3a2a5e920e52942b0f9423a94db0a9ad48a96549ed7d04b6526f9d1ed243df2f

Analysis

max time kernel
267s
max time network
275s
platform
windows7_x64
resource
win7-20231215-es
resource tags

arch:x64arch:x86image:win7-20231215-eslocale:es-esos:windows7-x64systemwindows
submitted
12-02-2024 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Patch/wfilmorav13060-zmco.exe
Size

41.2MB
MD5

56fd172551e6e3d2a9d38974ebcbc26c
SHA1

36c1eda497a99497c72efe0cd3b5546630add886
SHA256

2ffd6cd0d6565c6641026fe321e56df0404a079585a2f7d826ac54977dae8cc0
SHA512

f057eba80a5645f43f9b9a0743ef7d7158779f7ed3c0a42bc69101d7d153510f6a07a2d99cccf1a5b975d3caf742f8a1fcf6bde7cecfe2ee4b129d450e9070d2
SSDEEP

786432:zxX+2eOjyJr5FHScfsDEqiovZXGBKE85MmrHIb2XJgdnGWY7L:zB+NJjDgEqRh2YEIr0uJgBGn

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 13 IoCs

Processes:

wfilmorav13060-zmco.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeRZSBKB.exeRZSBKB.exeGPUASX.exegpuasx.exe icsys.icn.exeexplorer.exe

pid	process
1356	wfilmorav13060-zmco.exe
2200	icsys.icn.exe
2832	explorer.exe
2696	spoolsv.exe
2228	svchost.exe
988	spoolsv.exe
2184	RZSBKB.exe
1432	RZSBKB.exe
1236	GPUASX.exe
1100	gpuasx.exe
2232	icsys.icn.exe
1224
2780	explorer.exe

Loads dropped DLL 30 IoCs

Processes:

wfilmorav13060-zmco.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exewfilmorav13060-zmco.exe RZSBKB.exeRZSBKB.exeGPUASX.exeicsys.icn.exe

pid	process
1292	wfilmorav13060-zmco.exe
1292	wfilmorav13060-zmco.exe
1292	wfilmorav13060-zmco.exe
2200	icsys.icn.exe
2200	icsys.icn.exe
2832	explorer.exe
2832	explorer.exe
2696	spoolsv.exe
2696	spoolsv.exe
2228	svchost.exe
2228	svchost.exe
1356	wfilmorav13060-zmco.exe
2184	RZSBKB.exe
1432	RZSBKB.exe
1432	RZSBKB.exe
1432	RZSBKB.exe
1432	RZSBKB.exe
1432	RZSBKB.exe
1432	RZSBKB.exe
1432	RZSBKB.exe
1356	wfilmorav13060-zmco.exe
1356	wfilmorav13060-zmco.exe
1356	wfilmorav13060-zmco.exe
1356	wfilmorav13060-zmco.exe
1356	wfilmorav13060-zmco.exe
1236	GPUASX.exe
1236	GPUASX.exe
1236	GPUASX.exe
1224
2232	icsys.icn.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI21842\python311.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI21842\python311.dll	upx
behavioral1/memory/1432-183-0x000007FEF5670000-0x000007FEF5C58000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exewfilmorav13060-zmco.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skyp\\Microsoft Update.lnk"	wfilmorav13060-zmco.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Patch\wfilmorav13060-zmco.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\Patch\wfilmorav13060-zmco.exe	autoit_exe
\??\c:\users\admin\appdata\local\temp\patch\wfilmorav13060-zmco.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\Skyp\Microsoft Office Click-to-Run.exe	autoit_exe

Drops file in Windows directory 6 IoCs

Processes:

explorer.exespoolsv.exesvchost.exeicsys.icn.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wfilmorav13060-zmco.exe icsys.icn.exeexplorer.exesvchost.exe

pid	process
1356	wfilmorav13060-zmco.exe
2200	icsys.icn.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2228	svchost.exe
2228	svchost.exe
2832	explorer.exe
2832	explorer.exe
2228	svchost.exe
2832	explorer.exe
2228	svchost.exe
2832	explorer.exe
2228	svchost.exe
2832	explorer.exe
2228	svchost.exe
2228	svchost.exe
2832	explorer.exe
2832	explorer.exe
2228	svchost.exe
2228	svchost.exe
2832	explorer.exe
2832	explorer.exe
2228	svchost.exe
2228	svchost.exe
2832	explorer.exe
2832	explorer.exe
2228	svchost.exe
2228	svchost.exe
2832	explorer.exe
2832	explorer.exe
2228	svchost.exe
2228	svchost.exe
2832	explorer.exe
2832	explorer.exe
2228	svchost.exe
2228	svchost.exe
2832	explorer.exe
2832	explorer.exe
2228	svchost.exe
2228	svchost.exe
2832	explorer.exe
2832	explorer.exe
2228	svchost.exe
2228	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2832 explorer.exe
2228 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

gpuasx.exe

pid process

1100 gpuasx.exe

pid	process
2832	explorer.exe
2228	svchost.exe

pid	process
1100	gpuasx.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

wfilmorav13060-zmco.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeGPUASX.exeicsys.icn.exeexplorer.exe

pid	process
1292	wfilmorav13060-zmco.exe
1292	wfilmorav13060-zmco.exe
2200	icsys.icn.exe
2200	icsys.icn.exe
2832	explorer.exe
2832	explorer.exe
2696	spoolsv.exe
2696	spoolsv.exe
2228	svchost.exe
2228	svchost.exe
988	spoolsv.exe
988	spoolsv.exe
2832	explorer.exe
2832	explorer.exe
1236	GPUASX.exe
1236	GPUASX.exe
2232	icsys.icn.exe
2232	icsys.icn.exe
2780	explorer.exe
2780	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wfilmorav13060-zmco.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exewfilmorav13060-zmco.exe RZSBKB.exeGPUASX.exeicsys.icn.exe

description	pid	process	target process
PID 1292 wrote to memory of 1356	1292	wfilmorav13060-zmco.exe	wfilmorav13060-zmco.exe
PID 1292 wrote to memory of 1356	1292	wfilmorav13060-zmco.exe	wfilmorav13060-zmco.exe
PID 1292 wrote to memory of 1356	1292	wfilmorav13060-zmco.exe	wfilmorav13060-zmco.exe
PID 1292 wrote to memory of 1356	1292	wfilmorav13060-zmco.exe	wfilmorav13060-zmco.exe
PID 1292 wrote to memory of 2200	1292	wfilmorav13060-zmco.exe	icsys.icn.exe
PID 1292 wrote to memory of 2200	1292	wfilmorav13060-zmco.exe	icsys.icn.exe
PID 1292 wrote to memory of 2200	1292	wfilmorav13060-zmco.exe	icsys.icn.exe
PID 1292 wrote to memory of 2200	1292	wfilmorav13060-zmco.exe	icsys.icn.exe
PID 2200 wrote to memory of 2832	2200	icsys.icn.exe	explorer.exe
PID 2200 wrote to memory of 2832	2200	icsys.icn.exe	explorer.exe
PID 2200 wrote to memory of 2832	2200	icsys.icn.exe	explorer.exe
PID 2200 wrote to memory of 2832	2200	icsys.icn.exe	explorer.exe
PID 2832 wrote to memory of 2696	2832	explorer.exe	spoolsv.exe
PID 2832 wrote to memory of 2696	2832	explorer.exe	spoolsv.exe
PID 2832 wrote to memory of 2696	2832	explorer.exe	spoolsv.exe
PID 2832 wrote to memory of 2696	2832	explorer.exe	spoolsv.exe
PID 2696 wrote to memory of 2228	2696	spoolsv.exe	svchost.exe
PID 2696 wrote to memory of 2228	2696	spoolsv.exe	svchost.exe
PID 2696 wrote to memory of 2228	2696	spoolsv.exe	svchost.exe
PID 2696 wrote to memory of 2228	2696	spoolsv.exe	svchost.exe
PID 2228 wrote to memory of 988	2228	svchost.exe	spoolsv.exe
PID 2228 wrote to memory of 988	2228	svchost.exe	spoolsv.exe
PID 2228 wrote to memory of 988	2228	svchost.exe	spoolsv.exe
PID 2228 wrote to memory of 988	2228	svchost.exe	spoolsv.exe
PID 1356 wrote to memory of 2184	1356	wfilmorav13060-zmco.exe	RZSBKB.exe
PID 1356 wrote to memory of 2184	1356	wfilmorav13060-zmco.exe	RZSBKB.exe
PID 1356 wrote to memory of 2184	1356	wfilmorav13060-zmco.exe	RZSBKB.exe
PID 1356 wrote to memory of 2184	1356	wfilmorav13060-zmco.exe	RZSBKB.exe
PID 2228 wrote to memory of 3028	2228	svchost.exe	at.exe
PID 2228 wrote to memory of 3028	2228	svchost.exe	at.exe
PID 2228 wrote to memory of 3028	2228	svchost.exe	at.exe
PID 2228 wrote to memory of 3028	2228	svchost.exe	at.exe
PID 2184 wrote to memory of 1432	2184	RZSBKB.exe	RZSBKB.exe
PID 2184 wrote to memory of 1432	2184	RZSBKB.exe	RZSBKB.exe
PID 2184 wrote to memory of 1432	2184	RZSBKB.exe	RZSBKB.exe
PID 1356 wrote to memory of 1236	1356	wfilmorav13060-zmco.exe	GPUASX.exe
PID 1356 wrote to memory of 1236	1356	wfilmorav13060-zmco.exe	GPUASX.exe
PID 1356 wrote to memory of 1236	1356	wfilmorav13060-zmco.exe	GPUASX.exe
PID 1356 wrote to memory of 1236	1356	wfilmorav13060-zmco.exe	GPUASX.exe
PID 1236 wrote to memory of 1100	1236	GPUASX.exe	gpuasx.exe
PID 1236 wrote to memory of 1100	1236	GPUASX.exe	gpuasx.exe
PID 1236 wrote to memory of 1100	1236	GPUASX.exe	gpuasx.exe
PID 1236 wrote to memory of 1100	1236	GPUASX.exe	gpuasx.exe
PID 1236 wrote to memory of 2232	1236	GPUASX.exe	icsys.icn.exe
PID 1236 wrote to memory of 2232	1236	GPUASX.exe	icsys.icn.exe
PID 1236 wrote to memory of 2232	1236	GPUASX.exe	icsys.icn.exe
PID 1236 wrote to memory of 2232	1236	GPUASX.exe	icsys.icn.exe
PID 2232 wrote to memory of 2780	2232	icsys.icn.exe	explorer.exe
PID 2232 wrote to memory of 2780	2232	icsys.icn.exe	explorer.exe
PID 2232 wrote to memory of 2780	2232	icsys.icn.exe	explorer.exe
PID 2232 wrote to memory of 2780	2232	icsys.icn.exe	explorer.exe
PID 2228 wrote to memory of 2020	2228	svchost.exe	at.exe
PID 2228 wrote to memory of 2020	2228	svchost.exe	at.exe
PID 2228 wrote to memory of 2020	2228	svchost.exe	at.exe
PID 2228 wrote to memory of 2020	2228	svchost.exe	at.exe
PID 2228 wrote to memory of 2552	2228	svchost.exe	at.exe
PID 2228 wrote to memory of 2552	2228	svchost.exe	at.exe
PID 2228 wrote to memory of 2552	2228	svchost.exe	at.exe
PID 2228 wrote to memory of 2552	2228	svchost.exe	at.exe
PID 2228 wrote to memory of 2808	2228	svchost.exe	at.exe
PID 2228 wrote to memory of 2808	2228	svchost.exe	at.exe
PID 2228 wrote to memory of 2808	2228	svchost.exe	at.exe
PID 2228 wrote to memory of 2808	2228	svchost.exe	at.exe
PID 2228 wrote to memory of 2840	2228	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\Patch\wfilmorav13060-zmco.exe
"C:\Users\Admin\AppData\Local\Temp\Patch\wfilmorav13060-zmco.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292

\??\c:\users\admin\appdata\local\temp\patch\wfilmorav13060-zmco.exe
c:\users\admin\appdata\local\temp\patch\wfilmorav13060-zmco.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\RZSBKB.exe
"C:\Users\Admin\AppData\Local\Temp\RZSBKB.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Local\Temp\RZSBKB.exe
"C:\Users\Admin\AppData\Local\Temp\RZSBKB.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1432

C:\Users\Admin\AppData\Local\Temp\GPUASX.exe
"C:\Users\Admin\AppData\Local\Temp\GPUASX.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236

\??\c:\users\admin\appdata\local\temp\gpuasx.exe
c:\users\admin\appdata\local\temp\gpuasx.exe
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1100

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2780

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2696

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:988

C:\Windows\SysWOW64\at.exe
at 17:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:3028

C:\Windows\SysWOW64\at.exe
at 17:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:2020

C:\Windows\SysWOW64\at.exe
at 17:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:2552

C:\Windows\SysWOW64\at.exe
at 17:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:2808

C:\Windows\SysWOW64\at.exe
at 17:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:2840

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GPUASX.exe

Filesize
4.1MB

MD5
4a05d8618626eaef679d2c2dcbb6a736

SHA1
42eec890d9a33a1190cc7abec845285d845b70cf

SHA256
2b7a582cfa64f07c3a523f46fffe003b783ea88f2a7732f36ed346ddb449ce4b

SHA512
ced2c97e40a86029d948373e92f9134f51b29ee1241bd709e2d34c825eee76911c67ffe235e76866a575f7ea25cb8c0f4b34fe28fcfa95a87b6cd90d224f629d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Patch\wfilmorav13060-zmco.exe

Filesize
16.7MB

MD5
31f04618c3dd182e5f216d0fc10bb481

SHA1
f15d51a5bcf74dff84e21aef7bd4c5ec0458f691

SHA256
a45f900f2c2d857fb24b2f54adcd16a3f60936fbaa3308b1158480cc43981d30

SHA512
ac1a5dec6837ca1b2a0900f62e39f67242b58471ba7ce7cdc2ef6d0c2fa4ebec7483fb186bf94870e0224c6b1b96bfa5fed5e62f4e73cb0e3a72a00f9c5b7dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RZSBKB.exe

Filesize
5.2MB

MD5
7a478f7b8a04be358fed064fb3a2f547

SHA1
3ba752181bff3f86a7c6eeb9ae8d490c8169ac10

SHA256
b7e8fcd24b9d5d8a341386a019bd81b4cabef654211ddf29d33d146db0c5bf65

SHA512
4d26ed30e8a47a7cc40e6c7730fa0c6444cfcf85057c198b8c9cdbfd8adb10bbdb3ee9e33a18d7ae224c0a31249e92f640a1056fa02c5282446e76cb1f8a3eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RZSBKB.exe

Filesize
2.8MB

MD5
1f853bb947feeb01e2995e30a107d891

SHA1
757e3eaf8b8012cacf4954c50d6579f31de84dcf

SHA256
559bb34bb8a2c9f21a0309f128065c840b85b42f07d8c2a7747828fc65608047

SHA512
b21a22f6bae71ae3ee78de3599e1543375fb2d483347da87266efa69b29f1c9ca2c43cb440786607cfd475d6011669a55d7055799f15d78b1bddcb326d561b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\RZSBKB.exe

Filesize
4.7MB

MD5
04b15068d6ef99e303270d6946d15d96

SHA1
55f729e5893fa8fa527d0078d2911b64299c620e

SHA256
22d7f009403018c2f51e3c302e9f322333246a1028a23a42dbda5832c284bc37

SHA512
b7df62946c9817f39f3c2eac19bb04f4b923c68b78c095408c042742435360047289fe43aef025b8dd37d6c5bf56ffaa3a364d9bc06b38161dcfe562904b3499

Download Submit
C:\Users\Admin\AppData\Local\Temp\RZSBKB.exe

Filesize
5.6MB

MD5
da61cb7a0cbbfe608d22b0198ef79842

SHA1
7c612564139b6154a3442ce8eb132b68a4a35087

SHA256
b0beaf149edb369eeabcc1f539a09fd7790c38376f4adabd4a07db797fabf6b0

SHA512
470304c3c29952bc0992be3129a888f2a6c3deed23fddd84afd1b3e52883d8a32e04651bfd36e9eaa6f8f191e4821c65db8a6128c3d701e36567b9786dcc74e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skyp\Microsoft Office Click-to-Run.exe

Filesize
1.5MB

MD5
cd9700e6c703767c3169ed78415226ff

SHA1
e3d7423c7576fad29b3d2e6496c98fdb111809dc

SHA256
c554a53910cf08254f3185fd48016fb3ec26a54ed149fb47999a10d444c1e24b

SHA512
41a708d6d0b4514930a69432527ffda249ef3c719300b5be7226046465c3f04c6fb8de1b564b8da94edbe476eacc409848a1f2f2d5f75542822b3b18b7926f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21842\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
bcb8b9f6606d4094270b6d9b2ed92139

SHA1
bd55e985db649eadcb444857beed397362a2ba7b

SHA256
fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118

SHA512
869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21842\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21842\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
20ddf543a1abe7aee845de1ec1d3aa8e

SHA1
0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf

SHA256
d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8

SHA512
96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21842\python311.dll

Filesize
1.1MB

MD5
933e4e3015a4da47050e312c1680925c

SHA1
4f1a2ce586321376c8ba11585b30b9049dd4d36f

SHA256
c53d619b732a02a94bf813316099e70da5530af0891553007f4b8ce515059c71

SHA512
2cee9f292bbe34608c3fa5ddd29a45bc4b580426b40b52a62e14323b93f70f6f0d069285307f081f28afc78200374ea706b420d785839c74ea124479b3006489

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21842\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpuasx.exe

Filesize
1.9MB

MD5
2652382d49646ad8dc17fe8604db082c

SHA1
ca59b72b140294e152bb66762277b356cf6e0bb6

SHA256
f621575d8733177ac119f04e0be2932ee3f4162fee3e355364e4ddfc5e4d0ecd

SHA512
6a6b02b1e0fd1ea972712c464ddfebda9f8a47fc75cb2ab234725884e20fdb3d4de146c78a19609aed7d230298cbdda0c7db71c8db6484c99a09dab2ef01b7d1

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
207KB

MD5
f34d0f1e8828392a5af2d17bc4ad1f65

SHA1
194506bbe29fb342d291a47b42a12b62151e9cb9

SHA256
6c5c9cd33eb448a9cc891c5d0c6affed6d852628663609b758ed8550de85946e

SHA512
8317ced68a0cc6c9f72b946996e5f8890ddbee57effa6d3326c47de2a2a48019ab8e83d5d9536f469addf30be22941df6e04692552adac7aa19ccb7267de109a

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
ea264cac0306f3d2917dc5e3f6dd8408

SHA1
a012b9fa0135f75069e2ba3deb4d196fcfa579f3

SHA256
5612cb1aecf6caac04d049d790b666ce38cfbd4307ea7d094822e4d0a6831ef5

SHA512
c3159efb05449543f6ca40488562420f11efdea53dc0efa128014e39f0c14ab6e456fddcecc8e6c2426a790df3520b93711b66c262ca63d64eee81623ba5cf6a

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\users\admin\appdata\local\temp\gpuasx.exe

Filesize
1.8MB

MD5
9640780e1aba4f9bec0b76bd3bd35431

SHA1
72d931e52b3b37ad48ea1bb71eb0dc65861838f4

SHA256
b208b63842c7a89455afec928c2e6000b6399ddf7bd6eaf362d5e9e4df592014

SHA512
ca881a9d26f0e94b1582ff00ac9afe0dcc579eaa5a9807ff19365ca9ec6f1bf4788664e48f6da8a41104880d9d27d1fad3683e981c358f384ee264fa36a4b9a4

Download Submit
\??\c:\users\admin\appdata\local\temp\gpuasx.exe

Filesize
1.8MB

MD5
9d37884b39641a667fb7f08f67941d7d

SHA1
a803ab00933c5a11630e54dfb291e95d589c1eb7

SHA256
da8fc882501515b7fc4ab75135091357ccbe4d52bf11e506bf30fc2b2921909e

SHA512
eaed7aa426eca8f5a6938c12e7ff1e8d25de85d2e2d9ef050c2514e65b96626c9f4183adc8364a440236c77ff0c91318aebf0228e9962128e2b2b92b33d852be

Download Submit
\??\c:\users\admin\appdata\local\temp\patch\wfilmorav13060-zmco.exe

Filesize
1.1MB

MD5
8dcac35c581598fea6537a43908454ad

SHA1
27d25306e5fffc6b650785eb261afff8d206de63

SHA256
b29ebb4ce90cf0c05ece5e524307f81113153128b281914de7802577b023d708

SHA512
8a9b2e20d28ebac5a0094ebe9a080a04565847b688088b1a9e94e4109edc681aa78295600008f453f52a9cc5871487fb253fb42cc1a6777561edaa194a00ee5e

Download Submit
\Users\Admin\AppData\Local\Temp\GPUASX.exe

Filesize
3.1MB

MD5
555c7863a37cb624f269d9cccef0f56d

SHA1
c72b70228aa897addb66b72cf567cdb8af9f3c2c

SHA256
44fc07e6d4fd76c57a7e48d861657c3e50da1138f648707ae5e80b697cc4fbdd

SHA512
047c0d28ccc6dc321453d2b8dd3dd2fb3dccf355d653585024a4965cc3a4abf545dee00b86554877f7cca4329bcd3c28397ca9993e58b5f7db9131d782040fc5

Download Submit
\Users\Admin\AppData\Local\Temp\GPUASX.exe

Filesize
4.7MB

MD5
02c0b10e571deca6290dcdb9710b5315

SHA1
138f8d0fed7a62ddd19991351b763b953377ef03

SHA256
4ddf0c98d6d62f733206f325db69c9e65fc5fa0323edfd9a305f06a867f4dc9b

SHA512
d5a650cd9fe07c8f56256dbd4fce83babe5e1b3f1026c25018b8635bfb23880a3495248a47729abfd11a214d771d008e7f3e953bf9dec4e0580ce636f4699bb9

Download Submit
\Users\Admin\AppData\Local\Temp\GPUASX.exe

Filesize
3.3MB

MD5
b7843d2e888c5946920e7db90039160a

SHA1
09580327d96c228ee3e97d2b08d63da80a36e764

SHA256
525fe1722fa23131e3cfaac57b6d41a3991a28bbdeabe9c076b0c6415e6bf551

SHA512
e3239fb2617564dd50e4505411b8d67cec89b49a46f819785ddc860184d48e9427734c0352bb10783fe784234079c18ac81af7cae08c6bb67bc19874bff8debf

Download Submit
\Users\Admin\AppData\Local\Temp\GPUASX.exe

Filesize
3.1MB

MD5
e65c1569527142ee61d29df9520d58bd

SHA1
ec80159fa2a177f7abad66902aba5ef5365c21b8

SHA256
35d42c77453bdd9a8479836d02317ef039cb5050c3e029fb4c4ea88158ebde69

SHA512
f942261a261cfdc95c7dacff0e77a509d12255f182798fae06012e5167dced3b1c782c1e49ef3b4e43ed2a1e048ab2bde12536da319113c5b54f607bd83ba86f

Download Submit
\Users\Admin\AppData\Local\Temp\GPUASX.exe

Filesize
2.9MB

MD5
0b51508451f9b37f3ddba5c76f958cb8

SHA1
b36b5e63dd9a07cac5bcf0de3eac5e56e152c10c

SHA256
e55de6d9e3e8bdf6a957c8f0a613bbdfc5190963581719d7ac065716949b9793

SHA512
5f2c1a57dcad052c266f0d2d852d5cb3012408b62daf130e59f04441f1e8c2732091d9a4ad8c0ccfd7a0833e99765d630c8b0e275aa3a07ffdc9c4f1962d8713

Download Submit
\Users\Admin\AppData\Local\Temp\Patch\wfilmorav13060-zmco.exe

Filesize
12.9MB

MD5
78f0bc7a45045b34a9dbd3129dc103f6

SHA1
efe170b90ca16dc4ffce9b597cc631533568e993

SHA256
352dd98280ef2031cd127d0a3dff8d22ad31dff0a815d028f924d8328a1bfa9c

SHA512
52e6033a6147e49bf6214a9a9e961df13b357fc204e8888f2bd657114beb32874a3007b28dfed561265b78f6f9994a1436d2965f8badff75c1befdb986ebc8aa

Download Submit
\Users\Admin\AppData\Local\Temp\RZSBKB.exe

Filesize
2.8MB

MD5
cd79989347efaa4459f90f4fd9130ba0

SHA1
8f332956814cf45db53f7077d57adf4cf2950016

SHA256
3531108210202e5375aa8946ea09ea0e1eebe0d945458d7e3752ed2add7d096c

SHA512
1a0fb26045ae0e16d5fffbf55bc140ca98f35217b93f559f9141db2200f224466b6e9e0ec263381e4caf3eac6fe66b2af30f2c6e8f6bbe3d449c813776e45e17

Download Submit
\Users\Admin\AppData\Local\Temp\RZSBKB.exe

Filesize
1.1MB

MD5
622d076a38ef8fd44c2cb3ba927e8e6a

SHA1
894c5ad3a171af5bc1d8732829b3183572dddce2

SHA256
16d2ec82d649f797de78eca6c1d3cdcd77b36cfffbce0905021f08f005ae5932

SHA512
65bfabeac7dabeac8c0783c0d05e9147c6c68f9061033f29580462b1b119ed1f0c26049770b662c5190b7ff835dc0c62814a3d240c36dfc3bfc614e94f838fb4

Download Submit
\Users\Admin\AppData\Local\Temp\RZSBKB.exe

Filesize
1024KB

MD5
dfb69581319d8bf550061c97b5a2aab1

SHA1
8026cb1a50a01b85a2a083561ef27190cb5fe311

SHA256
10b5706471b456cf40879de95a9e685f2dabe11fa6c333f2f05f288a89845377

SHA512
11493cff14e8cf25c7faaa6ad4c1c3240f51de90f69b30ebce869d10e5574ea2efabfe0dff1a13b883e6567d9cfd26fabf7ca798a522fdc4c0d65c21349cdc64

Download Submit
\Users\Admin\AppData\Local\Temp\RZSBKB.exe

Filesize
7.7MB

MD5
caf24f221f56e4b0696bd4120aee4a32

SHA1
a932eef1254c0764e7a9c4e3d9d28315a1139c0d

SHA256
3d02656923425eb2771aedd203fc20343b71c22cae609ae6a07741758e577c23

SHA512
2d831fc546dfdb9aee5d719232d718d7b61a18703f1c92b915a471a92df8ac23e91b48f7bd705d0bc33391ef79a3d84c67d4a84d033773713f3ca2e82fa8f711

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21842\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
4380d56a3b83ca19ea269747c9b8302b

SHA1
0c4427f6f0f367d180d37fc10ecbe6534ef6469c

SHA256
a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a

SHA512
1c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21842\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
2554060f26e548a089cab427990aacdf

SHA1
8cc7a44a16d6b0a6b7ed444e68990ff296d712fe

SHA256
5ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044

SHA512
fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21842\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
\Users\Admin\AppData\Local\Temp\gpuasx.exe

Filesize
256KB

MD5
7d1aebd90be42a58b1d86e09b58b561b

SHA1
ef88ccf6f584bcffaa0d6b01e4fa469a6648eff6

SHA256
c5ae65b41bcc9546a108c3cb7e0a81813e03f442421c04af60e68035b9bd44ae

SHA512
58e769bf984bea245104f5c54909b7b6c0cddd25e98b6ad0de9a508211a7dce267a6948dce0d929133dc595503d538b14ecfbdf9093e89b4d2857aa77d69d342

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
d6937eb63a966562f0cd37f2dd6a8a83

SHA1
120e925c465fd6ace313ccf14802f7ab15bb3cf1

SHA256
a94e0f80f6f4698bf3b27bcc9e96768aeb98bb4c4209ce64a65892642b2fc2ad

SHA512
72547a98ab87c89632944bb2f1baeaef670c4296c11198dc3816d3787683bc9206170e44a3da7445c9131e615f606b8adc08e05f79913d68bd4c98d5ea191c76

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
d6d6acfb908de9da919255ebc5b522fd

SHA1
926c422fd7cb532403c402b3e8b96fb1ef22b6d5

SHA256
3e44002300ced34c81d4bf820a1e4a1b3e57af54107dcf7d67cc8df421f427c4

SHA512
28a76f5c36cd4639d5e43fa6ace7fbb5c6f42029f7e8b1625de648ecc6bceb6206905eecf43d7dba76e53e10ac8c5fdb70a0ea0c252260cc0d71b004aa6c5214

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
0c1bddcf7b3bbcab23bdad21894b7337

SHA1
60947e8a6c0cb9e5e7c66a98b1cf23fef6ecc2fd

SHA256
d11dd47d09052c951f7bdb14b68c217644f5ff1d5b07fa816f1d929c103d1b1b

SHA512
e50c21085a24bfbe1d257759c6aa6c92157c9a6b714da87486947e3c48bc5efc1f9e57cc278371de551605675d9bc9379247dce4106f32378c006e795d1a49bd

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
a75fe8e5e743d77fcd0c48cc04105f08

SHA1
081afb9c7274b752611407c8cb9553d31e75aa22

SHA256
b66a0dfc29b9c17834bca02b273ca6d17b274e8891e37a6873b2f13bc8f13777

SHA512
ec56f0947274cc27316fa534aaee7ca745a5e5126c2b6c3a8c857d18cd056c5bd84f34fd18fe21d3af199c83b5b5acb03b8eb019c0f94c81d38b41360146feca

Download Submit
memory/988-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1100-229-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/1100-240-0x0000000004190000-0x0000000004191000-memory.dmp

Filesize
4KB

Download
memory/1100-260-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-261-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-262-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-263-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-264-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-265-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-266-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-247-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-248-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-250-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-251-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/1100-252-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-220-0x0000000000400000-0x0000000002630000-memory.dmp

Filesize
34.2MB

Download
memory/1100-221-0x0000000003E20000-0x0000000003E80000-memory.dmp

Filesize
384KB

Download
memory/1100-222-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1100-224-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1100-225-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1100-226-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/1100-227-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1100-228-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1100-259-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-230-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1100-231-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1100-233-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/1100-234-0x0000000003F90000-0x0000000003F91000-memory.dmp

Filesize
4KB

Download
memory/1100-232-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/1100-235-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/1100-236-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/1100-237-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-238-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/1100-239-0x0000000004130000-0x0000000004131000-memory.dmp

Filesize
4KB

Download
memory/1100-253-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-241-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/1100-242-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/1100-243-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-246-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-245-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-244-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/1100-249-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-258-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-257-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-256-0x0000000000400000-0x0000000002630000-memory.dmp

Filesize
34.2MB

Download
memory/1100-255-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1100-254-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/1236-218-0x0000000002E80000-0x00000000050B0000-memory.dmp

Filesize
34.2MB

Download
memory/1236-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1292-93-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1292-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1292-25-0x00000000004C0000-0x0000000000500000-memory.dmp

Filesize
256KB

Download
memory/1292-26-0x00000000004C0000-0x0000000000500000-memory.dmp

Filesize
256KB

Download
memory/1356-203-0x0000000003D70000-0x0000000003DB0000-memory.dmp

Filesize
256KB

Download
memory/1356-186-0x0000000003D60000-0x0000000003DA0000-memory.dmp

Filesize
256KB

Download
memory/1356-200-0x0000000003D70000-0x0000000003DB0000-memory.dmp

Filesize
256KB

Download
memory/1432-183-0x000007FEF5670000-0x000007FEF5C58000-memory.dmp

Filesize
5.9MB

Download
memory/2200-42-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/2200-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-92-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-99-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/2228-491-0x0000000003470000-0x000000000387B000-memory.dmp

Filesize
4.0MB

Download
memory/2228-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-91-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2832-56-0x0000000002850000-0x0000000002890000-memory.dmp

Filesize
256KB

Download
memory/2832-62-0x0000000002850000-0x0000000002890000-memory.dmp

Filesize
256KB

Download