234b8e1aa9c69ab722776ac9ef3dcbe451e5d8f0e7bfdee37470957d5e1dbf2b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 06:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bde0b6cb734c367a026bc5364404a5a3.exe
Size

924KB
MD5

bde0b6cb734c367a026bc5364404a5a3
SHA1

c7ce33ecffe0708d1cada917bf575b92a14589a0
SHA256

234b8e1aa9c69ab722776ac9ef3dcbe451e5d8f0e7bfdee37470957d5e1dbf2b
SHA512

41167ca4016e6bd6eb9f26bbffc432ae0de1b9f34f7c4accd13056fc32c3279e194e5a3d80cc45ff9027797df4ce3228b1e60456bc086632fd16fca789f94626
SSDEEP

24576:kq8wRzYCCKpkwrkTiwYuEFvdG2tUzLHmNYhGtRQ:r8ksKptkFYuEFvcYM7ms/

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	bde0b6cb734c367a026bc5364404a5a3.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bde0b6cb734c367a026bc5364404a5a3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	bde0b6cb734c367a026bc5364404a5a3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe

Executes dropped EXE 9 IoCs

pid	Process
1584	svuhost.exe
732	svuhost.exe
1516	svuhost.exe
3540	svuhost.exe
3892	svuhost.exe
4472	svuhost.exe
920	svuhost.exe
4480	svuhost.exe
2448	svuhost.exe

Loads dropped DLL 30 IoCs

pid	Process
3344	bde0b6cb734c367a026bc5364404a5a3.exe
3344	bde0b6cb734c367a026bc5364404a5a3.exe
3344	bde0b6cb734c367a026bc5364404a5a3.exe
1584	svuhost.exe
1584	svuhost.exe
1584	svuhost.exe
732	svuhost.exe
732	svuhost.exe
732	svuhost.exe
1516	svuhost.exe
1516	svuhost.exe
1516	svuhost.exe
3540	svuhost.exe
3540	svuhost.exe
3540	svuhost.exe
3892	svuhost.exe
3892	svuhost.exe
3892	svuhost.exe
4472	svuhost.exe
4472	svuhost.exe
4472	svuhost.exe
920	svuhost.exe
920	svuhost.exe
920	svuhost.exe
4480	svuhost.exe
4480	svuhost.exe
4480	svuhost.exe
2448	svuhost.exe
2448	svuhost.exe
2448	svuhost.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\packet.dll	bde0b6cb734c367a026bc5364404a5a3.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	bde0b6cb734c367a026bc5364404a5a3.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	bde0b6cb734c367a026bc5364404a5a3.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	bde0b6cb734c367a026bc5364404a5a3.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tYgI\ = "oPFkDez@NynW_USZe@R"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKra}\\MWEJZwCluG"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\gZklfSrxju\ = "x`mXyJbRcMSOXEtKSRYfZQe]L~^\x7fN"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKraylMWEJY\|\\\|I~"	svuhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\InProcServer32	bde0b6cb734c367a026bc5364404a5a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ogztnehhhPf	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\gZklfSrxju\ = "x`mXyJbRcMSOXEtKSRYfZQe]L~^\x7fN"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ctDbeydiMQg\ = "YRiyzFOxRiah_CYZjAlxhh"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ogztnehhhPf\ = "\x7fsxD^jYSrqOqQqX}]p~b}^dsmLA"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ctDbeydiMQg\ = "YRiyzFOxRiah_CYZjAlxhh"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKrazlMWEJYmx~u_"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ogztnehhhPf\ = "\x7fsxD^kVSrqOqQqX}]p~b}^dsmLA"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKra\|LMWEJZare~f"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ogztnehhhPf\ = "\x7fsxD^jjSrqOqQqX}]p~b}^dsmLA"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tYgI\ = "oPFkDez@NrnW_USZeKR"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKravlMWEJX_Vwgn"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ctDbeydiMQg\ = "YRiyzFOxRiah_CYZjAlxhh"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKra{LMWEJ[Aaok@"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKrayLMWEJZILB\x7fC"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tYgI\ = "oPFkDez@NznW_USZeCR"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\uyMy\ = "`DsuP^mx]AxpMbJUGm{b}bw\|]Ss"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tYgI\ = "oPFkDez@NxnW_USZeAR"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKra\|\|MWEJXW~xwH"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\gZklfSrxju\ = "x`mXyJbRcMSOXEtKSRYfZQe]L~^\x7fN"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ogztnehhhPf\ = "\x7fsxD^jKSrqOqQqX}]p~b}^dsmLA"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\uyMy\ = "`DsuP^mx]AxpMbJUGm{b}bw\|]Ss"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKraz\\MWEJZiJ[Th"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKra{lMWEJYO^KXr"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\uyMy\ = "`DsuP^mx]AxpMbJUGm{b}bw\|]Ss"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKraw\\MWEJ[aJmWT"	svuhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tYgI	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKra}LMWEJXGIzuz"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ogztnehhhPf\ = "\x7fsxD^kgSrqOqQqX}]p~b}^dsmLA"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ctDbeydiMQg\ = "YRiyzFOxRiah_CYZjAlxhh"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll"	bde0b6cb734c367a026bc5364404a5a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\uyMy	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ogztnehhhPf\ = "\x7fsxD^jtSrqOqQqX}]p~b}^dsmLA"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\InProcServer32\ThreadingModel = "Apartment"	bde0b6cb734c367a026bc5364404a5a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ctDbeydiMQg\ = "YRiyzFOxRiah_CYZjAlxhh"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tYgI\ = "oPFkDez@N\|nW_USZeER"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tYgI\ = "oPFkDez@NsnW_USZeJR"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tYgI\ = "oPFkDez@N}nW_USZeDR"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKraxLMWEJYtW_wu"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKra\x7f\\MWEJXiOb}U"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ogztnehhhPf\ = "\x7fsxD^kgSrqOqQqX}]p~b}^dsmLA"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKravLMWEJXed\|Kl"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tYgI\ = "oPFkDez@N}nW_USZeDR"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\gZklfSrxju\ = "x`mXyJbRcMSOXEtKSRYfZQe]L~^\x7fN"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ogztnehhhPf\ = "\x7fsxD^j{SrqOqQqX}]p~b}^dsmLA"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\uyMy\ = "`DsuP^mx]AxpMbJUGm{b}bw\|]Ss"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ctDbeydiMQg\ = "YRiyzFOxRiah_CYZjAlxhh"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tYgI\ = "oPFkDez@N~nW_USZeGR"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ogztnehhhPf\ = "\x7fsxD^j{SrqOqQqX}]p~b}^dsmLA"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKrax\\MWEJYoNR\x7ff"	svuhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ctDbeydiMQg	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tYgI\ = "oPFkDez@NxnW_USZeAR"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKrawLMWEJZ\x7fkcea"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKra\x7flMWEJXWzPNZ"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKrayLMWEJZILB\x7fC"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKra{\|MWEJ[\x7fT]XO"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xoZkwnulW\ = "qXXWrKray\\MWEJZlBVHy"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tYgI\ = "oPFkDez@NqnW_USZeHR"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ = "Csc Sync"	bde0b6cb734c367a026bc5364404a5a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\gZklfSrxju\ = "x`mXyJbRcMSOXEtKSRYfZQe]L~^\x7fN"	svuhost.exe

NTFS ADS 10 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: 33	3344	bde0b6cb734c367a026bc5364404a5a3.exe
Token: SeIncBasePriorityPrivilege	3344	bde0b6cb734c367a026bc5364404a5a3.exe
Token: 33	1584	svuhost.exe
Token: SeIncBasePriorityPrivilege	1584	svuhost.exe
Token: 33	732	svuhost.exe
Token: SeIncBasePriorityPrivilege	732	svuhost.exe
Token: 33	1516	svuhost.exe
Token: SeIncBasePriorityPrivilege	1516	svuhost.exe
Token: 33	3540	svuhost.exe
Token: SeIncBasePriorityPrivilege	3540	svuhost.exe
Token: 33	3892	svuhost.exe
Token: SeIncBasePriorityPrivilege	3892	svuhost.exe
Token: 33	4472	svuhost.exe
Token: SeIncBasePriorityPrivilege	4472	svuhost.exe
Token: 33	920	svuhost.exe
Token: SeIncBasePriorityPrivilege	920	svuhost.exe
Token: 33	4480	svuhost.exe
Token: SeIncBasePriorityPrivilege	4480	svuhost.exe
Token: 33	2448	svuhost.exe
Token: SeIncBasePriorityPrivilege	2448	svuhost.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 1584	3344	bde0b6cb734c367a026bc5364404a5a3.exe	89
PID 3344 wrote to memory of 1584	3344	bde0b6cb734c367a026bc5364404a5a3.exe	89
PID 3344 wrote to memory of 1584	3344	bde0b6cb734c367a026bc5364404a5a3.exe	89
PID 1584 wrote to memory of 732	1584	svuhost.exe	100
PID 1584 wrote to memory of 732	1584	svuhost.exe	100
PID 1584 wrote to memory of 732	1584	svuhost.exe	100
PID 732 wrote to memory of 1516	732	svuhost.exe	103
PID 732 wrote to memory of 1516	732	svuhost.exe	103
PID 732 wrote to memory of 1516	732	svuhost.exe	103
PID 1516 wrote to memory of 3540	1516	svuhost.exe	105
PID 1516 wrote to memory of 3540	1516	svuhost.exe	105
PID 1516 wrote to memory of 3540	1516	svuhost.exe	105
PID 3540 wrote to memory of 3892	3540	svuhost.exe	106
PID 3540 wrote to memory of 3892	3540	svuhost.exe	106
PID 3540 wrote to memory of 3892	3540	svuhost.exe	106
PID 3892 wrote to memory of 4472	3892	svuhost.exe	108
PID 3892 wrote to memory of 4472	3892	svuhost.exe	108
PID 3892 wrote to memory of 4472	3892	svuhost.exe	108
PID 4472 wrote to memory of 920	4472	svuhost.exe	109
PID 4472 wrote to memory of 920	4472	svuhost.exe	109
PID 4472 wrote to memory of 920	4472	svuhost.exe	109
PID 920 wrote to memory of 4480	920	svuhost.exe	113
PID 920 wrote to memory of 4480	920	svuhost.exe	113
PID 920 wrote to memory of 4480	920	svuhost.exe	113
PID 4480 wrote to memory of 2448	4480	svuhost.exe	114
PID 4480 wrote to memory of 2448	4480	svuhost.exe	114
PID 4480 wrote to memory of 2448	4480	svuhost.exe	114

C:\Users\Admin\AppData\Local\Temp\bde0b6cb734c367a026bc5364404a5a3.exe
"C:\Users\Admin\AppData\Local\Temp\bde0b6cb734c367a026bc5364404a5a3.exe"
1⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Windows\SysWOW64\svuhost.exe
  C:\Windows\system32\svuhost.exe 1472 "C:\Users\Admin\AppData\Local\Temp\bde0b6cb734c367a026bc5364404a5a3.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\SysWOW64\svuhost.exe
    C:\Windows\system32\svuhost.exe 1456 "C:\Windows\SysWOW64\svuhost.exe"
    3⤵
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:732
  - - C:\Windows\SysWOW64\svuhost.exe
      C:\Windows\system32\svuhost.exe 1452 "C:\Windows\SysWOW64\svuhost.exe"
      4⤵
      Drops file in Drivers directory
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 1460 "C:\Windows\SysWOW64\svuhost.exe"
        5⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3540
      - C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 1440 "C:\Windows\SysWOW64\svuhost.exe"
        6⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 1468 "C:\Windows\SysWOW64\svuhost.exe"
        7⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 1476 "C:\Windows\SysWOW64\svuhost.exe"
        8⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 1480 "C:\Windows\SysWOW64\svuhost.exe"
        9⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 1484 "C:\Windows\SysWOW64\svuhost.exe"
        10⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:466F9D5D

Filesize
107B

MD5
dbd765d19b4cbf0041ce39a00096d4f9

SHA1
205c3dcc76e1f68cd93c14fcc045f7d7b862da37

SHA256
c9c77f029b443d790a6705ff9bf9322d369ab032354b4355516519445a7cdb0a

SHA512
2b980cc434a187b025582c1b88e2dbbf45c332a087db4cde642227defa692c5e90d906037ba5db991d6b02bcb0221feba96a6f6ed3e86aab18c25bf5e00ebef3

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
107B

MD5
07359fd12530ab40369865567500f861

SHA1
373c960ae22a77bbf39021ac5a4090d5ac1f0448

SHA256
2cacde8e236090c3737327f4093bed71663bd81af32c4de937869dbcbfb3f799

SHA512
787e728b705e8df1f8b1ae34b63411bc25f6401f173087ddc6bd5405c5efdaa8f867d3180fc0ac116f4c7b442e6d81bc56d6b3b1cf6ad413ee09687e3ba61542

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
107B

MD5
2c2fad0c915a9c4860cce9e42add4bd4

SHA1
dd617bdae52e3aa90f48d7dd3b272fc4c37ae445

SHA256
382ce6712fddf53f5a495375bcf7a56ce74418e8400db59bdc0edfdb9740a364

SHA512
48bb93507aaaaeb5cfb1e1d0eefc00603ea97c6690fddab90471bd4a489cc16349b039b7c999dcf92f08b70382b02ad9e9182a0d26e73c54625ab3d356be608c

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
107B

MD5
04f97a4e802db6f360503ab73814eb7f

SHA1
1eb568498f7991c0be9bc6a7681e595b3ad78d8c

SHA256
8e915b4e8cdcde5160e186b8496cb6f8d459bad54f08676b9794e8c860884388

SHA512
9d4c865c334c44eabb00756971b39f5e018142efb03b8b95e17712288e27ac5de0e8678f07a524b4a79f5612d4dd371e4b8082bab38cb8c9130159583ed36862

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
107B

MD5
21c9f2d44fc3cbbe233ea2031f63ace4

SHA1
ac53d2b341b1150b52c7d6f8a3b13b4a0bc14695

SHA256
5de08d7f74e68c18b80ba354be7810b7c64bc93629f87aba40688c4368278d3c

SHA512
0ccdbac4caba269d32f2439e56ee20e2b51efd70aee5e92130f13e3d3e78a2a329367e4903a990a12b7fa20e9dd2a0d2b4ead276a8c3caadd1c18b37f363a9bd

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
107B

MD5
c06b1afe0d29b5723ba81739d2a8f3de

SHA1
4d15f38579d6377fc1151b6704f38ecfe7932876

SHA256
ffad690194e35d1e2ee3c49eff92d25ec4edd4a5a7f05167637f99c11e4943ac

SHA512
5d26c4d9314ac65af93b67f974528bc92f39d6821dce573fa7ffd919e1a5586e6a666c04c80d871db261c68fc4c9ca25c1d8f7e8020606c2f9533879b0b76e9c

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
107B

MD5
24bfdbdf9c439b875f93f1aea83ee858

SHA1
a793ce05f72532902684b3654a63c37bcd681fec

SHA256
71f3f45e618f64717e9e0066e39e005d1e6f3c0deff05088b4910e7bd9be8ed6

SHA512
f5070e40648839e352e02842582f13fda1120809c2983c419a0216f9414ddf5ad07875bcf85e706ad17cc1df618b9ffd7744f94591016945a0364949573f31c8

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
107B

MD5
1667ba51809796cf63be54aa5079ab91

SHA1
aec0fa08e98296a5d567e649d4df0a74627a5099

SHA256
e193ae9b36a3d69717eceeda6f47857c6dcdc34d1aaad1a687ba4438fcf00bc5

SHA512
fcde6133d381b539325ae17a68ecb9da40c9d75ceba746f504fbccdedf1f79ca820ee95076e772799824236e37bc03baa4733e2a5b46a6518edc5d63e8133023

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
107B

MD5
cf538cd5260468a86c8ba16d33d78ed4

SHA1
611a5b512ce625e8c7d2291a063fd55742c2c3d5

SHA256
f76a8eab82a0e246c41956eb315e604a74a3eef3b3d6f355f195fea6b9b34e61

SHA512
2c8e2864873a7313d711059bf39a71bb2f962e8f3df3911de55511380a42f8ec56ed228a0f50610a3a305ab881f4bcfcfffb69bc53132baa2cd015fe932ac00e

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
107B

MD5
e44dce771acbf55b4945f7c5c99ae67f

SHA1
c4ee1fc7f4fbe49380bd40681957197e732b00a7

SHA256
0bfe397d9eb1996e9ea4f91a631fa452a42493ac7277d4720f6c05a15329356d

SHA512
19c7ce8b9b9b8b36dab14dd2cfdfe6cd021090e89e43ebae84a1fcfc750c141b86a3e65e2189d6b5e86ee57acd7cc5d7ce2179af001dd481b44d2017c0a65a6e

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
107B

MD5
a09d3f44cae21f922db9dab6293aee27

SHA1
c02977ed774e7f7c61e4654aeaa9e8034bf6ed1f

SHA256
f5c16b242de73c0f6c14eae6177db5d121c250fd37d76c1a600c63eecd9ef746

SHA512
cfce491a29628628f0eb583bd52afe6cf428322880a4bdcc50511994b7435d44654ba959a5b58e7fc06d6e4cfd3887377b183d228fddeb8cc2c052ce0e6e1f18

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
107B

MD5
4c8d2e994bcf1e0944c06c1c2d114b8c

SHA1
357b9b946e7c4290b2387100527d34968b55fb15

SHA256
c7b90c535d7ff93d3783e65504e5e7fe94ff0affe0820ff33387f56b855bddbb

SHA512
811e1b355606423ceae09cbbf7afde827a59b9670dc00a333c155a0f26a51d54019164e7cfec8b387762be4bb0773e9ef5ad6c9249116bc0704160bae023c664

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
107B

MD5
9aa4708c30ee08be05591e64a0b3dbc7

SHA1
b59f0226a5ea243ac1ee50ad8a4e50757562efc8

SHA256
5d6ed633170036b685f5bac0f8a495c5965d43bf40e3815a64db6e7e341da4cd

SHA512
cd523db078243b39fd9dfb68202ec3009d2912f68d749a0bbaba4feee2a28f26352d1b4716b6f73c771756721dd0654fc57969cb4ac826dda400ca2cf0d73b1f

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
107B

MD5
b87d4c5efe6fbe6236d3063c4e55eb6e

SHA1
530aef5ba04e47aad3f008b49db179ceb85503ce

SHA256
459cde4a9382ccd43492a0402dfedaec20625851e3a815dfd1d08cfb4e843248

SHA512
cc74f01c3dffdefbfdb4d5f8db4836cfeebccae5b69ffa30980aa6142debd50e21dd2dc5a1abbdfcc35786239fae5b1d40da9264a70b36dbf5cdabd5a6486c8f

Download Submit
C:\Windows\SysWOW64\drivers\NPF.sys

Filesize
41KB

MD5
243126da7ba441d7c7c3262dcf435a9c

SHA1
42616f7034c0f12e3e4a2166ebe082eb3f08223a

SHA256
80d36efd5b3abb82c421149d423e5019c21f203f085ae2655429a44bb5a9f5c0

SHA512
f5539774d89e8f025da97e7b49d143b7224fcf899db967a34445de70f9228ea5e2d5daffe6444492ce82a3dfb2734786e09140277c208ec1e64580ad74883e68

Download Submit
C:\Windows\SysWOW64\packet.dll

Filesize
86KB

MD5
3eb0beb8e318646104362537570fc6bc

SHA1
3cb48ea9073fcca5835adad307e14ebf0cfe7279

SHA256
ab3f8c80b85aae70f89c8e7919d7dd147c2bc3ec68769e0bdb05fcc4083e3643

SHA512
db5fd16749641de6282d36af7b1921f908850ece3429ffe5ad33d990431bf4990f0314d28af082394af1f4d66516d9d89806a38e2801c34b4dd1ccb69bfafe47

Download Submit
C:\Windows\SysWOW64\svuhost.exe

Filesize
924KB

MD5
bde0b6cb734c367a026bc5364404a5a3

SHA1
c7ce33ecffe0708d1cada917bf575b92a14589a0

SHA256
234b8e1aa9c69ab722776ac9ef3dcbe451e5d8f0e7bfdee37470957d5e1dbf2b

SHA512
41167ca4016e6bd6eb9f26bbffc432ae0de1b9f34f7c4accd13056fc32c3279e194e5a3d80cc45ff9027797df4ce3228b1e60456bc086632fd16fca789f94626

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
234KB

MD5
cb0afba4f0fb6ca2b2ea0d2c3e86b588

SHA1
2459367892e012314b451e05de1f1162448a05fa

SHA256
1b0fe60175c88f7cd3f3765b2f0f3eb1530b2e5e5b51f89a83e0322de32bdcf7

SHA512
a4e2d66af68dee67be5883c4770c1339b6be4847a993619389404af6a7ec9763361d9a14c632ca6704f63d84b05483f4bea2ec035b466fdaf03ce68c5cbca128

Download Submit
memory/732-92-0x0000000002190000-0x0000000002225000-memory.dmp

Filesize
596KB

Download
memory/732-87-0x0000000002190000-0x0000000002225000-memory.dmp

Filesize
596KB

Download
memory/732-83-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/732-80-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/732-84-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/732-106-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/732-103-0x0000000002190000-0x0000000002225000-memory.dmp

Filesize
596KB

Download
memory/732-94-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/732-93-0x0000000002190000-0x0000000002225000-memory.dmp

Filesize
596KB

Download
memory/732-81-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/732-86-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/732-67-0x0000000002190000-0x0000000002225000-memory.dmp

Filesize
596KB

Download
memory/732-72-0x0000000002190000-0x0000000002225000-memory.dmp

Filesize
596KB

Download
memory/732-85-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/920-235-0x0000000002110000-0x00000000021A5000-memory.dmp

Filesize
596KB

Download
memory/920-281-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/920-282-0x0000000002110000-0x00000000021A5000-memory.dmp

Filesize
596KB

Download
memory/1516-113-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1516-97-0x0000000002170000-0x0000000002205000-memory.dmp

Filesize
596KB

Download
memory/1516-145-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1516-114-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1516-111-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1516-110-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1516-147-0x0000000002170000-0x0000000002205000-memory.dmp

Filesize
596KB

Download
memory/1516-102-0x0000000002170000-0x0000000002205000-memory.dmp

Filesize
596KB

Download
memory/1584-55-0x00000000021C0000-0x0000000002255000-memory.dmp

Filesize
596KB

Download
memory/1584-64-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1584-62-0x00000000033E0000-0x00000000033F5000-memory.dmp

Filesize
84KB

Download
memory/1584-52-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1584-54-0x00000000021C0000-0x0000000002255000-memory.dmp

Filesize
596KB

Download
memory/1584-44-0x00000000021C0000-0x0000000002255000-memory.dmp

Filesize
596KB

Download
memory/1584-48-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1584-56-0x00000000021C0000-0x0000000002255000-memory.dmp

Filesize
596KB

Download
memory/1584-50-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1584-47-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1584-53-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1584-51-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1584-74-0x00000000021C0000-0x0000000002255000-memory.dmp

Filesize
596KB

Download
memory/1584-37-0x00000000021C0000-0x0000000002255000-memory.dmp

Filesize
596KB

Download
memory/1584-78-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2448-303-0x0000000002120000-0x00000000021B5000-memory.dmp

Filesize
596KB

Download
memory/3344-43-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3344-9-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3344-15-0x00000000021D0000-0x0000000002265000-memory.dmp

Filesize
596KB

Download
memory/3344-14-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3344-8-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3344-7-0x00000000021D0000-0x0000000002265000-memory.dmp

Filesize
596KB

Download
memory/3344-2-0x00000000021D0000-0x0000000002265000-memory.dmp

Filesize
596KB

Download
memory/3344-13-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3344-12-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3344-42-0x00000000021D0000-0x0000000002265000-memory.dmp

Filesize
596KB

Download
memory/3344-24-0x00000000032A0000-0x00000000032B5000-memory.dmp

Filesize
84KB

Download
memory/3344-0-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3344-11-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3540-132-0x00000000020D0000-0x0000000002165000-memory.dmp

Filesize
596KB

Download
memory/3540-183-0x00000000020D0000-0x0000000002165000-memory.dmp

Filesize
596KB

Download
memory/3540-181-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3892-167-0x0000000002240000-0x00000000022D5000-memory.dmp

Filesize
596KB

Download
memory/3892-216-0x0000000002240000-0x00000000022D5000-memory.dmp

Filesize
596KB

Download
memory/3892-214-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4472-247-0x00000000020C0000-0x0000000002155000-memory.dmp

Filesize
596KB

Download
memory/4472-246-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4472-202-0x00000000020C0000-0x0000000002155000-memory.dmp

Filesize
596KB

Download
memory/4480-269-0x0000000002170000-0x0000000002205000-memory.dmp

Filesize
596KB

Download
memory/4480-312-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4480-314-0x0000000002170000-0x0000000002205000-memory.dmp

Filesize
596KB

Download