42cc638331dca3e6b29111f995ccc58710e61142e1d9ca79a1d8f03e1299d425

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8aefa90099eefaa0880ec0815d209c44.exe
Size

975KB
MD5

8aefa90099eefaa0880ec0815d209c44
SHA1

4777bff211bdaff1179a2755c55bc51f9f03cc92
SHA256

42cc638331dca3e6b29111f995ccc58710e61142e1d9ca79a1d8f03e1299d425
SHA512

dcd4a59eb8e28be8c3ae086c58790259f82ffc501c6e817ab6537a650168f3d2be4e653c71d650bd778d665f0078587247906657e17d32204f305d0297e5b90a
SSDEEP

12288:IWnwQuO0hqtpxRNcEi0/3IWV//dctB68NESUMc7K8wlN272aU3H+WvDHD:IWnwT2//8OSUMc7K527DUuW

Score

7^/10

upx

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	exec1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	exec1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe

Executes dropped EXE 12 IoCs

pid	Process
2980	exec1.exe
2708	exec2.exe
2568	service.exe
1924	service.exe
1508	service.exe
1560	service.exe
2148	service.exe
1808	service.exe
1736	service.exe
2996	service.exe
2008	service.exe
2956	service.exe

Loads dropped DLL 20 IoCs

pid	Process
2980	exec1.exe
2980	exec1.exe
2568	service.exe
2568	service.exe
1924	service.exe
1924	service.exe
1508	service.exe
1508	service.exe
1560	service.exe
1560	service.exe
2148	service.exe
2148	service.exe
1808	service.exe
1808	service.exe
1736	service.exe
1736	service.exe
2996	service.exe
2996	service.exe
2008	service.exe
2008	service.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1744-0-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral1/memory/1744-17-0x0000000000400000-0x000000000044A000-memory.dmp	upx

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	exec1.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	exec1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\sHfXj	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\NvKfvw	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\sHfXj\ = "XYIYfiHnEKJsiibAY\\L[RgbbEAfpKJ]`"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\sHfXj	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\sHfXj\ = "XYIYfiHnEKJsiibAY\\L[RgbbEAfpKJ]`"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\pzTm	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\NvKfvw	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\ = "C:\\Windows\\SysWOW64\\mfc42u.dll"	exec1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\brIJ	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ySdxtzHctmuw	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\brIJ	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\pzTm\ = "GxDROPHeH_q\x7fQG@dtaA`"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\sHfXj\ = "XYIYfiHnEKJsiibAY\\L[RgbbEAfpKJ]`"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hcDlZjJlln\ = "oobYmbJ^nBR}t@Xhd\|Aec\\WS"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\NvKfvw\ = "exUsgoDG_cgNVKr\x7fn@f"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\brIJ	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\pzTm\ = "GxDROPHep_q\x7fQGud[]op"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\mjtcx\ = "{STJPA^\\IBvCnIpCge\x7f{DZBsvW\|A"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\mjtcx\ = "{STJPAO\\IBvCnIpCge\x7f{DZBsvW\|A"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\pzTm\ = "GxDROPHf\|_q\x7fQGONBiW`"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\mjtcx\ = "{STJPAV\|IBvCnIpCge\x7f{DZBsvW\|A"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hcDlZjJlln	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\pzTm\ = "GxDROPHfL_q\x7fQGrJ^Wtp"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\mjtcx\ = "{STJPAKLIBvCnIpCge\x7f{DZBsvW\|A"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\pzTm\ = "GxDROPHet_q\x7fQGYf~}``"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\pzTm\ = "GxDROPHgX_q\x7fQGj_vctp"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\brIJ\ = "FMlfgXi@iTMWmH[bKBQeYZ"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\sHfXj	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\brIJ	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\pzTm\ = "GxDROPHeh_q\x7fQG]CcGj`"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ySdxtzHctmuw	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\sHfXj\ = "XYIYfiHnEKJsiibAY\\L[RgbbEAfpKJ]`"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hcDlZjJlln	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\mjtcx\ = "{STJPAULIBvCnIpCge\x7f{DZBsvW\|A"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\pzTm	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ySdxtzHctmuw	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\brIJ\ = "FMlfgXi@iTMWmH[bKBQeYZ"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\NvKfvw\ = "exUsgoDG_cGNVKr\x7fn@F"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\NvKfvw	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\mjtcx	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\brIJ	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ySdxtzHctmuw\ = "pXMblZ~^aTCqd{XBjzQKxDjI_}FU_"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\pzTm\ = "GxDROPHfP_q\x7fQGvGnwXP"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\pzTm\ = "GxDROPHed_q\x7fQGTvOsOp"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\pzTm	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\pzTm\ = "GxDROPHg@_q\x7fQG~duRQ@"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\pzTm\ = "GxDROPHex_q\x7fQG{gGPZP"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ySdxtzHctmuw	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\brIJ	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hcDlZjJlln	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\mjtcx\ = "{STJPAt\|IBvCnIpCge\x7f{DZBsvW\|A"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\brIJ	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\mjtcx	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\NvKfvw\ = "exUsgoDG_`WNVKr\x7fnCV"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\pzTm\ = "GxDROPHe@_q\x7fQGeS}uk`"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\NvKfvw\ = "exUsgoDG_bGNVKr\x7fnAF"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hcDlZjJlln\ = "oobYmbJ^nBR}t@Xhd\|Aec\\WS"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\sHfXj	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\pzTm	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ySdxtzHctmuw\ = "pXMblZ~^aTCqd{XBjzQKxDjI_}FU_"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\brIJ\ = "FMlfgXi@iTMWmH[bKBQeYZ"	service.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe
2568	service.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: 33	2980	exec1.exe
Token: SeIncBasePriorityPrivilege	2980	exec1.exe
Token: 33	2568	service.exe
Token: SeIncBasePriorityPrivilege	2568	service.exe
Token: 33	1924	service.exe
Token: SeIncBasePriorityPrivilege	1924	service.exe
Token: 33	1508	service.exe
Token: SeIncBasePriorityPrivilege	1508	service.exe
Token: 33	1560	service.exe
Token: SeIncBasePriorityPrivilege	1560	service.exe
Token: 33	2148	service.exe
Token: SeIncBasePriorityPrivilege	2148	service.exe
Token: 33	1808	service.exe
Token: SeIncBasePriorityPrivilege	1808	service.exe
Token: 33	1736	service.exe
Token: SeIncBasePriorityPrivilege	1736	service.exe
Token: 33	2996	service.exe
Token: SeIncBasePriorityPrivilege	2996	service.exe
Token: 33	2008	service.exe
Token: SeIncBasePriorityPrivilege	2008	service.exe
Token: 33	2956	service.exe
Token: SeIncBasePriorityPrivilege	2956	service.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2980	1744	8aefa90099eefaa0880ec0815d209c44.exe	28
PID 1744 wrote to memory of 2980	1744	8aefa90099eefaa0880ec0815d209c44.exe	28
PID 1744 wrote to memory of 2980	1744	8aefa90099eefaa0880ec0815d209c44.exe	28
PID 1744 wrote to memory of 2980	1744	8aefa90099eefaa0880ec0815d209c44.exe	28
PID 1744 wrote to memory of 2708	1744	8aefa90099eefaa0880ec0815d209c44.exe	29
PID 1744 wrote to memory of 2708	1744	8aefa90099eefaa0880ec0815d209c44.exe	29
PID 1744 wrote to memory of 2708	1744	8aefa90099eefaa0880ec0815d209c44.exe	29
PID 1744 wrote to memory of 2708	1744	8aefa90099eefaa0880ec0815d209c44.exe	29
PID 2980 wrote to memory of 2568	2980	exec1.exe	30
PID 2980 wrote to memory of 2568	2980	exec1.exe	30
PID 2980 wrote to memory of 2568	2980	exec1.exe	30
PID 2980 wrote to memory of 2568	2980	exec1.exe	30
PID 2568 wrote to memory of 1924	2568	service.exe	31
PID 2568 wrote to memory of 1924	2568	service.exe	31
PID 2568 wrote to memory of 1924	2568	service.exe	31
PID 2568 wrote to memory of 1924	2568	service.exe	31
PID 1924 wrote to memory of 1508	1924	service.exe	32
PID 1924 wrote to memory of 1508	1924	service.exe	32
PID 1924 wrote to memory of 1508	1924	service.exe	32
PID 1924 wrote to memory of 1508	1924	service.exe	32
PID 1508 wrote to memory of 1560	1508	service.exe	35
PID 1508 wrote to memory of 1560	1508	service.exe	35
PID 1508 wrote to memory of 1560	1508	service.exe	35
PID 1508 wrote to memory of 1560	1508	service.exe	35
PID 1560 wrote to memory of 2148	1560	service.exe	36
PID 1560 wrote to memory of 2148	1560	service.exe	36
PID 1560 wrote to memory of 2148	1560	service.exe	36
PID 1560 wrote to memory of 2148	1560	service.exe	36
PID 2148 wrote to memory of 1808	2148	service.exe	37
PID 2148 wrote to memory of 1808	2148	service.exe	37
PID 2148 wrote to memory of 1808	2148	service.exe	37
PID 2148 wrote to memory of 1808	2148	service.exe	37
PID 1808 wrote to memory of 1736	1808	service.exe	38
PID 1808 wrote to memory of 1736	1808	service.exe	38
PID 1808 wrote to memory of 1736	1808	service.exe	38
PID 1808 wrote to memory of 1736	1808	service.exe	38
PID 1736 wrote to memory of 2996	1736	service.exe	39
PID 1736 wrote to memory of 2996	1736	service.exe	39
PID 1736 wrote to memory of 2996	1736	service.exe	39
PID 1736 wrote to memory of 2996	1736	service.exe	39
PID 2996 wrote to memory of 2008	2996	service.exe	40
PID 2996 wrote to memory of 2008	2996	service.exe	40
PID 2996 wrote to memory of 2008	2996	service.exe	40
PID 2996 wrote to memory of 2008	2996	service.exe	40
PID 2008 wrote to memory of 2956	2008	service.exe	41
PID 2008 wrote to memory of 2956	2008	service.exe	41
PID 2008 wrote to memory of 2956	2008	service.exe	41
PID 2008 wrote to memory of 2956	2008	service.exe	41

C:\Users\Admin\AppData\Local\Temp\8aefa90099eefaa0880ec0815d209c44.exe
"C:\Users\Admin\AppData\Local\Temp\8aefa90099eefaa0880ec0815d209c44.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1744
- C:\exec1.exe
  "C:\exec1.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\service.exe
    C:\Windows\system32\service.exe 704 "C:\exec1.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\service.exe
      C:\Windows\system32\service.exe 796 "C:\Windows\SysWOW64\service.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 472 "C:\Windows\SysWOW64\service.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
      - C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 488 "C:\Windows\SysWOW64\service.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 800 "C:\Windows\SysWOW64\service.exe"
        7⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 492 "C:\Windows\SysWOW64\service.exe"
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 804 "C:\Windows\SysWOW64\service.exe"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 468 "C:\Windows\SysWOW64\service.exe"
        10⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 820 "C:\Windows\SysWOW64\service.exe"
        11⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 480 "C:\Windows\SysWOW64\service.exe"
        12⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
- C:\exec2.exe
  "C:\exec2.exe"
  2⤵
  - Executes dropped EXE
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
5efc42dba245f37428468ce33c399d67

SHA1
8074809b13cf9df56753399dc4dc9aaa3a3b9592

SHA256
a57ae89535e50e197c1fd0cd051d1be0f1aedd0698f2596e184f491c178330cc

SHA512
54eeaeee88153d3a291fc4c8db668da3556f3b723337e652779538f8efbc7870f8d7cbb33f9cc98fbca5c7b8d19a294006e85ae6848b169148e51c4827860640

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
3de3e542de0e02d2f7fa8c5b47004436

SHA1
87452aa176f0105e8ec28ce7b1d3f6f4029c75c2

SHA256
a46aca8ed08a556ca64649eff120aa78b9b63e4990cf78df32d54e0ab240b162

SHA512
7579f9c35f98fb6ce8f6c32208002ee0523b96f0943608a141423aaf452428d2c1089de2f164ecc297068d5ff15fc5072421d7cdc674fe5f61a12a2e90e59f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
574fd8ac4001549f916e65d5482e4092

SHA1
62af85ac09b88e17766cb30dc9ae5211b0729f64

SHA256
e58f2470b758d31c04771219e2ab1c3b330a9b21a5efa81156deec1ba591face

SHA512
54b0a32b1b6eb5870186e8fd94fbdca7821b841f029ec38cedd3f94b0b4cd42678bb7997830a77f616aece913208f991038ad135a85b765f04da8e0ffb9a9090

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
6b2bd7b0a3d42e886dc9d8e27d4cb104

SHA1
77fec747be466dc418d0a9feab4ed3d0cf551783

SHA256
6e75ad9997d8fd6a08ff794e7a821e01099640df334329aca5427c70b7cd276f

SHA512
dc285d005fe58f6d4030ecba98e11d6dc189022a0e34d512001353b72f5b80c688bb48e000a19c08ecb1fbef9eca314d2adcb61ba69a8bb6fe3fc185abfb1151

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
3f8b7f31f13d1a9151b9246e516755ef

SHA1
6e1f2be5643116e5ee47c38186ef26e30e6f9b18

SHA256
d89f1a241bde87e60ec56923ffb1d737821d2fa6da031443923ec2c55f48b0ef

SHA512
8c983f8dd25acd2fe925f9bea22159af66716cbfffb568100c35fbfabc1cfbbb1a5183219def88d7b8369f3db24360bf3edb11518d0ef850ffcc4971d1d22c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
a1b5c43bcb41ddfeb5813e38f10b6013

SHA1
ab7c072f93c7fa1c86ec833b40df309726c547d0

SHA256
a286465474f6ec239793c0e75b395265a3615f1765aef2bb573ef922490157e0

SHA512
3e0096c8201632cf590a8612add5d76aab51dfcc041c892abeb48fcfe3dcf35ad3553349464c1bf064da114b3043adae904afa849f4521b2df255e92f99e2c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
5da767a71c19a18fdc9b995148d62e20

SHA1
bd0a782370c0d060cc6ba65a05b013cdb37f9361

SHA256
5a58282968a0d8643cf640fb94c605fefca3403409c7e34eab44ce20dd1e5dd9

SHA512
9f57b63238ce6386bed4801c5789fab17e48daa934dd64cb0476b9759bd90b219309932ff33b02b37777a951a7f7b9cfaff1d24d81f03902f91233c683d95fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
13a81b2c72a3cfcd6a45859ff8c54ed5

SHA1
ba166567db5dcc3af635fb37e0c45ae3211620c9

SHA256
7e877a0f4bb3672435a4eb2857eeef39f7baa6a539cce28f9fa522c235cb7fde

SHA512
7d9639683d32091dea776ff09688797b010da956e5375c7c24c4ed7262524289303c87a71cf262523becdd9dc75f9454f0aa8bac2b536f18d3d49c2c21267d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
8c927d474246a2e609c9371c0f7053de

SHA1
0d270db45fffdbacd616792213b913461b0addcf

SHA256
6349691e296801367c7b4e9c9900fa5aa3da6b1d2ed69c33bdd5edcbcf449d5c

SHA512
2e53a8f3609f012402a85546013f46d874d0da11dadfefc4a3f42029a871d98df79259414b18a3b7216dde0374388b58f3f6758e53eb8e349aceb54cea609c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
8eb4526525370e25bd61d583318e905c

SHA1
8ce88ee7f50e8a6886091ef1e11488768e128905

SHA256
ecd37e27816c2553aa31bb03c0076319f2a8e6df58f59175159a488987fcf35e

SHA512
8cf946ffb3233925914cd6b1bb356b71fe2e76143d3f195b7fc461bd15319074933655e0c15efca14303ee4159376ab0935f647d66d3029891d5acb4715f3f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
20841df8fd5067229c2d40258e54357c

SHA1
1588f4440971bdcc870236007c4aedf809da71fd

SHA256
65dd6d81d0a55857d2032be128c18d4bdaf190903bf9e2d2649d1f3dc8955a57

SHA512
39fd81c28bb86faf65645c74138e1c95933e4859a35cf2d3135b23feddf329fcf0c8f69d8d55b7c6c8a30bc007b950f5099ed73b071817d6d929bd691292d7d4

Download Submit
C:\Windows\SysWOW64\service.exe

Filesize
392KB

MD5
f8e861e09b06a78f5a6b4686d58a145f

SHA1
5cf68b603cef2ab0dbc0413f1e703c96de765398

SHA256
4af305f00680cd1fe63a159d50967c165c3f77f49888e34c10e657b02fa7491f

SHA512
8ab0cfa95957718c530ffceef980cb3902c3912edda6789e55c30497e2cfd8c77079431db6c26cf353fc172efa539414176e6bd98bc5cfc25d2ab8d7fae931e7

Download Submit
C:\Windows\SysWOW64\service.exe

Filesize
313KB

MD5
c5cf185201e0b4b470a580e64b6c48f9

SHA1
553e93f716b23a6c338dd604082e43f094b8e83b

SHA256
e322a9e6f0c548bada9b160ad2603546153d59ea336cb488711c6ebc0d38c36c

SHA512
8a855eee4ee876a5948686ed0cc2c1e9c96c2ac27e738d15154addd30afe97144c4fa7266d2cdda262d8985565a4dff58716b6a12a3dc8134549aa13b9be5e61

Download Submit
C:\exec1.exe

Filesize
384KB

MD5
bb63a74d5e13c29ec3ddffa6a520227b

SHA1
77d75f75d197d5a392fbefdb0cd493ef0baf4142

SHA256
1119c5e0334d8ba1cfdbd584f15ed7fdb5165c482ce9f9ff8978804fa9ac143b

SHA512
d359a46d0bdb4d2d310f018dcb2a71981814db805edf050153cdf9c84c1c8843a90e99697b060159cf5fb3253825401c2e7dc0c6f0110fb6e9d857f8bbdb94b7

Download Submit
C:\exec1.exe

Filesize
470KB

MD5
e1659d76d6212db6f782e5d477459044

SHA1
080fb6204e4d3c07d32d9f12d53f740e001adf4d

SHA256
ea2ce5cd5e849cf86cc521918544ec7e88c3041e69069851a95db5ca6052caf5

SHA512
c1086b5271192e5bf696af4fd6a61c8272f651f4b5b5532c391e64f2dbbd49423188309df54c6311080b27ebf85af09d991ec54475dbcad6f3480803774e75a5

Download Submit
C:\exec2.exe

Filesize
48KB

MD5
a4e5075de707c91f1802537f90e75cbe

SHA1
f986eb6918bdb31f305cd813eb307abe92a8d038

SHA256
a847f1f2d4df9b1ac403f741d08cfcab6ad53a04b7ba673803a4faf13fec1de3

SHA512
da443cbc231be234b04d3719c9765a1331ffc6ccfbdfa33b791288d122862799c6ffb93c4e3db1a2dcadfc45c5753f8ce412c0ab754b83085df6575b6703b981

Download Submit
\Windows\SysWOW64\service.exe

Filesize
660KB

MD5
ed4c3c45d8c912ba9b516b6da9e2ce58

SHA1
fdcb34d1f7463ae7fbf8b5ea3da97e6d3c39c154

SHA256
8708c9a1cdc102b4f8799d2bcc38a2e1763b62d8244ddda1531b689561f15997

SHA512
947d81c1dc9dd78a5845105ff2ec50adabc9223fa38b5f8a134de92d7967c92afff77c5011f4abc8b9f1e9c065aa436f3d46e083d55d8134a8da183b2e3ef103

Download Submit
memory/1508-109-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1508-108-0x0000000000230000-0x000000000028A000-memory.dmp

Filesize
360KB

Download
memory/1508-107-0x0000000000230000-0x000000000028A000-memory.dmp

Filesize
360KB

Download
memory/1508-106-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1508-98-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1508-105-0x0000000000230000-0x000000000028A000-memory.dmp

Filesize
360KB

Download
memory/1508-104-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1508-103-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1508-112-0x00000000037A0000-0x0000000003962000-memory.dmp

Filesize
1.8MB

Download
memory/1508-120-0x0000000000230000-0x000000000028A000-memory.dmp

Filesize
360KB

Download
memory/1508-122-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1508-90-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1508-88-0x0000000000230000-0x000000000028A000-memory.dmp

Filesize
360KB

Download
memory/1560-149-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1560-115-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1560-138-0x0000000003660000-0x0000000003822000-memory.dmp

Filesize
1.8MB

Download
memory/1560-133-0x0000000000230000-0x000000000028A000-memory.dmp

Filesize
360KB

Download
memory/1560-132-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1560-131-0x0000000000230000-0x000000000028A000-memory.dmp

Filesize
360KB

Download
memory/1560-130-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1560-129-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1560-128-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1736-229-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1736-215-0x00000000036C0000-0x0000000003882000-memory.dmp

Filesize
1.8MB

Download
memory/1736-209-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1736-192-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1744-9-0x0000000002A80000-0x0000000002C42000-memory.dmp

Filesize
1.8MB

Download
memory/1744-0-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1744-17-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1808-205-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1808-166-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1808-183-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1808-189-0x0000000003650000-0x0000000003812000-memory.dmp

Filesize
1.8MB

Download
memory/1924-81-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1924-65-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1924-97-0x0000000000290000-0x00000000002EA000-memory.dmp

Filesize
360KB

Download
memory/1924-79-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1924-64-0x0000000000290000-0x00000000002EA000-memory.dmp

Filesize
360KB

Download
memory/1924-78-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1924-102-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1924-84-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1924-82-0x0000000000290000-0x00000000002EA000-memory.dmp

Filesize
360KB

Download
memory/1924-80-0x0000000000290000-0x00000000002EA000-memory.dmp

Filesize
360KB

Download
memory/1924-83-0x0000000000290000-0x00000000002EA000-memory.dmp

Filesize
360KB

Download
memory/1924-77-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2008-243-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2008-260-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2008-267-0x00000000037D0000-0x0000000003992000-memory.dmp

Filesize
1.8MB

Download
memory/2008-278-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2148-141-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2148-158-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2148-180-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2568-62-0x0000000003660000-0x0000000003822000-memory.dmp

Filesize
1.8MB

Download
memory/2568-53-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2568-57-0x00000000001C0000-0x000000000021A000-memory.dmp

Filesize
360KB

Download
memory/2568-56-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2568-55-0x00000000001C0000-0x000000000021A000-memory.dmp

Filesize
360KB

Download
memory/2568-40-0x00000000001C0000-0x000000000021A000-memory.dmp

Filesize
360KB

Download
memory/2568-54-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2568-59-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2568-71-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2568-43-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2568-68-0x00000000001C0000-0x000000000021A000-memory.dmp

Filesize
360KB

Download
memory/2568-51-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2956-270-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2956-286-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2980-39-0x00000000034C0000-0x0000000003682000-memory.dmp

Filesize
1.8MB

Download
memory/2980-46-0x00000000034C0000-0x0000000003682000-memory.dmp

Filesize
1.8MB

Download
memory/2980-52-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2980-10-0x0000000000260000-0x00000000002BA000-memory.dmp

Filesize
360KB

Download
memory/2980-26-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2980-24-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2980-19-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2980-45-0x0000000000260000-0x00000000002BA000-memory.dmp

Filesize
360KB

Download
memory/2980-28-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2980-25-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2980-27-0x0000000000260000-0x00000000002BA000-memory.dmp

Filesize
360KB

Download
memory/2996-252-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2996-218-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2996-235-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download