ea4bea83f66080c7d7886f687ad3c56bccd6c847bb01507a4ae839ab1f0889fc

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 23:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8acfd4b5862e9e780665ba9e8385993b.exe
Size

676KB
MD5

8acfd4b5862e9e780665ba9e8385993b
SHA1

2398993394dccdab067aff4c1a575a6ea877ad68
SHA256

ea4bea83f66080c7d7886f687ad3c56bccd6c847bb01507a4ae839ab1f0889fc
SHA512

5852d64e64b4bac0cfdea7f492335f21b88a9b9f2b5b33113ef926c9a4753769d7ee42d2492e44d019380b1333341f87830c925cd09fbaac2497887816be24aa
SSDEEP

12288:8aAIgAP1HRT7/EvxX5GR6a+DlGxIuy8tWggdiL8Uj:8aNgAP1HREWR6pZr2gkLj

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WinSecUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WinSecUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WinSecUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WinSecUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WinSecUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WinSecUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WinSecUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WinSecUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WinSecUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WinSecUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WinSecUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WinSecUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8acfd4b5862e9e780665ba9e8385993b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WinSecUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WinSecUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WinSecUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WinSecUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WinSecUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WinSecUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WinSecUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	8acfd4b5862e9e780665ba9e8385993b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WinSecUpd.exe

Executes dropped EXE 10 IoCs

pid	Process
3540	WinSecUpd.exe
3648	WinSecUpd.exe
4224	WinSecUpd.exe
4700	WinSecUpd.exe
1380	WinSecUpd.exe
1012	WinSecUpd.exe
2328	WinSecUpd.exe
4428	WinSecUpd.exe
4364	WinSecUpd.exe
2304	WinSecUpd.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe
File opened for modification	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe
File created	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe
File opened for modification	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe
File created	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe
File opened for modification	C:\Windows\SysWOW64\WinSecUpd.exe	8acfd4b5862e9e780665ba9e8385993b.exe
File opened for modification	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe
File created	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe
File created	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe
File created	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe
File created	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe
File created	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe
File opened for modification	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe
File opened for modification	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe
File created	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe
File opened for modification	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe
File created	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe
File opened for modification	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe
File created	C:\Windows\SysWOW64\WinSecUpd.exe	8acfd4b5862e9e780665ba9e8385993b.exe
File created	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe
File opened for modification	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe
File opened for modification	C:\Windows\SysWOW64\WinSecUpd.exe	WinSecUpd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\rsGmheHva = "jN_}FU_FMlfgXi@iTMWmH[bKBQeYF"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\olrknuAst = "IcY"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CAtFkTlm = "r\x7fnCV{STJPAq\\IBvCnuk"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\olrknuAst = "h\|o"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\olrknuAst = "YnH"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CAtFkTlm = "r\x7fnAv{STJPAULIBvCnuk"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iWrHbh = "@VpLJ]\|eyes`oDG_`GNVK"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CAtFkTlm = "r\x7fnCF{STJPAz\\IBvCnuk"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\ThreadingModel = "Both"	8acfd4b5862e9e780665ba9e8385993b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaTie = "kw}~RH{Vnoe@XnIh\\^X"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Eohowri = "XXyYaiHrEJzsnib]Y]\|[Ugb~E"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\rsGmheHva = "jN_}FU_FMlfgXi@iTMWmH[bKBQeYF"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kcXqqext = "pXMblZ~^aTCqd{XBjzMKxD"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iWrHbh = "@VpLJ]\|eyes`oDG_cWNVK"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CAtFkTlm = "r\x7fn@F{STJPA[lIBvCnuk"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaTie = "kw}~RH{Vnol`XnIh\\Z~"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaTie = "kw}~RH{Vno`@XnIh]kN"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\olrknuAst = "vkV"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaTie = "kw}~RH{VnogpXnIh_K~"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CAtFkTlm = "r\x7fnAf{STJPAR\\IBvCnuk"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\olrknuAst = "xy\x7f"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\olrknuAst = "kj["	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\olrknuAst = "tyc"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\olrknuAst = "peU"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Eohowri = "XXyYaiHrEJzsnib]Y]\|[Ugb~E"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iWrHbh = "@VpLJ]\|eyes`oDG_bGNVK"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CAtFkTlm = "r\x7fn@V{STJPA[lIBvCnuk"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaTie = "kw}~RH{VnooPXnIh_M_"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CAtFkTlm = "r\x7fnCF{STJPA}LIBvCnuk"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CAtFkTlm = "r\x7fnCv{STJPAfLIBvCnuk"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CAtFkTlm = "r\x7fn@F{STJPAG\\IBvCnuk"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iWrHbh = "@VpLJ]\|eyes`oDG_cgNVK"	WinSecUpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	WinSecUpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\olrknuAst = "Wtx"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\olrknuAst = "AtE"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaTie = "kw}~RH{VnompXnIh_BR"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\piyqPviLfiI = "\\]ngLz_kS@seplXRdC\|P\\`t]CGVzO"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaTie = "kw}~RH{VnodPXnIh]QR"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kcXqqext = "pXMblZ~^aTCqd{XBjzMKxD"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\piyqPviLfiI = "\\]ngLz_kS@seplXRdC\|P\\`t]CGVzO"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\olrknuAst = "stx"	WinSecUpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ = "CFrameRateConvertDmo"	8acfd4b5862e9e780665ba9e8385993b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\piyqPviLfiI = "\\]ngLz_kS@seplXRdC\|P\\`t]CGVzO"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaTie = "kw}~RH{VnoopXnIh_xC"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\olrknuAst = "VjJ"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaTie = "kw}~RH{Vnoo@XnIh]}U"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CAtFkTlm = "r\x7fnCV{STJPA}LIBvCnuk"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Eohowri = "XXyYaiHrEJzsnib]Y]\|[Ugb~E"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\olrknuAst = "V]L"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iWrHbh = "@VpLJ]\|eyes`oDG_cwNVK"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CAtFkTlm = "r\x7fnAF{STJPAULIBvCnuk"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CAtFkTlm = "r\x7fn@V{STJPAR\\IBvCnuk"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iWrHbh = "@VpLJ]\|eyes`oDG_cwNVK"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\rsGmheHva = "jN_}FU_FMlfgXi@iTMWmH[bKBQeYF"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CAtFkTlm = "r\x7fn@v{STJPAHLIBvCnuk"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaTie = "kw}~RH{Vnon`XnIh^lN"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaTie = "kw}~RH{VnoePXnIh^nR"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CAtFkTlm = "r\x7fn@v{STJPAHLIBvCnuk"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Eohowri = "XXyYaiHrEJzsnib]Y]\|[Ugb~E"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\olrknuAst = "iQo"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Eohowri = "XXyYaiHrEJzsnib]Y]\|[Ugb~E"	WinSecUpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\piyqPviLfiI = "\\]ngLz_kS@seplXRdC\|P\\`t]CGVzO"	WinSecUpd.exe

NTFS ADS 11 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:C980DA7D	WinSecUpd.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	WinSecUpd.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	WinSecUpd.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	WinSecUpd.exe
File created	C:\ProgramData\TEMP:C980DA7D	WinSecUpd.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	WinSecUpd.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	WinSecUpd.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	WinSecUpd.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	WinSecUpd.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	WinSecUpd.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	WinSecUpd.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: 33	4892	8acfd4b5862e9e780665ba9e8385993b.exe
Token: SeIncBasePriorityPrivilege	4892	8acfd4b5862e9e780665ba9e8385993b.exe
Token: 33	3540	WinSecUpd.exe
Token: SeIncBasePriorityPrivilege	3540	WinSecUpd.exe
Token: 33	3648	WinSecUpd.exe
Token: SeIncBasePriorityPrivilege	3648	WinSecUpd.exe
Token: 33	4224	WinSecUpd.exe
Token: SeIncBasePriorityPrivilege	4224	WinSecUpd.exe
Token: 33	4700	WinSecUpd.exe
Token: SeIncBasePriorityPrivilege	4700	WinSecUpd.exe
Token: 33	1380	WinSecUpd.exe
Token: SeIncBasePriorityPrivilege	1380	WinSecUpd.exe
Token: 33	1012	WinSecUpd.exe
Token: SeIncBasePriorityPrivilege	1012	WinSecUpd.exe
Token: 33	2328	WinSecUpd.exe
Token: SeIncBasePriorityPrivilege	2328	WinSecUpd.exe
Token: 33	4428	WinSecUpd.exe
Token: SeIncBasePriorityPrivilege	4428	WinSecUpd.exe
Token: 33	4364	WinSecUpd.exe
Token: SeIncBasePriorityPrivilege	4364	WinSecUpd.exe
Token: 33	2304	WinSecUpd.exe
Token: SeIncBasePriorityPrivilege	2304	WinSecUpd.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 3540	4892	8acfd4b5862e9e780665ba9e8385993b.exe	83
PID 4892 wrote to memory of 3540	4892	8acfd4b5862e9e780665ba9e8385993b.exe	83
PID 4892 wrote to memory of 3540	4892	8acfd4b5862e9e780665ba9e8385993b.exe	83
PID 3540 wrote to memory of 3648	3540	WinSecUpd.exe	91
PID 3540 wrote to memory of 3648	3540	WinSecUpd.exe	91
PID 3540 wrote to memory of 3648	3540	WinSecUpd.exe	91
PID 3648 wrote to memory of 4224	3648	WinSecUpd.exe	93
PID 3648 wrote to memory of 4224	3648	WinSecUpd.exe	93
PID 3648 wrote to memory of 4224	3648	WinSecUpd.exe	93
PID 4224 wrote to memory of 4700	4224	WinSecUpd.exe	94
PID 4224 wrote to memory of 4700	4224	WinSecUpd.exe	94
PID 4224 wrote to memory of 4700	4224	WinSecUpd.exe	94
PID 4700 wrote to memory of 1380	4700	WinSecUpd.exe	95
PID 4700 wrote to memory of 1380	4700	WinSecUpd.exe	95
PID 4700 wrote to memory of 1380	4700	WinSecUpd.exe	95
PID 1380 wrote to memory of 1012	1380	WinSecUpd.exe	96
PID 1380 wrote to memory of 1012	1380	WinSecUpd.exe	96
PID 1380 wrote to memory of 1012	1380	WinSecUpd.exe	96
PID 1012 wrote to memory of 2328	1012	WinSecUpd.exe	97
PID 1012 wrote to memory of 2328	1012	WinSecUpd.exe	97
PID 1012 wrote to memory of 2328	1012	WinSecUpd.exe	97
PID 2328 wrote to memory of 4428	2328	WinSecUpd.exe	98
PID 2328 wrote to memory of 4428	2328	WinSecUpd.exe	98
PID 2328 wrote to memory of 4428	2328	WinSecUpd.exe	98
PID 4428 wrote to memory of 4364	4428	WinSecUpd.exe	99
PID 4428 wrote to memory of 4364	4428	WinSecUpd.exe	99
PID 4428 wrote to memory of 4364	4428	WinSecUpd.exe	99
PID 4364 wrote to memory of 2304	4364	WinSecUpd.exe	100
PID 4364 wrote to memory of 2304	4364	WinSecUpd.exe	100
PID 4364 wrote to memory of 2304	4364	WinSecUpd.exe	100

C:\Users\Admin\AppData\Local\Temp\8acfd4b5862e9e780665ba9e8385993b.exe
"C:\Users\Admin\AppData\Local\Temp\8acfd4b5862e9e780665ba9e8385993b.exe"
1⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\WinSecUpd.exe
  C:\Windows\system32\WinSecUpd.exe 1420 "C:\Users\Admin\AppData\Local\Temp\8acfd4b5862e9e780665ba9e8385993b.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\SysWOW64\WinSecUpd.exe
    C:\Windows\system32\WinSecUpd.exe 1464 "C:\Windows\SysWOW64\WinSecUpd.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\SysWOW64\WinSecUpd.exe
      C:\Windows\system32\WinSecUpd.exe 1476 "C:\Windows\SysWOW64\WinSecUpd.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Windows\SysWOW64\WinSecUpd.exe
        
        C:\Windows\system32\WinSecUpd.exe 1480 "C:\Windows\SysWOW64\WinSecUpd.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4700
      - C:\Windows\SysWOW64\WinSecUpd.exe
        
        C:\Windows\system32\WinSecUpd.exe 1472 "C:\Windows\SysWOW64\WinSecUpd.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\WinSecUpd.exe
        
        C:\Windows\system32\WinSecUpd.exe 1488 "C:\Windows\SysWOW64\WinSecUpd.exe"
        7⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\WinSecUpd.exe
        
        C:\Windows\system32\WinSecUpd.exe 1404 "C:\Windows\SysWOW64\WinSecUpd.exe"
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\WinSecUpd.exe
        
        C:\Windows\system32\WinSecUpd.exe 1484 "C:\Windows\SysWOW64\WinSecUpd.exe"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\WinSecUpd.exe
        
        C:\Windows\system32\WinSecUpd.exe 1496 "C:\Windows\SysWOW64\WinSecUpd.exe"
        10⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\WinSecUpd.exe
        
        C:\Windows\system32\WinSecUpd.exe 1492 "C:\Windows\SysWOW64\WinSecUpd.exe"
        11⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:C980DA7D

Filesize
125B

MD5
33ee11d05440e0b7f9f6611744fe40a0

SHA1
9906d2299ab9f49a9c028b04083e00762e588e73

SHA256
b978ea625976663fc7965f3c429c34a7b6d29c1415b4f54aa0e9e74f4fd2891c

SHA512
38e2577f98df34d639c9100695002f0ad2864b76a351557599a0fb7e9f9cb8446d433f6942ca5d006a4394af518a8ad7c476291186571cffc6f6933fdd324131

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
125B

MD5
6b040babdef9838e0195a7ad99de4757

SHA1
42e89b2a7f7f5e6fb5693ee39cc7d6fdaa037141

SHA256
dc292627fe6a7c64234e7d4303105ce5b8fd0c01bd7f4075075940399e365bd3

SHA512
76867f1077a1d9a678f1574627f4835b7d9dcefcd0947f2b259a0fb32425b7a5ee864cd9ed3ce6557ce87748bdf1b40f4b3f5014d46a228565a059c30defe6d1

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
125B

MD5
23e89f814a582832c65e899e837151ca

SHA1
a8ba48b7848c9cef42a04915b335a069a14563b7

SHA256
7f941d3705491cdd2cfb0d498608136a71d8690621f2ae18b0729451e7e9d2c3

SHA512
7925fc8babf955775cf9b8ab4be2e22f5d136886b1c4460cff120ecaace2d1ab7aa1b53ec06c1eb57d23fa72bcbe255635bd129684ada18963a7d195bb013ed4

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
125B

MD5
42a40a55599acb6e5371b7a07d4e3853

SHA1
93f755ee1e44210bac63c0c0e90de0070c4597be

SHA256
0715492002a4249c6d98e2322cf0a3f41bbb6cd0a5d45f5ce4e19365148fc7cd

SHA512
63893d98c023994b40ccf19d8a2f6db9181f130928e8a3ced36e9f3dc85d170d603d7dec8e2392156440fdad3e32103ca875b80020c9c6605252336f996eb548

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
125B

MD5
1a397d6c5d9cfe3e8ab1e1d7c436590f

SHA1
884ba97b9f0e2a27661fad1a37450d15cb199a19

SHA256
899d8e6c50bec141dc3fb72c29fc1ceb1e31570e99d46e848e8149fa84fd9e19

SHA512
ac7cba311122bc806230b867047023f8d849e06a4303269f56824e9e7454fd009ff4bf1a48c69ad4ec9139a76de2c8bc2c537ae0fb9ab3ec2cf5a216808b81d5

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
125B

MD5
5663eb785f0badc0e74d340e2b01da76

SHA1
c5b3aa35e1680669cb63af67ea82ad1014cb718d

SHA256
40c7b17582435fb51aa3278f40b0c6617b8983a04ccb385d87514107db158940

SHA512
97af09b37a21e8ab18292cf37948168b002a22e6b54119b890156427effbf3e2e7bf46552ae7d7a9ec31f7c10045e50d28b954ce7c09be213604a3f4a4a669b2

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
125B

MD5
fbfb918aafb5912729dd7cb03c7a9f10

SHA1
e4ab1c040a0c62dd16c4d5b6723a13b448e6fd00

SHA256
cb348eac556b515a3f7d43fe08f3af6388b7e5d115e872b3d76d652cb025d4b5

SHA512
5726d2dcd9bdb77b83c0adb79da96c78f223f332bd2580a61b472775b3ae74a24dbe9b2c6fcfa8988d6cbab8f616f19d077ccdd622d2d6360c43112b10d7a11c

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
125B

MD5
b436c95f25842c7119795d7523b3b69c

SHA1
918ece9875e85dcabc0ed436d200c229b751364f

SHA256
3363001652f2863e99577114a43fd9ef2f860906c1df47d89c904885b3d342c1

SHA512
47a555aa5fa1a580a1cbfa91e06b2806f9408390477417cb811163689bd1241eeebc6d3e5f301de5a3b40e9e93298da06544c6a497a4aa540577d5deeb2fec17

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
125B

MD5
8733831cd655220ed96641d923eb936c

SHA1
b0d540557f541cfdb03f7495e066b595a7ca53e0

SHA256
92ab99d4568847a924a2272f1110f640a55f1b3de0bfa8e29b6bd4fa230773b6

SHA512
db0278e493e246c6a6d1e374f56a43b19c367448ca8a07885ecfbad6ce34c55586337d3354295fbc1f43d9b12301af0f711224f16335344959e9d762c7555192

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
125B

MD5
2e9a431eea244ef4b4b1f148cd78dc43

SHA1
19c3b43de9abb743abb0b2e91e6428884ed16611

SHA256
64c31e95562f04db85ada1850faea10227108116b1b8adf431d65e18e8f245e5

SHA512
27decd20e0330f290790b85e25080f51b7b23c5ca2f6d945913ac095702b9fcf0d81d4f122cccf7107359679a7e96c950ac39c3191df13f765cb407d3e2649df

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
125B

MD5
e170ab546585945030d12f58dbf79876

SHA1
c47f025691c5f772a0779862a61cd7a357bf9ace

SHA256
8c90720c4907dea00f67529a5fd1c040532384ff91fbacda46f803c5feca47a8

SHA512
6cdbad634351c84997d97cce2e2bc896e7a7f6995d0df78db00b6500aafb2ecd0b49e5c00210459c93a1206e96f622398ca0ba3cae2c37ae6d365ed131865878

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
125B

MD5
373142b59d5bdd311624b55a2195dea1

SHA1
33b74ab060fa8b4fab9294931f191522bf295f0a

SHA256
a2e2688657e26a8b3d3da6026469ed4779d76aea5bf9375d607588610d84f3e3

SHA512
24d119f934f6f0dd00a504daa95161a7c3d4631625cbe2c3ff6fb8e9ac5cbf75dbe93e8a210387f72eeb458a8623c04de20e1bfef72972a0596b7962fd5475cc

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
125B

MD5
5194edaeb8a0bfc25f97fc44ddba066d

SHA1
10dec3d7d65bf3faef0fb8f698676007b9b795c5

SHA256
8b48a4f38865a834de7b6819849748d141654e3a4d51c8fb85406c9765bd02bd

SHA512
33054fe48cd88b83b813d356276e06a5e1710d9d8d54e75f58a72b20f0f10d4d44971019017563f95575e810134a81f317489a8b2cc0124a23a240ecb8f76e6f

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
125B

MD5
c6bdf0d2b6bb6393ac46c0af424e62ee

SHA1
ad35a691ccfb225cd12c3398da82527e5ce1fb14

SHA256
94c212a30189d7a58478b9a3bef4866a5d936985ea3852e5f94635cf2965a76c

SHA512
005593747b4bf43855bfcff54a0dc183af00cc44d49c4be5c6fc0913042bb2a989bdf2c37fbeb8c975098ddeaf2feb773070d7cfe94f558e58f48337b485550e

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
125B

MD5
48a7f44686e1894089761aa06ac650bd

SHA1
e0207931039b922f0b62437adbcf2c2e0faa6772

SHA256
eda19bbdbfdfac737beda760a5f455a368dde2f8f3dc3b590d6122c9ad067737

SHA512
790d55033fd37313ceba79196447a8bbb40d93c2de4f6e5fcf23dd13244b40dbb2a489a61a559c6f3d3a5c2bd8f92c47cd1a1f5d6739c3d14c47b21508804679

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
125B

MD5
37ab7071f9fad4dd6954128e2bbb3aed

SHA1
46326d43021ea5a89a73c45c1c596980bcedb00e

SHA256
82187f808150b2b60f451ca5f53c443b273781f0e6853817dae9bf7435cd4538

SHA512
cb57b4b2b88beb445ac6dbee97f8a41fc6254948d2ad1995f43fd330dfcbb0af8965c7f3ece09ee862e32e109d2dec568896586a2227a5bbb8e86cec3eff1a69

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
125B

MD5
94d4762e47517f9fb6bb6c490d06cb59

SHA1
70e42483b68536e3451e901bbd013871db085134

SHA256
4da2cb277c2865339d86c2f71e3f861082c9f59ecc12be3e9571a47c158d96cc

SHA512
72b412bca73eb394a90fa5a58881334924427f022ab3cfc8813a315323bc6482e792a352e0604cfd8d811d50bccd54fa0a7443a50b24c707c6c0548e77e55a1e

Download Submit
C:\Windows\SysWOW64\WinSecUpd.exe

Filesize
598KB

MD5
136f48600b29e7aac2810df2408992d3

SHA1
6fc6ef7d196669abf347ef9bc3d3d469b1bc6923

SHA256
a444ce300f9053146a0ab0cefe780757eec905b74b6fbc210bfd5e7fcda255dc

SHA512
71a85d7f3d5e2b63ea41454d21495a4676fd6b1c515566d305d92eb2bed797771af33e4aec53b00fb3b93117450f3555a584678bdaa879cb8cc3f020ae4b4127

Download Submit
C:\Windows\SysWOW64\WinSecUpd.exe

Filesize
676KB

MD5
8acfd4b5862e9e780665ba9e8385993b

SHA1
2398993394dccdab067aff4c1a575a6ea877ad68

SHA256
ea4bea83f66080c7d7886f687ad3c56bccd6c847bb01507a4ae839ab1f0889fc

SHA512
5852d64e64b4bac0cfdea7f492335f21b88a9b9f2b5b33113ef926c9a4753769d7ee42d2492e44d019380b1333341f87830c925cd09fbaac2497887816be24aa

Download Submit
memory/1012-216-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/1380-183-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/2328-244-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/3540-35-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/3540-39-0x0000000000620000-0x000000000066D000-memory.dmp

Filesize
308KB

Download
memory/3540-41-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/3540-43-0x0000000000620000-0x000000000066D000-memory.dmp

Filesize
308KB

Download
memory/3540-36-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/3540-37-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/3540-33-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/3540-54-0x0000000000620000-0x000000000066D000-memory.dmp

Filesize
308KB

Download
memory/3540-31-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/3540-29-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/3540-21-0x0000000000620000-0x000000000066D000-memory.dmp

Filesize
308KB

Download
memory/3540-22-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/3540-38-0x0000000000620000-0x000000000066D000-memory.dmp

Filesize
308KB

Download
memory/3648-65-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/3648-64-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/3648-69-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/3648-71-0x00000000005D0000-0x000000000061D000-memory.dmp

Filesize
308KB

Download
memory/3648-46-0x00000000005D0000-0x000000000061D000-memory.dmp

Filesize
308KB

Download
memory/3648-66-0x00000000005D0000-0x000000000061D000-memory.dmp

Filesize
308KB

Download
memory/3648-58-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/3648-61-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/3648-63-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/3648-87-0x00000000005D0000-0x000000000061D000-memory.dmp

Filesize
308KB

Download
memory/3648-67-0x00000000005D0000-0x000000000061D000-memory.dmp

Filesize
308KB

Download
memory/3648-62-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4224-122-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4224-93-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4224-92-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4224-90-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4224-88-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4224-83-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4224-82-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4224-74-0x00000000006C0000-0x000000000070D000-memory.dmp

Filesize
308KB

Download
memory/4224-94-0x00000000006C0000-0x000000000070D000-memory.dmp

Filesize
308KB

Download
memory/4364-298-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4428-274-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4700-153-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4892-34-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4892-13-0x00000000020E0000-0x000000000212D000-memory.dmp

Filesize
308KB

Download
memory/4892-12-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4892-11-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4892-10-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4892-9-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4892-8-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4892-7-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4892-32-0x00000000020E0000-0x000000000212D000-memory.dmp

Filesize
308KB

Download
memory/4892-2-0x00000000020E0000-0x000000000212D000-memory.dmp

Filesize
308KB

Download
memory/4892-0-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download