bf782827fee0c2350eef32b486f7750a530d0e253187f85dd6b52af0b30c8a85

Analysis

max time kernel
183s
max time network
178s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-05-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEXU$.exe
Size

27.7MB
MD5

9f7d0bfe3985c340f42f039fbf9c52af
SHA1

8769d102239db1f9befeaa67b25a7c12ea9ccf2b
SHA256

bf782827fee0c2350eef32b486f7750a530d0e253187f85dd6b52af0b30c8a85
SHA512

988f00c929d7d01b887dc511e586cc75a14180b8b65f34cc293bb998174b667cd488d4e4fc777c183f0c29c744cf649fa520f7265e13486226f3f074cdaf3f81
SSDEEP

786432:TBvc42en9y+aJtShY9Q6SZKb0SReIMrRRMVb:T+cUSG8Zw09YVb

Score

9^/10

agilenet evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

NEXU$.exewGPOWxgcqU.exewGPOWxgcqU.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	NEXU$.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	wGPOWxgcqU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	wGPOWxgcqU.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NEXU$.exewGPOWxgcqU.exewGPOWxgcqU.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NEXU$.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wGPOWxgcqU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wGPOWxgcqU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wGPOWxgcqU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wGPOWxgcqU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NEXU$.exe

Deletes itself 1 IoCs

Processes:

wGPOWxgcqU.exe

pid process

2816 wGPOWxgcqU.exe
Executes dropped EXE 2 IoCs

Processes:

wGPOWxgcqU.exewGPOWxgcqU.exe

pid process

2816 wGPOWxgcqU.exe
2312 wGPOWxgcqU.exe
Loads dropped DLL 3 IoCs

Processes:

NEXU$.exewGPOWxgcqU.exe

pid process

1712 NEXU$.exe
1712 NEXU$.exe
2816 wGPOWxgcqU.exe

pid	process
1712	NEXU$.exe
1712	NEXU$.exe
2816	wGPOWxgcqU.exe

Obfuscated with Agile.Net obfuscator 7 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1712-0-0x0000000000190000-0x0000000000DC0000-memory.dmp	agile_net
behavioral1/memory/1712-3-0x0000000000190000-0x0000000000D72000-memory.dmp	agile_net
behavioral1/memory/1712-101-0x0000000009330000-0x00000000095DE000-memory.dmp	agile_net
behavioral1/memory/1712-99-0x0000000000190000-0x0000000000DC0000-memory.dmp	agile_net
\Users\Admin\AppData\Local\Temp\wGPOWxgcqU.exe	agile_net
behavioral1/memory/2816-305-0x0000000000100000-0x0000000000CE2000-memory.dmp	agile_net
behavioral1/memory/1712-308-0x0000000000190000-0x0000000000D72000-memory.dmp	agile_net

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1712-7-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral1/memory/1712-15-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral1/memory/1712-17-0x0000000005FB0000-0x0000000006602000-memory.dmp	themida
behavioral1/memory/1712-18-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral1/memory/1712-20-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral1/memory/1712-22-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral1/memory/1712-23-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral1/memory/1712-21-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral1/memory/1712-19-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral1/memory/1712-120-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral1/memory/1712-302-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral1/memory/2816-317-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral1/memory/2816-318-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral1/memory/2816-319-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral1/memory/2816-321-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral1/memory/2816-320-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida
behavioral1/memory/2816-322-0x0000000010000000-0x0000000010C6A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

NEXU$.exewGPOWxgcqU.exewGPOWxgcqU.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NEXU$.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wGPOWxgcqU.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wGPOWxgcqU.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

11 sites.google.com
12 sites.google.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

NEXU$.exewGPOWxgcqU.exewGPOWxgcqU.exe

pid process

1712 NEXU$.exe
2816 wGPOWxgcqU.exe
2312 wGPOWxgcqU.exe
Drops file in Windows directory 1 IoCs

Processes:

wGPOWxgcqU.exe

description ioc process

File created C:\Windows\Fonts\DS-Digital.ttf wGPOWxgcqU.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
11	sites.google.com
12	sites.google.com

pid	process
1712	NEXU$.exe
2816	wGPOWxgcqU.exe
2312	wGPOWxgcqU.exe

description	ioc	process
File created	C:\Windows\Fonts\DS-Digital.ttf	wGPOWxgcqU.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

wGPOWxgcqU.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	wGPOWxgcqU.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	wGPOWxgcqU.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

wGPOWxgcqU.exewGPOWxgcqU.exetaskmgr.exe

pid	process
2816	wGPOWxgcqU.exe
2816	wGPOWxgcqU.exe
2816	wGPOWxgcqU.exe
2312	wGPOWxgcqU.exe
2312	wGPOWxgcqU.exe
2312	wGPOWxgcqU.exe
2816	wGPOWxgcqU.exe
2816	wGPOWxgcqU.exe
2816	wGPOWxgcqU.exe
2816	wGPOWxgcqU.exe
2816	wGPOWxgcqU.exe
2816	wGPOWxgcqU.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

NEXU$.exewGPOWxgcqU.exewGPOWxgcqU.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1712	NEXU$.exe
Token: SeDebugPrivilege	2816	wGPOWxgcqU.exe
Token: SeDebugPrivilege	2312	wGPOWxgcqU.exe
Token: SeDebugPrivilege	912	taskmgr.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

wGPOWxgcqU.exetaskmgr.exe

pid	process
2816	wGPOWxgcqU.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

wGPOWxgcqU.exetaskmgr.exe

pid	process
2816	wGPOWxgcqU.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

NEXU$.exewGPOWxgcqU.exe

description	pid	process	target process
PID 1712 wrote to memory of 2816	1712	NEXU$.exe	wGPOWxgcqU.exe
PID 1712 wrote to memory of 2816	1712	NEXU$.exe	wGPOWxgcqU.exe
PID 1712 wrote to memory of 2816	1712	NEXU$.exe	wGPOWxgcqU.exe
PID 1712 wrote to memory of 2816	1712	NEXU$.exe	wGPOWxgcqU.exe
PID 2816 wrote to memory of 2312	2816	wGPOWxgcqU.exe	wGPOWxgcqU.exe
PID 2816 wrote to memory of 2312	2816	wGPOWxgcqU.exe	wGPOWxgcqU.exe
PID 2816 wrote to memory of 2312	2816	wGPOWxgcqU.exe	wGPOWxgcqU.exe
PID 2816 wrote to memory of 2312	2816	wGPOWxgcqU.exe	wGPOWxgcqU.exe
PID 2816 wrote to memory of 2404	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2404	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2404	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2404	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2720	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2720	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2720	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2720	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2400	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2400	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2400	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2400	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2420	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2420	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2420	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2420	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2572	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2572	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2572	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2572	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2512	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2512	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2512	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2512	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2568	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2568	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2568	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2568	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2836	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2836	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2836	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2836	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2328	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2328	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2328	2816	wGPOWxgcqU.exe	netsh.exe
PID 2816 wrote to memory of 2328	2816	wGPOWxgcqU.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\NEXU$.exe
"C:\Users\Admin\AppData\Local\Temp\NEXU$.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\wGPOWxgcqU.exe
"C:\Users\Admin\AppData\Local\Temp\wGPOWxgcqU.exe" NEXU$.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Local\Temp\wGPOWxgcqU.exe
"C:\Users\Admin\AppData\Local\Temp\wGPOWxgcqU.exe" "NEXU$.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\SysWOW64\netsh.exe
"netsh" int tcp set heuristics disabled
3⤵
PID:2404

C:\Windows\SysWOW64\netsh.exe
"netsh" int tcp set global autotuninglevel=normal
3⤵
PID:2720

C:\Windows\SysWOW64\netsh.exe
"netsh" int tcp set global congestionprovider=ctcp
3⤵
PID:2400

C:\Windows\SysWOW64\netsh.exe
"netsh" int tcp set global ecncapability=default
3⤵
PID:2420

C:\Windows\SysWOW64\netsh.exe
"netsh" int tcp set global rss=enabled
3⤵
PID:2572

C:\Windows\SysWOW64\netsh.exe
"netsh" int tcp set global chimney=disabled
3⤵
PID:2512

C:\Windows\SysWOW64\netsh.exe
"netsh" int tcp set global dca=enabled
3⤵
PID:2568

C:\Windows\SysWOW64\netsh.exe
"netsh" int tcp set global timestamps=disabled
3⤵
PID:2836

C:\Windows\SysWOW64\netsh.exe
"netsh" int tcp set global rsc=enabled
3⤵
PID:2328

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7A1F.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.zip
Filesize
1.9MB

MD5
1ca4cecfca2c17a27a3a4a7e337ac1b3

SHA1
b8a5317fa59b127d4606715d204cd39d7f285241

SHA256
fbf60c26906f82b9b19cc39efa6262c63e0af3ca4321a46eea4ec0a19e6ea443

SHA512
b0f2ca8b4ab5b799dc8e5807c101037189cdcf8d0717a8cc2a2cc99a906b4cba191b4eb6a4eff3550f15d44bcdfb9711ebe0ee0a50fcf81be868f7b10cca964e

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb2022.tmp
Filesize
1KB

MD5
169d89f5e98c1ec24910e2f0c1a35690

SHA1
58fe53b51777051cca50f448743088ea73a6feb7

SHA256
bc9c6304c5de48e472289c2c0246866e853d125bd292be635d60361a7618824b

SHA512
c5f45abf6da0a218a1c9051e4b2b7d5088de689bfdebf156de57696ab9d4a2766fc4c8232142d6b0af5a34b1da194a58277f19d3ca4d777692004389e25d5fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb29E9.tmp
Filesize
1KB

MD5
a8d20389688eb5bb2217374daac56135

SHA1
84206edd4f55aeede510e916137c9f3c49a11ff5

SHA256
5a1e88a2bcb9de8eab56724555cad7edf1c35f5a82782e7cd9d953b1e4206172

SHA512
a1b5db7e0ddd8f354e1f4d1eb58f5b73af8e1028b7aa3dcf2802dd4359c3e0331a2a095d1e5bda1249c2869ad302175101401483b0fa2ff41246d6ed26ca8978

Download Submit
C:\Users\Admin\AppData\Local\Temp\wGPOWxgcqU.exe.config
Filesize
2KB

MD5
1c0bf367844bbc08b1542053798dc6e7

SHA1
db3b90ddb434f15ae1ab28a45b201334111b29a0

SHA256
904282ea0017ddd5ca7f62596ea16c30428cf041dbced0efd8f0c1570079b423

SHA512
a5934ec56c4fcb025cf717c2427b80cebc44a1a44379f0eecb7e36c9ac8fc368c80bd2db1fb47142b564479cd93ab6ef91ffcd2a2fd68e06ed1a46f5f019fb1b

Download Submit
C:\Users\Admin\Desktop\NEXUS.lnk
Filesize
1KB

MD5
aacf8f9d2695ab3d4def73bee1f07e44

SHA1
18b27fd07a28a6d4422c958042642f60441ec844

SHA256
53fdf8d911311d74b8b3b071ad848a49c7944590bbf0d766402e3d5050e2e31f

SHA512
6451e28cd8f86f5e0d9fdaad241120b91b220b2dd2157516075ec54042283aa563c910740cb183716e401d80938eec65a9ac1a56a1f9d697e035e39154514a9b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evb1E0F.tmp
Filesize
1KB

MD5
a14bfff0d9a58df81fced932ea122af8

SHA1
e44b008e348c0ca79631548716a3c18a84a5b734

SHA256
121b4c05501609241b7059b18ff412d7e83f215e9af492cf494584fb22957609

SHA512
c633a22844f6177292fec5098210202e0efe8720eaa2084a3fb9b1ea6a99b3940c46f0077557300ef67e70471ce58cf52a3192ce9551147c0fac25e4558779a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evb1E20.tmp
Filesize
1KB

MD5
7516df78d526c407fea01eba7b083e41

SHA1
f42c285b9d732aa913a5e6f7bf527fe694a62963

SHA256
f506eb96b308d92535cb3539bfdc89023b09de019aae6419ced69f3436229435

SHA512
d6d2091ab00033f6cb188ab2febb0a261843dc94796efb022edad93decbb57f07e7a9d8af4a1c011092176e3c5062096059a74c3a520e1839409688759dbf673

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evb1E53.tmp
Filesize
1KB

MD5
547fa32dd7c005708dd434075f6b1d70

SHA1
ba49acf69c1496447e6899870ccc2238a5c3ed87

SHA256
9062989f7ed30df9cd06e3632c59c3bf2a1e6e970d8f420aadf65d1a1f17036e

SHA512
b8ab3db39b14aa20c8475f8811ba113f7dec215ff449a2f50d44790476ec6b338ad93f9950778256b1a0406df60cd1ff980a3bb0ff6d65c0444073b7794c092f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evb1E65.tmp
Filesize
1KB

MD5
26fc5802d3da1539a5b4a4e9d1c0be94

SHA1
4451ad10ddd3a9910f3706e957ce32ae142fbf58

SHA256
d1781882a8f4ed09d0f0237271a72522b7679aca3112755c75f9b60e5db18840

SHA512
5dd81590049e6574e3e1325b637a4f2fb62bfc77635f8ad86b6125ff2a91f04a88182cc896e855b3054ed281545c6985e0db05c36ed55f0819ed5260ab27b44c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evb1E76.tmp
Filesize
1KB

MD5
394163f4458c968691ec5a8ae5c11ad1

SHA1
32b2d59ce48997dc832df6ec018d5cd08d3592a1

SHA256
b7c700fa8d686d98fd21d87c5788aaa30a39cad5e15f30f2928f8c8bd0c68e77

SHA512
7b56db7842d0ebf7affa8c32a3a1a2acfb06a5f40a265e27d45769ba6720985af404c854c8036dcb958de12c3789870f923e61ea629bae676a805c2c3422c91f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evb1FA3.tmp
Filesize
1KB

MD5
b02ea8cf232a5c2ad2a91ac241b8ab78

SHA1
a460bccd303dae29bdf496ddc343cfd0aa6db8fe

SHA256
5defef4d85dc339c70be3b000d1cecc65fbadf137732ed2fe4ca5514fcaf59e1

SHA512
6416322dae4af0772505885f85ccdd0e33b76e41a56f6381a0a7d4a36e6dfc717e654ae260d0c5c12751d977c4f8a916bcd2239fb1e20a643124f69a0571fda0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evb2012.tmp
Filesize
1KB

MD5
9c6a27a0e7a4e5507eaf2ae53d6cefc4

SHA1
1d2ada0b7c6255bf2d852c7bf16bab962fbdca47

SHA256
5393c6e414f4cb8dae92dd03b6642953e80f2b72bb7968fe0e5250e428e4265a

SHA512
5e3bc5a3f25878ca2b20a5ea6fda8642759b7451ed29b948b219f933b83080e8d0b7c28f57aa68432ea99ee84547bf340b808803d634c5cf9025f90281e0ed43

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evb214E.tmp
Filesize
1KB

MD5
90259af8bab2c4b2a9c1a70ccd22886d

SHA1
056746307495e18972455b488f37931e607e802e

SHA256
2d91617c40e2b4cf5e9f3c0b773846f8eafc8ee2e57f5e1fb466ede694c2f058

SHA512
3aab255150621cc75a29472c1a5dc6ff52050ccf462065f48c27661f3331904ab5a7f35dbfe1bb8d6da0d789d3f35cd158923f0707dd06cee76c5890f8cba471

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evb2333.tmp
Filesize
1KB

MD5
42934c8a30e26034cf40084b75915345

SHA1
a38ac374de3ae245c8799289dac6f5640618b86b

SHA256
8c4ec5491045e156b8e86c2872cdd69c8f72381f3635a0b6a5d6a7340dc6ec87

SHA512
c6427f777643555e228186e9574c86c4dc97fdb60dbf93a05a45d78754ee484f93a15c480986e7ffbe432c660bb0ffdf323a492a00083d80a916ae9b1147e1d4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evb2355.tmp
Filesize
1KB

MD5
65d4545e8b5b4bf89c1393c731617252

SHA1
6cc6f80814bef739e256ff0344f2957d1e649c1e

SHA256
0ad27262f323681cd0240dc075ad7b0db796a7d1510ac9155dd16eacffeba516

SHA512
66b0b315037d24601d6047408e9d8af570c4dc9828381758bf068bcf62b1abc5f5b25bb3345203a73cb9997e144b15f02ec3e8eb08f7a7d8592486cd022dcab6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evb250B.tmp
Filesize
1KB

MD5
63098c2d15b8edd10285033ec1037d37

SHA1
d03b8866ab61dc722d86c957b3d2804ff051ef39

SHA256
3da1cda8365a58794ace3732e5da9e370da9024d36e61ddd1e1b1aa7add4c33d

SHA512
198d0df79eecbbaf5137ade21e00aac5a2f05c13dee7f6c89d378c462ea0d28f9fd79749a85b301a1c3f208a06f440441227dc4ba83449cf16d553f7fc4c5937

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evb252D.tmp
Filesize
1KB

MD5
4e3dbd6001a9c81a5d1d6a8b2d874bb1

SHA1
e01494d70f75a86a63425f743c13b270feefbd9f

SHA256
5b4a8c43dd1111901fa99c6950ee2d8ce0bc549b97144feeedde5ca521ed15b0

SHA512
3b10527efb7d98527d6da61bd443fdb985dd58fe36c98fc8a72211e2ecc089aabc848155d50a0bb0fce5bd516178d54cd0eeea8d8160f0d34b1f9172119c6859

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evb253E.tmp
Filesize
1KB

MD5
094530769342de17b8ab80297ff4c8a8

SHA1
ea86ba51b011e748b69ccd1bf3bea6bf50820928

SHA256
bdabff206a5fba54a1a06fbf3f59606fc66e08882b26216aa053e7b46a20ea31

SHA512
9e7997e53d6f831aa50aba4425d40970aee10364fa3a996a270ffa248ff62187c9ef387f422f644e0bcc1ca9d7f21c4c7f40c6bf8dfa13a3e7558f80641eba8c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evb25DC.tmp
Filesize
1KB

MD5
6ceb6e3be571bdaee3147adb325994f0

SHA1
25b8919e8c917c7d31436a4555d391306b96a3a3

SHA256
3705ac3ba0589b10770f0fb31000372e8f0ccecd2397c96db3ad3c6b986fd002

SHA512
339a1855a13fb844606e1950e430b5593528ec67da884d1b5a172a7740904daf1aaf6ae0cc0316638582742d1189720baba7f75030355ef706031074afd4d772

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evb2726.tmp
Filesize
1KB

MD5
6804eea872fd80ff18fdd41a3fee7291

SHA1
3426bd1435e4d10a0ee748928ea2d52abef840a5

SHA256
ea1b653feddf085f462687015ce7e20331371325b6621b6ffb2b1489e6007342

SHA512
b1ff2394e1dbd8c815fd5fd9422444965a0f9dcbfd101a785b9cb83a3aa96e3df04d9e45fa7e50d9bcd13d168d69c2d5b30688c4b2a301a6ddc7db0a4d717fa1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evb2766.tmp
Filesize
1KB

MD5
93d3032d0ef3ab29374adb476d3a2377

SHA1
ec50554b58da1bcac0867d2aeb191b8c084ebc04

SHA256
04d01a5a96f2f0a32c0f1ad15229ee4e658b4270f234f2c18a6227c7c1d29134

SHA512
3e03560eb58ab03ecf72ff46f509ea7ff1badde2b90bb4b3561458427eda36fbe849f38ecf7676a5a7bc28facd7dadf6cd773c3baa3037c1e6cc729a7ea3bda5

Download Submit
\Users\Admin\AppData\Local\Temp\evb1787.tmp
Filesize
1KB

MD5
57eb881a7adba6335b907ea2bfeab5da

SHA1
fb825489bb35cce81ec1fe1c7da9395b66a3212f

SHA256
eeb4ba320d8953f68267ff13e5ececc0ee7c7dd677bb95013b91b03198c41858

SHA512
b0921a715fe36694ff73428794b70b6289ad9fcfd536bf3b70e037bfbb6b4714fbcaedc164f0323f10d10901ce0526ae9cf1b1d4a66a2ffb24727d75ff56aa84

Download Submit
\Users\Admin\AppData\Local\Temp\wGPOWxgcqU.exe
Filesize
27.7MB

MD5
9f7d0bfe3985c340f42f039fbf9c52af

SHA1
8769d102239db1f9befeaa67b25a7c12ea9ccf2b

SHA256
bf782827fee0c2350eef32b486f7750a530d0e253187f85dd6b52af0b30c8a85

SHA512
988f00c929d7d01b887dc511e586cc75a14180b8b65f34cc293bb998174b667cd488d4e4fc777c183f0c29c744cf649fa520f7265e13486226f3f074cdaf3f81

Download Submit
memory/1712-59-0x0000000009330000-0x00000000093E2000-memory.dmp

Filesize
712KB

Download
memory/1712-205-0x0000000009330000-0x0000000009AD6000-memory.dmp

Filesize
7.6MB

Download
memory/1712-104-0x0000000001160000-0x0000000001186000-memory.dmp

Filesize
152KB

Download
memory/1712-103-0x0000000001160000-0x0000000001186000-memory.dmp

Filesize
152KB

Download
memory/1712-102-0x0000000001160000-0x0000000001172000-memory.dmp

Filesize
72KB

Download
memory/1712-101-0x0000000009330000-0x00000000095DE000-memory.dmp

Filesize
2.7MB

Download
memory/1712-100-0x0000000009330000-0x00000000095DE000-memory.dmp

Filesize
2.7MB

Download
memory/1712-99-0x0000000000190000-0x0000000000DC0000-memory.dmp

Filesize
12.2MB

Download
memory/1712-95-0x0000000009330000-0x00000000095DE000-memory.dmp

Filesize
2.7MB

Download
memory/1712-77-0x0000000009330000-0x00000000093E2000-memory.dmp

Filesize
712KB

Download
memory/1712-67-0x0000000009330000-0x0000000009F9A000-memory.dmp

Filesize
12.4MB

Download
memory/1712-0-0x0000000000190000-0x0000000000DC0000-memory.dmp

Filesize
12.2MB

Download
memory/1712-112-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/1712-111-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/1712-119-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1712-117-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/1712-113-0x0000000020530000-0x0000000020B5A000-memory.dmp

Filesize
6.2MB

Download
memory/1712-124-0x0000000006330000-0x00000000063D0000-memory.dmp

Filesize
640KB

Download
memory/1712-121-0x0000000020530000-0x0000000020B5A000-memory.dmp

Filesize
6.2MB

Download
memory/1712-134-0x0000000006330000-0x00000000063D0000-memory.dmp

Filesize
640KB

Download
memory/1712-135-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/1712-133-0x0000000006330000-0x00000000063D0000-memory.dmp

Filesize
640KB

Download
memory/1712-137-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/1712-138-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1712-136-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1712-87-0x0000000001160000-0x0000000001186000-memory.dmp

Filesize
152KB

Download
memory/1712-120-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/1712-114-0x0000000020530000-0x0000000020B5A000-memory.dmp

Filesize
6.2MB

Download
memory/1712-141-0x0000000009330000-0x0000000009AD6000-memory.dmp

Filesize
7.6MB

Download
memory/1712-140-0x0000000009330000-0x0000000009AD6000-memory.dmp

Filesize
7.6MB

Download
memory/1712-145-0x0000000009330000-0x0000000009F9A000-memory.dmp

Filesize
12.4MB

Download
memory/1712-146-0x0000000009330000-0x0000000009AD6000-memory.dmp

Filesize
7.6MB

Download
memory/1712-149-0x00000000030B0000-0x00000000030FC000-memory.dmp

Filesize
304KB

Download
memory/1712-161-0x0000000009330000-0x000000000965E000-memory.dmp

Filesize
3.2MB

Download
memory/1712-160-0x0000000001160000-0x000000000117A000-memory.dmp

Filesize
104KB

Download
memory/1712-159-0x0000000009330000-0x000000000965E000-memory.dmp

Filesize
3.2MB

Download
memory/1712-156-0x00000000030B0000-0x00000000030FC000-memory.dmp

Filesize
304KB

Download
memory/1712-155-0x00000000030B0000-0x00000000030FC000-memory.dmp

Filesize
304KB

Download
memory/1712-154-0x0000000009330000-0x00000000093E2000-memory.dmp

Filesize
712KB

Download
memory/1712-153-0x0000000009330000-0x00000000093E2000-memory.dmp

Filesize
712KB

Download
memory/1712-168-0x0000000009330000-0x00000000095DE000-memory.dmp

Filesize
2.7MB

Download
memory/1712-170-0x0000000009330000-0x000000000965E000-memory.dmp

Filesize
3.2MB

Download
memory/1712-176-0x0000000001160000-0x0000000001172000-memory.dmp

Filesize
72KB

Download
memory/1712-180-0x0000000001160000-0x000000000119E000-memory.dmp

Filesize
248KB

Download
memory/1712-178-0x0000000001160000-0x0000000001186000-memory.dmp

Filesize
152KB

Download
memory/1712-177-0x0000000001160000-0x0000000001186000-memory.dmp

Filesize
152KB

Download
memory/1712-172-0x0000000001160000-0x000000000119E000-memory.dmp

Filesize
248KB

Download
memory/1712-184-0x0000000005840000-0x00000000058B2000-memory.dmp

Filesize
456KB

Download
memory/1712-183-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/1712-182-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/1712-196-0x0000000006330000-0x00000000063D0000-memory.dmp

Filesize
640KB

Download
memory/1712-195-0x0000000006330000-0x00000000063D0000-memory.dmp

Filesize
640KB

Download
memory/1712-194-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/1712-193-0x0000000020530000-0x0000000020B5A000-memory.dmp

Filesize
6.2MB

Download
memory/1712-191-0x0000000005840000-0x00000000058B2000-memory.dmp

Filesize
456KB

Download
memory/1712-201-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/1712-204-0x00000000030B0000-0x00000000030F4000-memory.dmp

Filesize
272KB

Download
memory/1712-200-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/1712-206-0x00000000030B0000-0x00000000030F4000-memory.dmp

Filesize
272KB

Download
memory/1712-82-0x0000000001160000-0x000000000117A000-memory.dmp

Filesize
104KB

Download
memory/1712-199-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/1712-190-0x0000000005840000-0x00000000058B2000-memory.dmp

Filesize
456KB

Download
memory/1712-188-0x0000000020530000-0x0000000020B5A000-memory.dmp

Filesize
6.2MB

Download
memory/1712-167-0x0000000001160000-0x0000000001172000-memory.dmp

Filesize
72KB

Download
memory/1712-166-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/1712-165-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/1712-211-0x0000000009330000-0x0000000009AD6000-memory.dmp

Filesize
7.6MB

Download
memory/1712-217-0x0000000009330000-0x0000000009400000-memory.dmp

Filesize
832KB

Download
memory/1712-216-0x00000000030B0000-0x00000000030FC000-memory.dmp

Filesize
304KB

Download
memory/1712-222-0x0000000009330000-0x000000000942C000-memory.dmp

Filesize
1008KB

Download
memory/1712-225-0x0000000009330000-0x000000000942C000-memory.dmp

Filesize
1008KB

Download
memory/1712-224-0x0000000009330000-0x0000000009400000-memory.dmp

Filesize
832KB

Download
memory/1712-223-0x0000000009330000-0x000000000965E000-memory.dmp

Filesize
3.2MB

Download
memory/1712-215-0x00000000030B0000-0x00000000030FC000-memory.dmp

Filesize
304KB

Download
memory/1712-213-0x0000000009330000-0x0000000009400000-memory.dmp

Filesize
832KB

Download
memory/1712-239-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/1712-247-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/1712-246-0x0000000005840000-0x00000000058B2000-memory.dmp

Filesize
456KB

Download
memory/1712-242-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/1712-237-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/1712-236-0x0000000009330000-0x000000000942C000-memory.dmp

Filesize
1008KB

Download
memory/1712-235-0x0000000009330000-0x000000000965E000-memory.dmp

Filesize
3.2MB

Download
memory/1712-88-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/1712-90-0x0000000001160000-0x0000000001172000-memory.dmp

Filesize
72KB

Download
memory/1712-83-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/1712-304-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1712-302-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/1712-2-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/1712-308-0x0000000000190000-0x0000000000D72000-memory.dmp

Filesize
11.9MB

Download
memory/1712-79-0x0000000001160000-0x0000000001172000-memory.dmp

Filesize
72KB

Download
memory/1712-68-0x0000000009330000-0x00000000093E2000-memory.dmp

Filesize
712KB

Download
memory/1712-69-0x0000000001160000-0x000000000117A000-memory.dmp

Filesize
104KB

Download
memory/1712-65-0x0000000001160000-0x000000000117A000-memory.dmp

Filesize
104KB

Download
memory/1712-19-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/1712-21-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/1712-24-0x0000000074320000-0x00000000743A0000-memory.dmp

Filesize
512KB

Download
memory/1712-23-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/1712-22-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/1712-1-0x0000000077520000-0x0000000077521000-memory.dmp

Filesize
4KB

Download
memory/1712-20-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/1712-4-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1712-3-0x0000000000190000-0x0000000000D72000-memory.dmp

Filesize
11.9MB

Download
memory/1712-7-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/1712-16-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1712-18-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/1712-14-0x00000000FFE00000-0x00000000FFFA7000-memory.dmp

Filesize
1.7MB

Download
memory/1712-15-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/1712-17-0x0000000005FB0000-0x0000000006602000-memory.dmp

Filesize
6.3MB

Download
memory/2816-323-0x0000000074320000-0x00000000743A0000-memory.dmp

Filesize
512KB

Download
memory/2816-322-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/2816-320-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/2816-321-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/2816-356-0x0000000003030000-0x0000000003038000-memory.dmp

Filesize
32KB

Download
memory/2816-355-0x0000000003120000-0x000000000316C000-memory.dmp

Filesize
304KB

Download
memory/2816-319-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/2816-318-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/2816-505-0x00000000057E0000-0x00000000057F6000-memory.dmp

Filesize
88KB

Download
memory/2816-317-0x0000000010000000-0x0000000010C6A000-memory.dmp

Filesize
12.4MB

Download
memory/2816-305-0x0000000000100000-0x0000000000CE2000-memory.dmp

Filesize
11.9MB

Download