4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748

Analysis

max time kernel
128s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Size

91KB
MD5

256f14fa9fe7b9d368cd067ecded2de0
SHA1

ca3d237606bf17de27862dc027e001c92240097e
SHA256

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748
SHA512

805aaabab98311d9d008ea3d07fc020eae4ae09683db0d785cc50f09c6a61d71023259f8a2b043fcc415c4b0a7385a2a9904ceed1516da76bfc07f06d4db4509
SSDEEP

768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3ImumB3gRYjXbUeHORIC40:uT3OA3+KQsxfS4nT3OA3+KQsxfS4u

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

Processes:

xk.exeIExplorer.exeWINLOGON.EXECSRSS.EXESERVICES.EXELSASS.EXExk.exeIExplorer.exeWINLOGON.EXECSRSS.EXESERVICES.EXELSASS.EXESMSS.EXESMSS.EXE

pid	process
4408	xk.exe
2740	IExplorer.exe
2412	WINLOGON.EXE
948	CSRSS.EXE
4404	SERVICES.EXE
3240	LSASS.EXE
4604	xk.exe
4928	IExplorer.exe
2688	WINLOGON.EXE
3216	CSRSS.EXE
4076	SERVICES.EXE
3900	LSASS.EXE
1712	SMSS.EXE
1420	SMSS.EXE

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

description	ioc	process
File created	F:\desktop.ini	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened for modification	C:\desktop.ini	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File created	C:\desktop.ini	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened for modification	F:\desktop.ini	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

description	ioc	process
File opened (read-only)	\??\M:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\N:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\Q:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\Y:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\J:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\E:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\G:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\H:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\T:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\V:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\W:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\B:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\K:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\O:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\R:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\S:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\U:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\X:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\Z:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\I:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\P:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened (read-only)	\??\L:	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

Drops file in System32 directory 6 IoCs

Processes:

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Mig2.scr	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File created	C:\Windows\SysWOW64\shell.exe	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

Drops file in Windows directory 2 IoCs

Processes:

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

description	ioc	process
File created	C:\Windows\xk.exe	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
File opened for modification	C:\Windows\xk.exe	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

Modifies registry class 15 IoCs

Processes:

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

pid	process
1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exexk.exeIExplorer.exeWINLOGON.EXECSRSS.EXESERVICES.EXELSASS.EXExk.exeIExplorer.exeWINLOGON.EXECSRSS.EXESERVICES.EXELSASS.EXESMSS.EXESMSS.EXE

pid	process
1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
4408	xk.exe
2740	IExplorer.exe
2412	WINLOGON.EXE
948	CSRSS.EXE
4404	SERVICES.EXE
3240	LSASS.EXE
4604	xk.exe
4928	IExplorer.exe
2688	WINLOGON.EXE
3216	CSRSS.EXE
4076	SERVICES.EXE
3900	LSASS.EXE
1712	SMSS.EXE
1420	SMSS.EXE

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

description	pid	process	target process
PID 1020 wrote to memory of 4408	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	xk.exe
PID 1020 wrote to memory of 4408	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	xk.exe
PID 1020 wrote to memory of 4408	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	xk.exe
PID 1020 wrote to memory of 2740	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	IExplorer.exe
PID 1020 wrote to memory of 2740	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	IExplorer.exe
PID 1020 wrote to memory of 2740	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	IExplorer.exe
PID 1020 wrote to memory of 2412	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	WINLOGON.EXE
PID 1020 wrote to memory of 2412	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	WINLOGON.EXE
PID 1020 wrote to memory of 2412	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	WINLOGON.EXE
PID 1020 wrote to memory of 948	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	CSRSS.EXE
PID 1020 wrote to memory of 948	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	CSRSS.EXE
PID 1020 wrote to memory of 948	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	CSRSS.EXE
PID 1020 wrote to memory of 4404	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	SERVICES.EXE
PID 1020 wrote to memory of 4404	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	SERVICES.EXE
PID 1020 wrote to memory of 4404	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	SERVICES.EXE
PID 1020 wrote to memory of 3240	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	LSASS.EXE
PID 1020 wrote to memory of 3240	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	LSASS.EXE
PID 1020 wrote to memory of 3240	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	LSASS.EXE
PID 1020 wrote to memory of 4604	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	xk.exe
PID 1020 wrote to memory of 4604	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	xk.exe
PID 1020 wrote to memory of 4604	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	xk.exe
PID 1020 wrote to memory of 4928	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	IExplorer.exe
PID 1020 wrote to memory of 4928	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	IExplorer.exe
PID 1020 wrote to memory of 4928	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	IExplorer.exe
PID 1020 wrote to memory of 2688	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	WINLOGON.EXE
PID 1020 wrote to memory of 2688	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	WINLOGON.EXE
PID 1020 wrote to memory of 2688	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	WINLOGON.EXE
PID 1020 wrote to memory of 3216	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	CSRSS.EXE
PID 1020 wrote to memory of 3216	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	CSRSS.EXE
PID 1020 wrote to memory of 3216	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	CSRSS.EXE
PID 1020 wrote to memory of 4076	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	SERVICES.EXE
PID 1020 wrote to memory of 4076	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	SERVICES.EXE
PID 1020 wrote to memory of 4076	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	SERVICES.EXE
PID 1020 wrote to memory of 3900	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	LSASS.EXE
PID 1020 wrote to memory of 3900	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	LSASS.EXE
PID 1020 wrote to memory of 3900	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	LSASS.EXE
PID 1020 wrote to memory of 1712	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	SMSS.EXE
PID 1020 wrote to memory of 1712	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	SMSS.EXE
PID 1020 wrote to memory of 1712	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	SMSS.EXE
PID 1020 wrote to memory of 1420	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	SMSS.EXE
PID 1020 wrote to memory of 1420	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	SMSS.EXE
PID 1020 wrote to memory of 1420	1020	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe	SMSS.EXE

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe

C:\Users\Admin\AppData\Local\Temp\4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe
"C:\Users\Admin\AppData\Local\Temp\4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1020
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4408
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2740
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2412
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:948
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4404
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3240
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4604
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4928
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2688
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3216
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4076
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3900
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1712
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
1e7137c33383355c953982c58b1b70d0

SHA1
0705f844ec62bdf65aeb537dcb82a4b038a01778

SHA256
2c7f2ca67042ab860789c8b6404148946c3b8b85e1733cde7397b388bcda175a

SHA512
b8079aba76b0ad63d36d5b18102849eca3329ff73d4616741dd929d94a890745264789fb4504e7828ca857cfc705c74b7a3c031ed55efe6b6d7399923222ebd6

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
aa46eef5c929f38cf0bda7231807772f

SHA1
76c11ad400778a41cb1ae27d7d5d21f0c5d4f831

SHA256
f8b7d7cde3c99646805e4a7b878438e9e3df0810906f4d5511bea4a1e941eeb9

SHA512
d891217ee95e7c3124428bd9a8187150d79485e0cceb582a67d6947b2abff552b1f6e9e098b4e9a49d35a30e7cd7b306ffe27a5937a384376b83f9cc6e107c70

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
f3e2c7d42a562cbd52fd96328127eea3

SHA1
2d79c719256dc1abd5a4ec2d9d3861b53766917d

SHA256
84e73f3406488075a0a517adfd32315d247873a8ad72b443360925830ee76d53

SHA512
bcbecde9de89812fd7be369a30c2b784df307db28b248b95d391e21da6000ba1cea0ab1581cb92facc75cf9daac5cdf5a74cd9f52c6d8a62be4e75ed75e42a11

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
ab2c8a238c769d590159c0817b9c3ba3

SHA1
0c238d90ef0f0dd207aa67fcd1a03d8e466c2803

SHA256
6f54b2cc3c00acffd1ad6d53bce1cf9fe81bd257a61c0dc70818f2bbcbfa68e0

SHA512
ac18f436dec431b0d33b98eccf277b643ee4f9268db3ff86d9f1a49ad668a56412de7daa04bc3958c9e49ae4b4c688b660d37444a3be0f56d64330386cbe3aeb

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
a601f675a7686a80a6b358825337d244

SHA1
3c5bf7752ea598dcd7474fc99c9ab9d1cfbfe54c

SHA256
b80ae105c30d22571ce69926c8661df073b6045f1071767f3c00616002a005c5

SHA512
4a7f4b1ee3cd244ae256a4f5d13b7313534c3252eb6374685ec679a3842f13b96d552cabe46872df55c385971c6df7e011baa22177c7f0dcfd948b2caea56339

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
92786adc0a46ed830bac05ee1a419359

SHA1
7f3d5a308c083c12654d6cfcc1c853385ee8dd1d

SHA256
b7c9330e53b380f15b4be937c39189cbd962c8c9281ddc719276cb3e3242afca

SHA512
085679c28a3bda56583cc96de4b7501dc9e7404c1569c47e89b6a15d832ba221e36c8b1a6bced096f6188e0ec9d9195244077244c46dd59666b3950e4a21830c

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
256f14fa9fe7b9d368cd067ecded2de0

SHA1
ca3d237606bf17de27862dc027e001c92240097e

SHA256
4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748

SHA512
805aaabab98311d9d008ea3d07fc020eae4ae09683db0d785cc50f09c6a61d71023259f8a2b043fcc415c4b0a7385a2a9904ceed1516da76bfc07f06d4db4509

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
d850345cb6ea9111f0571a83e66e0343

SHA1
ac4126d9a73b73cc79399eae595446f6751948e6

SHA256
b2f5b5442d091cb5be52a9b249c794c58ba949994ad30d0827e7bae3f3189af6

SHA512
f721a0f95e707b78920ca7b45ae916c9fb30cc9c09268a747109d517f6b56beb2584d69bea611762ac3204c63e0c3ab4ed6e9b1e10cca8972e9b2158ee4bdd83

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
5a6c295861ec3eb6d84f95f76ec7a919

SHA1
62d4887c621e2b22b3f117da3b3d4339fc1631bb

SHA256
ebe9fc1d4862b31f7c7ac5b35c0f2a6c861604ca91fe64980ccf48cdfd2755de

SHA512
4107bd03fd8cfef5d9381ee0c8482a1e4874cc296504bede5ce4bb43cc0090613a0162f5ca4e35bc5edf536a559f4fceb6bc8b6c4c60747aedc2ebc7615d902c

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
1224f108aa81b58017a4ff9e2a867bca

SHA1
dd63223c314ca8229a7596dd76cc71bc9e032cd0

SHA256
3447224ba10dc679be9e864c09500edfb1940d76c40433fa47e21f25941ab11c

SHA512
abed927cffde46b202ceb5baaf8567a9dc8e8e4dbf242246d0c9c5dd95818c227d9d390afe6c5ce4f5fd8715222079d5d6686f97c1702f36607fcdf0566b8a6b

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
41a17fb933db35a7f00e9e8973b276a3

SHA1
b76f6923816d7404876c5f805ed3ae6760df843a

SHA256
8df53e67fb1a0b5cbc23f1268e78630f0634bb1af606746cd471acf6fc8bd42d

SHA512
8f5c65a08c4e61ffc28cc80ce196968596f703c66c54b4db2d00677684491ad8f7975bdc372a5011f5976b61795b296b36e23678eb10949a96b2eb303834ca3a

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
ec280b6b7101cbf9765b96036cf06b6a

SHA1
65d4a389008fee86fc4376610d1e72a6fb635bf0

SHA256
42af3ff89ff7e3e1153ad9ca75b29e1eaf2f6366529cb07e0c241540a0495067

SHA512
5d60781402b590738e10e50bb5f0bec038aad67c37562a258a591119c4839b1a2f51e7a2957b58162d382b2ea62da797d49256c79b34f286d551a0c0eb6f0a82

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
d239e46ec1cc44fa6cc414c04b4ab9df

SHA1
e5812ab397fd41d2df976b2ca7260754ec7a1baf

SHA256
e085fe15b2108c96113d1349d697b0b09df26fd16359a58e44641bf0dd1f8bb8

SHA512
6becee3433e443ea11a5ef609e54e51621dd12c4efaabc323c470efc136909f6d28e5e8fb56e804bbea698780f641d45cf4b247f9b554d15ada810024dd86c36

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
5614a6ec678b8d231586c0b9fffb965b

SHA1
9bae960ba7cfb5aeffff18ef26911f07cf7c924f

SHA256
1cd51dbd40406b87bc1d317115b1c9d48cc0ba9f3fe484299993ab87b52e701a

SHA512
6c03e8f5561b7bf4068d3868535ed10289354aeda97b4a4269fe6919250308254fabb3fcc3e21dd0e57e840934c9c722e7d9938f08e776abfcbb083040d3bd67

Download Submit
memory/948-147-0x0000000074EE0000-0x000000007503D000-memory.dmp

Filesize
1.4MB

Download
memory/948-155-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1020-309-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/1020-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1020-299-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1020-140-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/1020-139-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/1020-308-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1020-4-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/1020-2-0x0000000074EE0000-0x000000007503D000-memory.dmp

Filesize
1.4MB

Download
memory/1020-3-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1020-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/1420-302-0x0000000074EE0000-0x000000007503D000-memory.dmp

Filesize
1.4MB

Download
memory/1420-307-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1712-273-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1712-268-0x0000000074EE0000-0x000000007503D000-memory.dmp

Filesize
1.4MB

Download
memory/2412-143-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2412-141-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2412-135-0x0000000074EE0000-0x000000007503D000-memory.dmp

Filesize
1.4MB

Download
memory/2412-133-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2412-134-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2688-239-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2688-233-0x0000000074EE0000-0x000000007503D000-memory.dmp

Filesize
1.4MB

Download
memory/2740-129-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2740-124-0x0000000074EE0000-0x000000007503D000-memory.dmp

Filesize
1.4MB

Download
memory/3216-243-0x0000000074EE0000-0x000000007503D000-memory.dmp

Filesize
1.4MB

Download
memory/3216-248-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3240-165-0x0000000074EE0000-0x000000007503D000-memory.dmp

Filesize
1.4MB

Download
memory/3240-170-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3900-265-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3900-259-0x0000000074EE0000-0x000000007503D000-memory.dmp

Filesize
1.4MB

Download
memory/4076-258-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4076-251-0x0000000074EE0000-0x000000007503D000-memory.dmp

Filesize
1.4MB

Download
memory/4404-156-0x0000000074EE0000-0x000000007503D000-memory.dmp

Filesize
1.4MB

Download
memory/4404-160-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4408-122-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4408-116-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4408-114-0x0000000074EE0000-0x000000007503D000-memory.dmp

Filesize
1.4MB

Download
memory/4408-113-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4408-111-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4604-219-0x0000000074EE0000-0x000000007503D000-memory.dmp

Filesize
1.4MB

Download
memory/4604-226-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4928-227-0x0000000074EE0000-0x000000007503D000-memory.dmp

Filesize
1.4MB

Download
memory/4928-237-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download