28384587434989df15f8c74201ee3d29e10374c5c9646a070d2948d4ca94052f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2024 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9efdd0ee4aa9e56e8adcd9d6ad40837.exe
Size

309KB
MD5

c9efdd0ee4aa9e56e8adcd9d6ad40837
SHA1

e96de10714e9e69339d2629661923c4842c59e24
SHA256

28384587434989df15f8c74201ee3d29e10374c5c9646a070d2948d4ca94052f
SHA512

6233c1eb60c000ab0497da92e6513f47ffb58c211c37944bdb9e7014b3f8712b9b5666827cc595c718309c250a0765a625d7ebde9ea93dcddc01eb3106ef8342
SSDEEP

6144:o8ldhm4x6FxHwjstWzUtJnbfvWSKpQ+jOvYBTObn3w01oov0KAb:lldcGEHwYiaJzWMAOvyq51olKAb

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 46 IoCs

pid	Process
2008	.exe
976	.exe
4392	.exe
2164	.exe
732	.exe
4404	.exe
3812	.exe
2068	.exe
3600	.exe
4840	.exe
1620	.exe
1436	.exe
3000	.exe
3868	.exe
4764	.exe
5032	.exe
1620	.exe
5040	.exe
552	.exe
2232	.exe
2528	.exe
2788	.exe
4620	.exe
748	.exe
4716	.exe
4800	.exe
3220	.exe
5112	.exe
2216	.exe
3076	.exe
1144	.exe
4188	.exe
4512	.exe
2120	.exe
2368	.exe
2236	.exe
2288	.exe
2712	.exe
1372	.exe
1508	.exe
1628	.exe
1292	.exe
3084	.exe
1168	.exe
3232	.exe
316	.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1720-0-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/3892-7-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/3892-9-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/3892-8-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/3892-11-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/3892-13-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/1720-12-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/3892-14-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/3892-15-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/3892-23-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/files/0x00090000000231d4-27.dat	upx
behavioral2/memory/2008-28-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/3892-41-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/2008-43-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/976-47-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/3892-44-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/976-45-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/4392-70-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/976-69-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/2164-73-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/2164-72-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/732-84-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/732-97-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/2164-96-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/4404-99-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/4404-100-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/3812-109-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/4404-123-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/3812-125-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/2068-126-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/2068-127-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/2068-149-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/3600-151-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/4840-152-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/4840-174-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/1620-175-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/1436-178-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/1436-179-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/3000-204-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/3868-202-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/1436-205-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/4764-214-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/3868-233-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/5032-232-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/5032-234-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/4764-231-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/5032-258-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/1620-261-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/5040-260-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/552-285-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/2232-286-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/5040-288-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/files/0x00090000000231d4-307.dat	upx
behavioral2/memory/2528-313-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/2232-315-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/2788-314-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/748-342-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/748-340-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/4620-339-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/2788-343-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/files/0x00090000000231d4-353.dat	upx

Drops file in System32 directory 47 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe
File created	C:\Windows\SysWOW64\TMP32$26---	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe

Suspicious use of SetThreadContext 23 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 3892	1720	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	89
PID 2008 set thread context of 976	2008	.exe	105
PID 4392 set thread context of 2164	4392	.exe	108
PID 732 set thread context of 4404	732	.exe	110
PID 3812 set thread context of 2068	3812	.exe	113
PID 3600 set thread context of 4840	3600	.exe	116
PID 1620 set thread context of 1436	1620	.exe	118
PID 3000 set thread context of 3868	3000	.exe	120
PID 4764 set thread context of 5032	4764	.exe	122
PID 1620 set thread context of 5040	1620	.exe	124
PID 552 set thread context of 2232	552	.exe	127
PID 2528 set thread context of 2788	2528	.exe	129
PID 4620 set thread context of 748	4620	.exe	131
PID 3220 set thread context of 5112	3220	.exe	135
PID 2216 set thread context of 3076	2216	.exe	140
PID 1144 set thread context of 4188	1144	.exe	142
PID 4512 set thread context of 2120	4512	.exe	144
PID 2368 set thread context of 2236	2368	.exe	146
PID 2288 set thread context of 2712	2288	.exe	148
PID 1372 set thread context of 1508	1372	.exe	150
PID 1628 set thread context of 1292	1628	.exe	152
PID 3084 set thread context of 1168	3084	.exe	157
PID 3232 set thread context of 316	3232	.exe	159

Checks processor information in registry 2 TTPs 48 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3892	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
1720	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe
2008	.exe
4392	.exe
732	.exe
3812	.exe
3600	.exe
1620	.exe
3000	.exe
4764	.exe
1620	.exe
552	.exe
2528	.exe
4620	.exe
3220	.exe
2216	.exe
1144	.exe
4512	.exe
2368	.exe
2288	.exe
1372	.exe
1628	.exe
3084	.exe
3232	.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 3892	1720	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	89
PID 1720 wrote to memory of 3892	1720	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	89
PID 1720 wrote to memory of 3892	1720	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	89
PID 1720 wrote to memory of 3892	1720	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	89
PID 1720 wrote to memory of 3892	1720	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	89
PID 1720 wrote to memory of 3892	1720	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	89
PID 1720 wrote to memory of 3892	1720	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	89
PID 1720 wrote to memory of 3892	1720	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	89
PID 3892 wrote to memory of 2008	3892	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	104
PID 3892 wrote to memory of 2008	3892	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	104
PID 3892 wrote to memory of 2008	3892	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	104
PID 2008 wrote to memory of 976	2008	.exe	105
PID 2008 wrote to memory of 976	2008	.exe	105
PID 2008 wrote to memory of 976	2008	.exe	105
PID 2008 wrote to memory of 976	2008	.exe	105
PID 2008 wrote to memory of 976	2008	.exe	105
PID 2008 wrote to memory of 976	2008	.exe	105
PID 2008 wrote to memory of 976	2008	.exe	105
PID 2008 wrote to memory of 976	2008	.exe	105
PID 976 wrote to memory of 4392	976	.exe	107
PID 976 wrote to memory of 4392	976	.exe	107
PID 976 wrote to memory of 4392	976	.exe	107
PID 4392 wrote to memory of 2164	4392	.exe	108
PID 4392 wrote to memory of 2164	4392	.exe	108
PID 4392 wrote to memory of 2164	4392	.exe	108
PID 4392 wrote to memory of 2164	4392	.exe	108
PID 4392 wrote to memory of 2164	4392	.exe	108
PID 4392 wrote to memory of 2164	4392	.exe	108
PID 4392 wrote to memory of 2164	4392	.exe	108
PID 4392 wrote to memory of 2164	4392	.exe	108
PID 2164 wrote to memory of 732	2164	.exe	109
PID 2164 wrote to memory of 732	2164	.exe	109
PID 2164 wrote to memory of 732	2164	.exe	109
PID 732 wrote to memory of 4404	732	.exe	110
PID 732 wrote to memory of 4404	732	.exe	110
PID 732 wrote to memory of 4404	732	.exe	110
PID 732 wrote to memory of 4404	732	.exe	110
PID 732 wrote to memory of 4404	732	.exe	110
PID 732 wrote to memory of 4404	732	.exe	110
PID 732 wrote to memory of 4404	732	.exe	110
PID 732 wrote to memory of 4404	732	.exe	110
PID 4404 wrote to memory of 3812	4404	.exe	112
PID 4404 wrote to memory of 3812	4404	.exe	112
PID 4404 wrote to memory of 3812	4404	.exe	112
PID 3812 wrote to memory of 2068	3812	.exe	113
PID 3812 wrote to memory of 2068	3812	.exe	113
PID 3812 wrote to memory of 2068	3812	.exe	113
PID 3812 wrote to memory of 2068	3812	.exe	113
PID 3812 wrote to memory of 2068	3812	.exe	113
PID 3812 wrote to memory of 2068	3812	.exe	113
PID 3812 wrote to memory of 2068	3812	.exe	113
PID 3812 wrote to memory of 2068	3812	.exe	113
PID 2068 wrote to memory of 3600	2068	.exe	115
PID 2068 wrote to memory of 3600	2068	.exe	115
PID 2068 wrote to memory of 3600	2068	.exe	115
PID 3600 wrote to memory of 4840	3600	.exe	116
PID 3600 wrote to memory of 4840	3600	.exe	116
PID 3600 wrote to memory of 4840	3600	.exe	116
PID 3600 wrote to memory of 4840	3600	.exe	116
PID 3600 wrote to memory of 4840	3600	.exe	116
PID 3600 wrote to memory of 4840	3600	.exe	116
PID 3600 wrote to memory of 4840	3600	.exe	116
PID 3600 wrote to memory of 4840	3600	.exe	116
PID 4840 wrote to memory of 1620	4840	.exe	117

C:\Users\Admin\AppData\Local\Temp\c9efdd0ee4aa9e56e8adcd9d6ad40837.exe
"C:\Users\Admin\AppData\Local\Temp\c9efdd0ee4aa9e56e8adcd9d6ad40837.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\c9efdd0ee4aa9e56e8adcd9d6ad40837.exe
  C:\Users\Admin\AppData\Local\Temp\c9efdd0ee4aa9e56e8adcd9d6ad40837.exe
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Users\Admin\AppData\Local\Temp\.exe
    .exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\.exe
      C:\Users\Admin\AppData\Local\Temp\.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:976
    - - C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4392
      - C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        27⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        
        C:\Users\Admin\AppData\Local\Temp\.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Checks processor information in registry
        
        PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-Crypted2.exe

Filesize
300KB

MD5
b043bf9f22a26621263cc2576a8e074c

SHA1
d499c50f39daa0a423eb44680d5c71ee4ba6d1d0

SHA256
231b9f22701b045b8badfe9e450063a112609bf4b2f91dd12b2bdd5f50e34693

SHA512
6006f91316a0d1f6008bbd64d6ec0504e6af663905f21a296e9381587be85ed844202e796d4f4183fc806b38461141ada3c3b5b23f02230a67cfe4806496198a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.exe

Filesize
309KB

MD5
c9efdd0ee4aa9e56e8adcd9d6ad40837

SHA1
e96de10714e9e69339d2629661923c4842c59e24

SHA256
28384587434989df15f8c74201ee3d29e10374c5c9646a070d2948d4ca94052f

SHA512
6233c1eb60c000ab0497da92e6513f47ffb58c211c37944bdb9e7014b3f8712b9b5666827cc595c718309c250a0765a625d7ebde9ea93dcddc01eb3106ef8342

Download Submit
C:\Users\Admin\AppData\Local\Temp\.exe

Filesize
243KB

MD5
d3c3e94d5ba3aad09e07ccf412b29bb2

SHA1
1f72a973d919907eaca9357b040a6ca7dddee3ab

SHA256
e949bfa07abc656c44adad785fabf49f77515b7a87a40904b47869a0ca68c9e5

SHA512
5f4425428b44fe75c5492c92a9da29f5af0e58da230b82b808d7ea6aa6c55e34d8b2770a5ae1072286570c670cc9eb6e1b3389b518243a424ca6369b94830655

Download Submit
C:\Users\Admin\AppData\Local\Temp\.exe

Filesize
27KB

MD5
276405880b40fcd082b8897d5f327438

SHA1
b7fee38c4c35105596e037ec88974cb54e9cbfb5

SHA256
bb3fea3e45b056875c048e774fe1c7f39b73659c2344f0b2b9873e845bddac9e

SHA512
898da39136f951d21400e0207b9c1d78a3b865a9b0074181a9c1614f7c4b0f41a03588b0513ed10c1f4b1b5e6f47cd66e7e01ef09025ffd64ad866ba7b688b7c

Download Submit
C:\Windows\SysWOW64\TMP32$26---

Filesize
58.9MB

MD5
e52fa8f3e57aeaf601e0f81af36cb6ec

SHA1
e4f32f261e401740055ab540cb52a9dfe8d6102e

SHA256
339b3b05609bb166fc38c2eeca3d4862b47afb77fc845b997af9d26a5df582b4

SHA512
ebcf3f6383bf108478e9a23863f4491a62db47c8847577e2c49221d77bcc1fe0b9bca1aa1c16b52c0825e7aa97e68a715fb680f0d777707b5e29159f868aa0a4

Download Submit
memory/552-285-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/732-97-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/732-84-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/748-344-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/748-342-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/748-340-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/976-45-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/976-48-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/976-69-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/976-54-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/976-47-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1436-185-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/1436-179-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1436-205-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1436-178-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1436-177-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1620-261-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1620-175-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1720-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1720-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2008-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2008-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2068-126-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2068-149-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2068-134-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2068-128-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/2068-127-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2164-74-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/2164-96-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2164-72-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2164-73-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2164-80-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2232-295-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2232-315-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2232-289-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2232-286-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2528-313-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2788-316-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2788-314-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2788-343-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2788-322-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/3000-204-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3600-151-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3812-109-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3812-125-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3868-233-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3868-212-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/3868-206-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/3868-202-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3892-22-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/3892-7-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3892-9-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3892-8-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3892-11-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3892-13-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3892-14-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3892-15-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3892-16-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/3892-23-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3892-41-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3892-44-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4392-70-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4404-100-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4404-107-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/4404-123-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4404-99-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4404-101-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/4620-339-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4764-231-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4764-214-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4840-174-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4840-159-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/4840-153-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/4840-152-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5032-241-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/5032-258-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5032-235-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/5032-234-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5032-232-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5040-262-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/5040-288-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5040-268-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/5040-260-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download