hawkeye | b4c515ace87a3f6c263475f9e9fa57851d872f7ae91a0f32c4c901132ddf549c

Analysis

max time kernel
150s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
19-04-2024 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
Size

998KB
MD5

88d19703623192e4ddf73cec4aa24a89
SHA1

c23025a02259e6da9a7db46ce7a12274a3cd4b18
SHA256

dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7
SHA512

83e366948e5a8e80fc31e98771029add13293387fa876a2ba8a420032db9b23c043e2ee228eaafce8c7224d1d3b5081a1c9de26b003b7877657d44741abc03e6
SSDEEP

24576:M1eKhP8/X0LknDY1zhdpACe+0RJ7Vz5xDIaTyEYKlZUOXJ:MXhP9LkD4T0htmJWt

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral3/memory/964-34-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral3/memory/964-37-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral3/memory/964-36-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral3/memory/3544-70-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral3/memory/4972-43-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral3/memory/4972-45-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral3/memory/4972-46-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral3/memory/4972-52-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral3/memory/3544-70-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView

Nirsoft 15 IoCs

Processes:

resource	yara_rule
behavioral3/memory/964-34-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral3/memory/964-37-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral3/memory/964-36-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral3/memory/4972-43-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral3/memory/4972-45-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral3/memory/4972-46-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral3/memory/4972-52-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral3/memory/1420-59-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral3/memory/1420-61-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral3/memory/1420-62-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral3/memory/1420-65-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral3/memory/3544-70-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral3/memory/2944-90-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft
behavioral3/memory/2944-92-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft
behavioral3/memory/2944-97-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft

Executes dropped EXE 8 IoCs

Processes:

LookupSvi.exesecdrv.exesecdrv.exeLookupSvi.exeLookupSvi.exesecdrv.exesecdrv.exeLookupSvi.exe

pid process

2600 LookupSvi.exe
1652 secdrv.exe
3544 secdrv.exe
5068 LookupSvi.exe
4756 LookupSvi.exe
1616 secdrv.exe
4288 secdrv.exe
2348 LookupSvi.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2600	LookupSvi.exe
1652	secdrv.exe
3544	secdrv.exe
5068	LookupSvi.exe
4756	LookupSvi.exe
1616	secdrv.exe
4288	secdrv.exe
2348	LookupSvi.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

LookupSvi.exeLookupSvi.exeLookupSvi.exeLookupSvi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ Macrovision Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe"	LookupSvi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ Macrovision Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe"	LookupSvi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ Macrovision Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe"	LookupSvi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ Macrovision Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe"	LookupSvi.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 whatismyipaddress.com
4 whatismyipaddress.com

flow	ioc
1	whatismyipaddress.com
4	whatismyipaddress.com

Suspicious use of SetThreadContext 8 IoCs

Processes:

dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exedcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exesecdrv.exetakshost.exesecdrv.exe

description	pid	process	target process
PID 1476 set thread context of 756	1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
PID 756 set thread context of 964	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 set thread context of 4972	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 set thread context of 1420	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 1652 set thread context of 3544	1652	secdrv.exe	secdrv.exe
PID 756 set thread context of 2944	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 1032 set thread context of 1448	1032	takshost.exe	takshost.exe
PID 1616 set thread context of 4288	1616	secdrv.exe	secdrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exedcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe

pid	process
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe

pid process

1476 dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exedcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exeLookupSvi.exesecdrv.exeLookupSvi.exetakshost.exeLookupSvi.exesecdrv.exeLookupSvi.exe

description	pid	process
Token: SeDebugPrivilege	1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
Token: SeDebugPrivilege	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
Token: SeDebugPrivilege	2600	LookupSvi.exe
Token: SeDebugPrivilege	1652	secdrv.exe
Token: SeDebugPrivilege	5068	LookupSvi.exe
Token: SeDebugPrivilege	1032	takshost.exe
Token: SeDebugPrivilege	4756	LookupSvi.exe
Token: SeDebugPrivilege	1616	secdrv.exe
Token: SeDebugPrivilege	2348	LookupSvi.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe

pid process

756 dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe

pid	process
756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exeLookupSvi.exedcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exesecdrv.exe

description	pid	process	target process
PID 1476 wrote to memory of 756	1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
PID 1476 wrote to memory of 756	1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
PID 1476 wrote to memory of 756	1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
PID 1476 wrote to memory of 756	1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
PID 1476 wrote to memory of 756	1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
PID 1476 wrote to memory of 756	1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
PID 1476 wrote to memory of 756	1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
PID 1476 wrote to memory of 756	1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
PID 1476 wrote to memory of 2600	1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	LookupSvi.exe
PID 1476 wrote to memory of 2600	1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	LookupSvi.exe
PID 1476 wrote to memory of 2600	1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	LookupSvi.exe
PID 2600 wrote to memory of 1652	2600	LookupSvi.exe	secdrv.exe
PID 2600 wrote to memory of 1652	2600	LookupSvi.exe	secdrv.exe
PID 2600 wrote to memory of 1652	2600	LookupSvi.exe	secdrv.exe
PID 756 wrote to memory of 964	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 964	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 964	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 964	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 964	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 964	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 964	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 964	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 964	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 4972	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 4972	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 4972	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 4972	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 4972	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 4972	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 4972	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 4972	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 4972	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 1476 wrote to memory of 1032	1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	takshost.exe
PID 1476 wrote to memory of 1032	1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	takshost.exe
PID 1476 wrote to memory of 1032	1476	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	takshost.exe
PID 756 wrote to memory of 1420	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 1420	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 1420	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 1420	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 1420	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 1420	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 1420	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 1420	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 1420	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 1652 wrote to memory of 3544	1652	secdrv.exe	secdrv.exe
PID 1652 wrote to memory of 3544	1652	secdrv.exe	secdrv.exe
PID 1652 wrote to memory of 3544	1652	secdrv.exe	secdrv.exe
PID 1652 wrote to memory of 3544	1652	secdrv.exe	secdrv.exe
PID 1652 wrote to memory of 3544	1652	secdrv.exe	secdrv.exe
PID 1652 wrote to memory of 3544	1652	secdrv.exe	secdrv.exe
PID 1652 wrote to memory of 3544	1652	secdrv.exe	secdrv.exe
PID 1652 wrote to memory of 3544	1652	secdrv.exe	secdrv.exe
PID 1652 wrote to memory of 5068	1652	secdrv.exe	LookupSvi.exe
PID 1652 wrote to memory of 5068	1652	secdrv.exe	LookupSvi.exe
PID 1652 wrote to memory of 5068	1652	secdrv.exe	LookupSvi.exe
PID 756 wrote to memory of 2944	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 2944	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 2944	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 2944	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 2944	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 2944	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 2944	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 2944	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe
PID 756 wrote to memory of 2944	756	dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
"C:\Users\Admin\AppData\Local\Temp\dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Local\Temp\dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
"C:\Users\Admin\AppData\Local\Temp\dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
PID:964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:4972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt"
3⤵
PID:1420

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt"
3⤵
PID:2944

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
4⤵
- Executes dropped EXE
PID:3544

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
3⤵
PID:1448

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
5⤵
- Executes dropped EXE
PID:4288

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2348

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\LookupSvi.exe.log
Filesize
128B

MD5
92bbf9af7d2dce28ff72dad3bbffa852

SHA1
b25288849fb939b02ce73a01a0252c4a2fd6c724

SHA256
6a304948382083a059262e7792a1773ebd35e9e8d77d2cbfebc0e661a8956fa3

SHA512
62f0ee8d580a1b73f4953fa998f6d0c892547bd8c93bb1644d907af7fd2471ce4b599bf6eb6118152a18f42182cb87a3dbf1f24276d171864fee8b9eb4877f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\secdrv.exe.log
Filesize
774B

MD5
fd61b64fd2d3ee1cff51b55ab65bdd7d

SHA1
9c0cc4248004e7da57ac99f12daa6f461d41d6c1

SHA256
8d7b77655763d9dd3be5b08e74fcaf2a8266ca400ead7d84c90ef145e76bd9aa

SHA512
e7e472ed8cc5488d4aa4114f26cef3d6360719b096b420022647ee9b0ff836d0deefe0ab2c44950dca4cd553469e28a2cb7b5907b5253b6b993b0317600a566a

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt
Filesize
725B

MD5
1dc27dfdd9bb31edae68bfaa7fe2a755

SHA1
cc6d6eaee5d71d2ede042a131ccbd19c4724330f

SHA256
78f06cc329abc11c31de49842956005f100a850c3c0bf8357a45fd9cccdff843

SHA512
1d1227d93456287e29cdef5f6768f95cb7651383071c1ca53c7c914edb2db64d64cecd7e84011c9927ce5093bf30a944d1b51dc88abfff477bc9646568ab4fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
7KB

MD5
c283efa34a736e2e98e64da9b1f927ae

SHA1
53c991156979b3a7ecdcdb799fb33440cb73ed55

SHA256
2a11fd8fdb1108cdac9c38d9b3fee701ece885e9de4766ab26779c4a994aabfa

SHA512
9b7c433a2f0362d82af4d31000b108962ca2d6090f5d3aaaae4dd4be41c9cde3c27cf2869193755da8bd0880732f815b9875cbbb2d44f30b64d55659a38c90ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
Filesize
998KB

MD5
88d19703623192e4ddf73cec4aa24a89

SHA1
c23025a02259e6da9a7db46ce7a12274a3cd4b18

SHA256
dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7

SHA512
83e366948e5a8e80fc31e98771029add13293387fa876a2ba8a420032db9b23c043e2ee228eaafce8c7224d1d3b5081a1c9de26b003b7877657d44741abc03e6

Download Submit
memory/756-38-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/756-39-0x0000000001010000-0x0000000001020000-memory.dmp

Filesize
64KB

Download
memory/756-42-0x0000000001010000-0x0000000001020000-memory.dmp

Filesize
64KB

Download
memory/756-10-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/756-11-0x0000000001010000-0x0000000001020000-memory.dmp

Filesize
64KB

Download
memory/756-12-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/964-37-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/964-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/964-36-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1032-99-0x0000000001150000-0x0000000001160000-memory.dmp

Filesize
64KB

Download
memory/1032-56-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1032-57-0x0000000001150000-0x0000000001160000-memory.dmp

Filesize
64KB

Download
memory/1032-58-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1032-98-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1032-104-0x0000000001150000-0x0000000001160000-memory.dmp

Filesize
64KB

Download
memory/1032-130-0x0000000001150000-0x0000000001160000-memory.dmp

Filesize
64KB

Download
memory/1032-133-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1420-62-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1420-65-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1420-61-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1420-59-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1448-108-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1448-124-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1448-109-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1476-0-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1476-6-0x0000000000F00000-0x0000000000F10000-memory.dmp

Filesize
64KB

Download
memory/1476-2-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1476-55-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1476-3-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1476-30-0x0000000000F00000-0x0000000000F10000-memory.dmp

Filesize
64KB

Download
memory/1476-4-0x0000000000F00000-0x0000000000F10000-memory.dmp

Filesize
64KB

Download
memory/1476-1-0x0000000000F00000-0x0000000000F10000-memory.dmp

Filesize
64KB

Download
memory/1476-5-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1616-135-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1616-128-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/1616-127-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1616-129-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1616-136-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/1652-53-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1652-102-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1652-100-0x00000000016A0000-0x00000000016B0000-memory.dmp

Filesize
64KB

Download
memory/1652-33-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1652-68-0x00000000016A0000-0x00000000016B0000-memory.dmp

Filesize
64KB

Download
memory/1652-32-0x00000000016A0000-0x00000000016B0000-memory.dmp

Filesize
64KB

Download
memory/1652-31-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/2348-153-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/2348-154-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/2600-25-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/2600-40-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/2600-24-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/2600-23-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/2600-67-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/2600-41-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/2944-92-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2944-97-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2944-90-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3544-80-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/3544-89-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/3544-70-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3544-72-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/4288-144-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/4288-141-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/4288-140-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/4756-121-0x0000000000F70000-0x0000000000F80000-memory.dmp

Filesize
64KB

Download
memory/4756-131-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/4756-134-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/4756-122-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/4756-120-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/4972-52-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4972-46-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4972-45-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4972-43-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5068-85-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/5068-86-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/5068-87-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/5068-103-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download