42cc638331dca3e6b29111f995ccc58710e61142e1d9ca79a1d8f03e1299d425

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8aefa90099eefaa0880ec0815d209c44.exe
Size

975KB
MD5

8aefa90099eefaa0880ec0815d209c44
SHA1

4777bff211bdaff1179a2755c55bc51f9f03cc92
SHA256

42cc638331dca3e6b29111f995ccc58710e61142e1d9ca79a1d8f03e1299d425
SHA512

dcd4a59eb8e28be8c3ae086c58790259f82ffc501c6e817ab6537a650168f3d2be4e653c71d650bd778d665f0078587247906657e17d32204f305d0297e5b90a
SSDEEP

12288:IWnwQuO0hqtpxRNcEi0/3IWV//dctB68NESUMc7K8wlN272aU3H+WvDHD:IWnwT2//8OSUMc7K527DUuW

Score

7^/10

upx

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	exec1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	exec1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	8aefa90099eefaa0880ec0815d209c44.exe

Executes dropped EXE 12 IoCs

pid	Process
3404	exec1.exe
3020	exec2.exe
4080	service.exe
2696	service.exe
8	service.exe
3904	service.exe
1804	service.exe
2600	service.exe
3392	service.exe
2052	service.exe
1040	service.exe
2716	service.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4388-0-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4388-17-0x0000000000400000-0x000000000044A000-memory.dmp	upx

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\service.exe	exec1.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	exec1.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Jqrw	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\rnkcaGv	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\rnkcaGv\ = "goDG_bgNVKr\x7fnAf{STJPAV\|IB"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vGdpn\ = "\|Aec\\WSGxDROPHfl_q\x7fQGJaSY{@"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\wbmKbzwb	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\gvghuzb\ = "mH[bKBQeYZXYIYfiHnEKJsiibAY\\L"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hovSNCtsekMye	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\rnkcaGv\ = "goDG_cWNVKr\x7fn@V{STJPARlIB"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vGdpn\ = "\|Aec\\WSGxDROPHgX_q\x7fQGj_vctp"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uctnigzQHiSY\ = "jzQKxDjI_}FU_FMlfgXi@iTMW"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\gvghuzb	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\rnkcaGv\ = "goDG_bwNVKr\x7fnAv{STJPAULIB"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uctnigzQHiSY\ = "jzQKxDjI_}FU_FMlfgXi@iTMW"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vGdpn\ = "\|Aec\\WSGxDROPHg@_q\x7fQGsN``U`"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\rnkcaGv\ = "goDG_bgNVKr\x7fnAf{STJPAV\|IB"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vGdpn\ = "\|Aec\\WSGxDROPHfH_q\x7fQG^`Vm]@"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hovSNCtsekMye	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vGdpn\ = "\|Aec\\WSGxDROPHeD_q\x7fQGtc^APP"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hovSNCtsekMye	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\wbmKbzwb	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vGdpn\ = "\|Aec\\WSGxDROPHg\|_q\x7fQGze{dA`"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\luLuxfbr	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Jqrw\ = "oobYmbJ^nBR}t@Xhd"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\gvghuzb\ = "mH[bKBQeYZXYIYfiHnEKJsiibAY\\L"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\luLuxfbr	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vGdpn\ = "\|Aec\\WSGxDROPHf@_q\x7fQGenlJ_p"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vGdpn	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\luLuxfbr\ = "vCnIpCge\x7f{DZBsvW\|A"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Jqrw\ = "oobYmbJ^nBR}t@Xhd"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uctnigzQHiSY	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Jqrw	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Jqrw\ = "oobYmbJ^nBR}t@Xhd"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vGdpn\ = "\|Aec\\WSGxDROPHft_q\x7fQGt@xNUP"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\rnkcaGv\ = "goDG_`GNVKr\x7fnCF{STJPAKLIB"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\wbmKbzwb\ = "[RgbbEAfpKJ]`exUs"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\rnkcaGv\ = "goDG_cGNVKr\x7fn@F{STJPARlIB"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\rnkcaGv\ = "goDG_cgNVKr\x7fn@f{STJPAG\|IB"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\wbmKbzwb\ = "[RgbbEAfpKJ]`exUs"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vGdpn	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hovSNCtsekMye\ = "pXMblZ~^aTCqd{XB"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hovSNCtsekMye\ = "pXMblZ~^aTCqd{XB"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Jqrw\ = "oobYmbJ^nBR}t@Xhd"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\gvghuzb	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uctnigzQHiSY	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vGdpn	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ = "ADOX.Table.6.0"	exec1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\gvghuzb\ = "mH[bKBQeYZXYIYfiHnEKJsiibAY\\L"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\luLuxfbr\ = "vCnIpCge\x7f{DZBsvW\|A"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hovSNCtsekMye\ = "pXMblZ~^aTCqd{XB"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vGdpn\ = "\|Aec\\WSGxDROPHgP_q\x7fQGrrTyLp"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hovSNCtsekMye\ = "pXMblZ~^aTCqd{XB"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\wbmKbzwb	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vGdpn\ = "\|Aec\\WSGxDROPHgx_q\x7fQGVg^DNp"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vGdpn\ = "\|Aec\\WSGxDROPHeh_q\x7fQG]CcGj`"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vGdpn\ = "\|Aec\\WSGxDROPHel_q\x7fQGqAFgep"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vGdpn\ = "\|Aec\\WSGxDROPHet_q\x7fQGOH@jm@"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vGdpn\ = "\|Aec\\WSGxDROPHgL_q\x7fQGwQYftP"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\gvghuzb\ = "mH[bKBQeYZXYIYfiHnEKJsiibAY\\L"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vGdpn\ = "\|Aec\\WSGxDROPHfT_q\x7fQGdzv\|K`"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uctnigzQHiSY	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vGdpn\ = "\|Aec\\WSGxDROPHf\|_q\x7fQGlEwNKp"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Jqrw	service.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe
4080	service.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: 33	3404	exec1.exe
Token: SeIncBasePriorityPrivilege	3404	exec1.exe
Token: 33	4080	service.exe
Token: SeIncBasePriorityPrivilege	4080	service.exe
Token: 33	2696	service.exe
Token: SeIncBasePriorityPrivilege	2696	service.exe
Token: 33	8	service.exe
Token: SeIncBasePriorityPrivilege	8	service.exe
Token: 33	3904	service.exe
Token: SeIncBasePriorityPrivilege	3904	service.exe
Token: 33	1804	service.exe
Token: SeIncBasePriorityPrivilege	1804	service.exe
Token: 33	2600	service.exe
Token: SeIncBasePriorityPrivilege	2600	service.exe
Token: 33	3392	service.exe
Token: SeIncBasePriorityPrivilege	3392	service.exe
Token: 33	2052	service.exe
Token: SeIncBasePriorityPrivilege	2052	service.exe
Token: 33	1040	service.exe
Token: SeIncBasePriorityPrivilege	1040	service.exe
Token: 33	2716	service.exe
Token: SeIncBasePriorityPrivilege	2716	service.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 3404	4388	8aefa90099eefaa0880ec0815d209c44.exe	84
PID 4388 wrote to memory of 3404	4388	8aefa90099eefaa0880ec0815d209c44.exe	84
PID 4388 wrote to memory of 3404	4388	8aefa90099eefaa0880ec0815d209c44.exe	84
PID 4388 wrote to memory of 3020	4388	8aefa90099eefaa0880ec0815d209c44.exe	85
PID 4388 wrote to memory of 3020	4388	8aefa90099eefaa0880ec0815d209c44.exe	85
PID 4388 wrote to memory of 3020	4388	8aefa90099eefaa0880ec0815d209c44.exe	85
PID 3404 wrote to memory of 4080	3404	exec1.exe	86
PID 3404 wrote to memory of 4080	3404	exec1.exe	86
PID 3404 wrote to memory of 4080	3404	exec1.exe	86
PID 4080 wrote to memory of 2696	4080	service.exe	94
PID 4080 wrote to memory of 2696	4080	service.exe	94
PID 4080 wrote to memory of 2696	4080	service.exe	94
PID 2696 wrote to memory of 8	2696	service.exe	96
PID 2696 wrote to memory of 8	2696	service.exe	96
PID 2696 wrote to memory of 8	2696	service.exe	96
PID 8 wrote to memory of 3904	8	service.exe	97
PID 8 wrote to memory of 3904	8	service.exe	97
PID 8 wrote to memory of 3904	8	service.exe	97
PID 3904 wrote to memory of 1804	3904	service.exe	98
PID 3904 wrote to memory of 1804	3904	service.exe	98
PID 3904 wrote to memory of 1804	3904	service.exe	98
PID 1804 wrote to memory of 2600	1804	service.exe	99
PID 1804 wrote to memory of 2600	1804	service.exe	99
PID 1804 wrote to memory of 2600	1804	service.exe	99
PID 2600 wrote to memory of 3392	2600	service.exe	100
PID 2600 wrote to memory of 3392	2600	service.exe	100
PID 2600 wrote to memory of 3392	2600	service.exe	100
PID 3392 wrote to memory of 2052	3392	service.exe	101
PID 3392 wrote to memory of 2052	3392	service.exe	101
PID 3392 wrote to memory of 2052	3392	service.exe	101
PID 2052 wrote to memory of 1040	2052	service.exe	102
PID 2052 wrote to memory of 1040	2052	service.exe	102
PID 2052 wrote to memory of 1040	2052	service.exe	102
PID 1040 wrote to memory of 2716	1040	service.exe	103
PID 1040 wrote to memory of 2716	1040	service.exe	103
PID 1040 wrote to memory of 2716	1040	service.exe	103

C:\Users\Admin\AppData\Local\Temp\8aefa90099eefaa0880ec0815d209c44.exe
"C:\Users\Admin\AppData\Local\Temp\8aefa90099eefaa0880ec0815d209c44.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4388
- C:\exec1.exe
  "C:\exec1.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\SysWOW64\service.exe
    C:\Windows\system32\service.exe 1432 "C:\exec1.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Windows\SysWOW64\service.exe
      C:\Windows\system32\service.exe 1480 "C:\Windows\SysWOW64\service.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 1472 "C:\Windows\SysWOW64\service.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:8
      - C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 1460 "C:\Windows\SysWOW64\service.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 1476 "C:\Windows\SysWOW64\service.exe"
        7⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 1456 "C:\Windows\SysWOW64\service.exe"
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 1468 "C:\Windows\SysWOW64\service.exe"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 1496 "C:\Windows\SysWOW64\service.exe"
        10⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 1484 "C:\Windows\SysWOW64\service.exe"
        11⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 1464 "C:\Windows\SysWOW64\service.exe"
        12⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
- C:\exec2.exe
  "C:\exec2.exe"
  2⤵
  - Executes dropped EXE
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
04df488a6a7c240641671f5f9900677e

SHA1
6fdd0c5302f20833a4eb54840112e5581dd35444

SHA256
b6a0a75b1930e8cf1fee89519211563f4f42563c092b7a462e335d69ce6f24f2

SHA512
24953e3432a881a51184fcfb89d92c324d3d8c9158f0f9200b0b9a51ebb8a8d79fdd45dc00bad39a665f3c17a8876c0816d14520dbbb95b0d0743d480d07318b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
2f3f92a2ec223781f343160c3ea75b0d

SHA1
dd2cb599c5eef23960e414df3ab892ce31e3c24b

SHA256
430d765dcdd14e5b2781b88a13ab721d5a0505752974d3f638861e7fcc828adb

SHA512
ee2b9e9f133d4c5d7890fda28227ed80874f2ed91f61a1283bd9d006d29c48cbeeb846a5af640584aa9fb2f143e5d065a4574f70a14ab4f93ec5d9efbc5dd5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
574fd8ac4001549f916e65d5482e4092

SHA1
62af85ac09b88e17766cb30dc9ae5211b0729f64

SHA256
e58f2470b758d31c04771219e2ab1c3b330a9b21a5efa81156deec1ba591face

SHA512
54b0a32b1b6eb5870186e8fd94fbdca7821b841f029ec38cedd3f94b0b4cd42678bb7997830a77f616aece913208f991038ad135a85b765f04da8e0ffb9a9090

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
6b2bd7b0a3d42e886dc9d8e27d4cb104

SHA1
77fec747be466dc418d0a9feab4ed3d0cf551783

SHA256
6e75ad9997d8fd6a08ff794e7a821e01099640df334329aca5427c70b7cd276f

SHA512
dc285d005fe58f6d4030ecba98e11d6dc189022a0e34d512001353b72f5b80c688bb48e000a19c08ecb1fbef9eca314d2adcb61ba69a8bb6fe3fc185abfb1151

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
553f4776662040f5387d9b0b16ee7613

SHA1
bafacd096fdbdb034c2f538a1c8ac99276333bfa

SHA256
a3be1529ac55cf5b5dc833550b3fec7d9a313db060306d3e9240b02f2e49d27d

SHA512
0e3128bb61c16cdfebbbe55edcb42f07c872893486320764dc5f05a21f597c078cf237bfb0678caa0659818d87e24652796f478d7a6e48745a86934286dae9bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
3f8b7f31f13d1a9151b9246e516755ef

SHA1
6e1f2be5643116e5ee47c38186ef26e30e6f9b18

SHA256
d89f1a241bde87e60ec56923ffb1d737821d2fa6da031443923ec2c55f48b0ef

SHA512
8c983f8dd25acd2fe925f9bea22159af66716cbfffb568100c35fbfabc1cfbbb1a5183219def88d7b8369f3db24360bf3edb11518d0ef850ffcc4971d1d22c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
97bba527197e6f0f1099db8063720c1d

SHA1
64dcb8ef6da82ba1f265799258e78fd7dd06f56c

SHA256
5cca47254b480ff713b35ceb65d77f9b01d76b13a5e0e0e9721dac3b9fd7b8a2

SHA512
e5e33221ee3e08549e4b0b68bb7d1644f27904e653a6c690df3ac2142792ab5d0b3ec139fa97ace142f01428b13e6faf9353a87b71388e02a5cd986caa09aa37

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
2c7612a3094b7c5104b039cae67a7d0b

SHA1
84fb150eb2b0920777b708687787410a95da0322

SHA256
d77a247192d4f7348c849918cc30999f1ec691d660abd88141b1ff6e5795caae

SHA512
48866eb6da51a490d060973b410044c2665db4064abe7ca2a008c0100fb3db2eff007d67a42865656f8cbade782464f386ae551ba424d050551f3d2497814cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
19ab243b5d595c31bdab81450af145ec

SHA1
1b93fe7b9139b4dd97d45edbf13fdb189f476b79

SHA256
930ff6dcf8cc2a82a886d3279cf453b29de79ebd5128bda185809e5c02c9645d

SHA512
850cdd011935dfb7b15174d81a3387473d9929e661b42d4be283493bd4816182cc901c88f5b625d426862045c411f43fbfafc62675a823e800e42b707e82c121

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
55133bc04bfa89b04d72d5f9034c958c

SHA1
3c48faecb1ba90b9630f64e2d9811f7b0ceaf997

SHA256
7e89a44f77b32d3fe0fe1aba602d0ec436876b24f553e158cb614d6504ffb60c

SHA512
d6363a25594bd464b583bdcd56035a69d89198476175229452c8566e0e45fea836a34733004c58022467e3cfc91daed4c40f2695df23cbc3afcaf76632062306

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
7bdad9c23fa1255c09c57c2bfa64abae

SHA1
ebc54570e3619a682d3de939515b674b5a208b9d

SHA256
029a39e1c50e7ac5a2ede79810abf6d337088a74aa7b8b6cf93d4a6045c580bd

SHA512
c6c279021951d0dfeb7ba9defb35563f31daf12172c34142ee5e18ff10b6a2c8e03ce3dedcfd65a3873afe36a7b6b00e82b78221e2b373ee3acb18c3388abf00

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
165d40b86ed5861b45caa653849ac8a1

SHA1
aa127fe28c30333070c3dce9e51444d1e0374beb

SHA256
ea34b081c801d3b54f161f97513a8441ab90fe4d2f788e58d83eaeb7b9e618ba

SHA512
1ac30b0361060f0e5ab4c7dece7bf40883a85278f8aa9f61f0c6e2079d1eca226f9b767289965d157c3436236a54aab6b1706aaffb63f0526248cb1b25157eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
fa7c19104cfa4ac71d50f021cd8dfd7a

SHA1
6f683f146944ed4e553171f2011b56419dafe94d

SHA256
cb3b7e46cd1672c0db7cec9ccabc6d9641d3ef53c5ec568d60406a8b51cee11b

SHA512
42ca5e7e6560465a3cd0caed905bf0954c092ad138f5a0f4c53988ee5d349d6c05f9fc64f1720cecc437358f13317e0bed1b4ce17a1949a3c985664f811ce6fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
f8566fea12aeca7d66b36fbcbc9a47f8

SHA1
f4b58e7eeb8c34ff8c67e2d50dd1245f91822f7a

SHA256
abc9303b427053b99a7eebea49d3fd3cceef04fc33e9cfd2e61e2105cced1f95

SHA512
5b7bbe22944c86fb5ad7a8f6bce462946b0fc33fdd6999e9bc42bb8e45fda0ede069ae1a86599501a109645eda3229d07b1dc53e1bd2f2845a29ec77597aa986

Download Submit
C:\Users\Admin\AppData\Local\Temp\C980DA7D.TMP

Filesize
129B

MD5
20841df8fd5067229c2d40258e54357c

SHA1
1588f4440971bdcc870236007c4aedf809da71fd

SHA256
65dd6d81d0a55857d2032be128c18d4bdaf190903bf9e2d2649d1f3dc8955a57

SHA512
39fd81c28bb86faf65645c74138e1c95933e4859a35cf2d3135b23feddf329fcf0c8f69d8d55b7c6c8a30bc007b950f5099ed73b071817d6d929bd691292d7d4

Download Submit
C:\exec1.exe

Filesize
660KB

MD5
ed4c3c45d8c912ba9b516b6da9e2ce58

SHA1
fdcb34d1f7463ae7fbf8b5ea3da97e6d3c39c154

SHA256
8708c9a1cdc102b4f8799d2bcc38a2e1763b62d8244ddda1531b689561f15997

SHA512
947d81c1dc9dd78a5845105ff2ec50adabc9223fa38b5f8a134de92d7967c92afff77c5011f4abc8b9f1e9c065aa436f3d46e083d55d8134a8da183b2e3ef103

Download Submit
C:\exec2.exe

Filesize
48KB

MD5
a4e5075de707c91f1802537f90e75cbe

SHA1
f986eb6918bdb31f305cd813eb307abe92a8d038

SHA256
a847f1f2d4df9b1ac403f741d08cfcab6ad53a04b7ba673803a4faf13fec1de3

SHA512
da443cbc231be234b04d3719c9765a1331ffc6ccfbdfa33b791288d122862799c6ffb93c4e3db1a2dcadfc45c5753f8ce412c0ab754b83085df6575b6703b981

Download Submit
memory/8-97-0x0000000000610000-0x000000000066A000-memory.dmp

Filesize
360KB

Download
memory/8-99-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/8-117-0x0000000000610000-0x000000000066A000-memory.dmp

Filesize
360KB

Download
memory/8-96-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/8-95-0x0000000000610000-0x000000000066A000-memory.dmp

Filesize
360KB

Download
memory/8-119-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/8-93-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/8-92-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/8-91-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/8-79-0x0000000000610000-0x000000000066A000-memory.dmp

Filesize
360KB

Download
memory/1040-265-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1040-241-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1804-143-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1804-167-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2052-238-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2052-214-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2600-189-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2600-161-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2696-65-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2696-87-0x0000000000700000-0x000000000075A000-memory.dmp

Filesize
360KB

Download
memory/2696-71-0x0000000000700000-0x000000000075A000-memory.dmp

Filesize
360KB

Download
memory/2696-64-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2696-94-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2696-56-0x0000000000700000-0x000000000075A000-memory.dmp

Filesize
360KB

Download
memory/2696-73-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2696-76-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2696-66-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/2696-74-0x0000000000700000-0x000000000075A000-memory.dmp

Filesize
360KB

Download
memory/2716-261-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/3392-215-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/3392-191-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/3404-32-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/3404-26-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/3404-15-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/3404-20-0x00000000006B0000-0x000000000070A000-memory.dmp

Filesize
360KB

Download
memory/3404-25-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/3404-27-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/3404-28-0x00000000006B0000-0x000000000070A000-memory.dmp

Filesize
360KB

Download
memory/3404-42-0x00000000006B0000-0x000000000070A000-memory.dmp

Filesize
360KB

Download
memory/3404-43-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/3904-120-0x0000000000710000-0x000000000076A000-memory.dmp

Filesize
360KB

Download
memory/3904-114-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/3904-113-0x0000000000710000-0x000000000076A000-memory.dmp

Filesize
360KB

Download
memory/3904-111-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/3904-112-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/3904-140-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/3904-110-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/3904-102-0x0000000000710000-0x000000000076A000-memory.dmp

Filesize
360KB

Download
memory/4080-47-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/4080-50-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/4080-37-0x00000000006E0000-0x000000000073A000-memory.dmp

Filesize
360KB

Download
memory/4080-51-0x00000000006E0000-0x000000000073A000-memory.dmp

Filesize
360KB

Download
memory/4080-53-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/4080-46-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/4080-48-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/4080-69-0x00000000006E0000-0x000000000073A000-memory.dmp

Filesize
360KB

Download
memory/4080-49-0x00000000006E0000-0x000000000073A000-memory.dmp

Filesize
360KB

Download
memory/4080-72-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/4388-17-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4388-0-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download