09c91862d6e40c74f6edc233440b5f691d498ede6fb00bb43d309ca24e4e67b9

Analysis

max time kernel
841s
max time network
844s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
Size

1.8MB
MD5

84b51ee1b45d26e08c525d9c87a4945a
SHA1

04d9559bb0ed6e964b05d1583a7410eca837f1cf
SHA256

debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8
SHA512

d3a4c07119ce03d1199ed2e6fb98b1504c171fe1d8ce1d71c33e2f2562ad0149e4fd5018ae837d9500761ad3d73f30c48d8c44d72438b048c8fd5f914d3549c9
SSDEEP

24576:sVLOUsdmcKn0RVIC0GN9eyS7QPkIIgmWmQL3taRHLM36T22CKRJqNE4u6FOcnDs7:stJ6F7PN3taRHwe3clnBowQg7K

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Port Monitors 1 TTPs 5 IoCs

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

persistence

Port Monitors

T1547.010

Processes:

spoolsv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port	spoolsv.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe

description	ioc	process
File opened (read-only)	\??\P:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\R:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\S:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\T:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\K:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\N:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\O:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\Q:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\V:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\W:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\X:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\Z:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\H:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\L:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\M:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\J:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\U:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\Y:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\E:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\G:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
File opened (read-only)	\??\I:	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

net.exetcpsvcs.exenet.exedebfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.execmd.exenet1.exeIEXPLORE.EXEnet1.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tcpsvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBIOSDate	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5AE0E5C1-A12C-11EF-BA5A-5EE01BAFE073} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000656f10714a87ee59ad8453549ce426fc4e442394b742c13d4800945487a5d732000000000e800000000200002000000000bd08c485fce3f86733e22e21131db64d3d6ea0108967e02aab1ffa77104c7f20000000d1f4a54eb55e41a42b4b6aa8fc2544a5002755b07fb6ae15e7b322ba722a994440000000a523ac8c548cb1182be132780f27805b4c18850c5243ee559408289fa26477abd251ed0f8f77bc8975bb555f2e38776302f9ed1d5484398437ea1dac9dcfe841	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0e8324a3935db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea22000000000200000000001066000000010000200000003e5578c0fd2c31705f060da83869e14a2c510bf96262ee75a1c97102b4d89cfc000000000e80000000020000200000001aec7e3c4cc2b3a830e5f55fd63230bc0803948f06c592e7e73de9d9c1f3e29e90000000eed0eb226a73ccb8851afe984a9a006313874907271c2fb38d9586bd232ee493d98c0ce3eb514b34afd63d26d0e5d4ab34f84a5e1e6e4372f6893f0cde6dcd1b46d57cba97e9d72aafcb284db71badb22761c6aef4f2331fbf84f9776b47b36dbdf7001fa12780d7c5f2a6c8e18895aaa781765a3036c7d35e83445739df1d7a44c66ce845d2a2ef425817cfa1b0ec7c40000000a367420af0b2585e0e3c5ee1dbfd76b4209310a5b9462526709d1c9761bd4620c77ef6e065e6326eece216a3cd69438fde152474f4710b13540917ffc0af7959	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437601602"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies data under HKEY_USERS 14 IoCs

Processes:

spoolsv.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe

pid	process
1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

tcpsvcs.exe

pid process

2644 tcpsvcs.exe

pid	process
2644	tcpsvcs.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

spoolsv.exe

description	pid	process
Token: SeRestorePrivilege	564	spoolsv.exe
Token: SeRestorePrivilege	564	spoolsv.exe
Token: SeRestorePrivilege	564	spoolsv.exe
Token: SeRestorePrivilege	564	spoolsv.exe
Token: SeRestorePrivilege	564	spoolsv.exe
Token: SeRestorePrivilege	564	spoolsv.exe
Token: SeRestorePrivilege	564	spoolsv.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3004 iexplore.exe

pid	process
3004	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exeiexplore.exeIEXPLORE.EXE

pid	process
1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
3004	iexplore.exe
3004	iexplore.exe
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.execmd.exenet.execmd.exenet.exeiexplore.exe

description	pid	process	target process
PID 1820 wrote to memory of 2520	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	cmd.exe
PID 1820 wrote to memory of 2520	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	cmd.exe
PID 1820 wrote to memory of 2520	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	cmd.exe
PID 1820 wrote to memory of 2520	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	cmd.exe
PID 2520 wrote to memory of 2784	2520	cmd.exe	net.exe
PID 2520 wrote to memory of 2784	2520	cmd.exe	net.exe
PID 2520 wrote to memory of 2784	2520	cmd.exe	net.exe
PID 2520 wrote to memory of 2784	2520	cmd.exe	net.exe
PID 2784 wrote to memory of 2936	2784	net.exe	net1.exe
PID 2784 wrote to memory of 2936	2784	net.exe	net1.exe
PID 2784 wrote to memory of 2936	2784	net.exe	net1.exe
PID 2784 wrote to memory of 2936	2784	net.exe	net1.exe
PID 1820 wrote to memory of 2644	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	tcpsvcs.exe
PID 1820 wrote to memory of 2644	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	tcpsvcs.exe
PID 1820 wrote to memory of 2644	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	tcpsvcs.exe
PID 1820 wrote to memory of 2644	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	tcpsvcs.exe
PID 1820 wrote to memory of 2644	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	tcpsvcs.exe
PID 1820 wrote to memory of 2644	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	tcpsvcs.exe
PID 1820 wrote to memory of 2644	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	tcpsvcs.exe
PID 1820 wrote to memory of 2644	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	tcpsvcs.exe
PID 1820 wrote to memory of 2644	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	tcpsvcs.exe
PID 1820 wrote to memory of 2644	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	tcpsvcs.exe
PID 1820 wrote to memory of 2644	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	tcpsvcs.exe
PID 1820 wrote to memory of 2644	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	tcpsvcs.exe
PID 1820 wrote to memory of 2644	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	tcpsvcs.exe
PID 1820 wrote to memory of 652	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	cmd.exe
PID 1820 wrote to memory of 652	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	cmd.exe
PID 1820 wrote to memory of 652	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	cmd.exe
PID 1820 wrote to memory of 652	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	cmd.exe
PID 1820 wrote to memory of 3004	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	iexplore.exe
PID 1820 wrote to memory of 3004	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	iexplore.exe
PID 1820 wrote to memory of 3004	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	iexplore.exe
PID 1820 wrote to memory of 3004	1820	debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe	iexplore.exe
PID 652 wrote to memory of 3048	652	cmd.exe	net.exe
PID 652 wrote to memory of 3048	652	cmd.exe	net.exe
PID 652 wrote to memory of 3048	652	cmd.exe	net.exe
PID 652 wrote to memory of 3048	652	cmd.exe	net.exe
PID 3048 wrote to memory of 2944	3048	net.exe	net1.exe
PID 3048 wrote to memory of 2944	3048	net.exe	net1.exe
PID 3048 wrote to memory of 2944	3048	net.exe	net1.exe
PID 3048 wrote to memory of 2944	3048	net.exe	net1.exe
PID 3004 wrote to memory of 1664	3004	iexplore.exe	IEXPLORE.EXE
PID 3004 wrote to memory of 1664	3004	iexplore.exe	IEXPLORE.EXE
PID 3004 wrote to memory of 1664	3004	iexplore.exe	IEXPLORE.EXE
PID 3004 wrote to memory of 1664	3004	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe
"C:\Users\Admin\AppData\Local\Temp\debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8.exe"
1⤵
- Checks BIOS information in registry
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop Spooler
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\net.exe
    net stop Spooler
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Spooler
      4⤵
      System Location Discovery: System Language Discovery
      PID:2936
- C:\Windows\SysWOW64\tcpsvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d82.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net start Spooler
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\SysWOW64\net.exe
    net start Spooler
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start Spooler
      4⤵
      System Location Discovery: System Language Discovery
      PID:2944
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://blog.sina.com.cn/lanyezi725
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1664

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:2540

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Boot or Logon Autostart Execution: Port Monitors
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Port Monitors

T1547.010

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Port Monitors

T1547.010

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9bd857dfd109e37bae3be5401227487

SHA1
fa99035d4d9a6019c864dd3b2d6dfdceef0df1fe

SHA256
5bef4342bde33808a9680ae5d7f84f47a8e77a5b7e3719ecec551a6c577e2120

SHA512
98ba68f1486b38367a67d5c98172c35dab50c4327cf79392b69f16520a8f9135d06295f207968f218dcc9b21d246256f5d407adc8ed7ccc41eeb7fd0ffc14591

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d833e90876c7df25ea18b4e200e8f527

SHA1
db22a324b88631deac503aaa2acfdbbd95bb7a7a

SHA256
f45dc197382cdc1e0c970414a38ba963ac51dacead28c0c05c87170a3eeea26c

SHA512
5a964addfc8d9f6c9f1033de63562bf906af051d51d28c3ba5949acec4d7d0f986cc75c3914600aa4c8c35578a85370b96d47886e0c83db483e81a28b906f208

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75eeda0e1409653e16202bfba2b5d56d

SHA1
68542c0bc41e264079a50cb8ed38f07c336fdb53

SHA256
71eb37b591aef5578dc7e8d94f4146dca01aab1aeeec892b4d65c102a1d2933e

SHA512
0c59e76f9fdf165c0baf2ee26b8268ebf1f30971c9ad4bca46aa9fac1a66780ab3fe82b019015357b696742edbd71610a057e66f024573430fccea7e3346095e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
337954bcdf19844d517e7d2a00f6e1b6

SHA1
6998101219356d247721b835c6c0a5db254e2fbe

SHA256
cb1c12160850ee918b46998af67828840856ea3303b18344fe3fe1ee90a71ab6

SHA512
8dcd3a9555f83c71c7935859fa22c1efd82589492a4f28f5866e87a4cfe65950060ba01a772373b35f428bc4410afd2ef06a2dc7369eb47aaa5bc5f261667b9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e96257c4def91e9e15ac3816387c96f8

SHA1
7e3d51b44a7e2541929597dd526b3b9b5d11699b

SHA256
08e55193ef10d8f735d3113af9bd41449de283488781b57bff9adbb4c0b22433

SHA512
a0bd4650a430e7d84f873c62c83777a619ff53194c057dc1d24b3ed5c9846b87cc5b5a67706cd227e5f510e1ee3c2f6ce7b34e2b6aeafd4eec5d52233084f73d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b8078af527855ef5c5caca4f73c9e13

SHA1
fa93389ead56e0a2caed0947b53260826401c245

SHA256
1f12498dd90c4284564692bcd7876df5a5218bde23ab2242b844d167646d97dc

SHA512
6ac05e3ce46fd8bb7e835cfd59d0c3c1cfb8fa77f08f9b7478ae19969f43484017cee132ad24f10340e08fce5f736d527b8f7a6b2b3a2a0a790d7802763d5f88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
097e3688c0fc8eddbb62bbceb5710a3b

SHA1
786f1980cc8de94d1391aee00231ebbfc888dda1

SHA256
2b4d7dbd956d059d809e36f749579f95925067c2e7859a4bc1ec8001681c9fc2

SHA512
330c89097709541daab27bc0ecc4b17bc36995fc4be372b3a9a780f42174fe536dda9b611fca9ce835fc498cbe1ead3fb9a31841377c1873f738bdeaf18f4014

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1334fa81be272db0fd2e1b67537092a5

SHA1
0b80d3b4a9ec94bb787f7b70df8dc3df0a040085

SHA256
f673aefd6ece51cb97f919d41a9fe9e3211d95e36af4f476ecae6ce2e7301e02

SHA512
d441dd046cdf27d59771107d98204528a71e85dbc2933dda28e1a0bb9a73ee96d51d98b955b7514eb263afe24c69612a975449ccfb46e53b4e5b9349b5f2940e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62fbe1c3cf6789f2148bcce404ad9ee0

SHA1
57871c8100cc47a826b1e7bffb9ac132efaab3e1

SHA256
9a83ae4270f7b1a1ebb6c9cae3c5f20552907bce9d52d578c6772c9096f2f7b1

SHA512
97926d3a532ff4587424cb239857fedc2c417ea2f0f41823887464b199563ea3157540e4b4b2028e2a2068fea4fab31bd9686d6fbdb52d9c859c51d3b5306ad9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9a1116b9b3824053aced127b7b0c975

SHA1
943272143b312dd929602d90c1d57b8f544298e0

SHA256
652ebe5c014dbf3993088c7e05335d2a83339e4ba92a2a8e6af5d32ef67467d5

SHA512
a309b78790d9220f83e277d56ebceba52032ed48c4ddd9c1020971751b039f7afb7cf0098649f22ba77199b4a10252fcd9817f6f32763af4bad73ef6503ec719

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17456a3231f24b638af3920673fd805c

SHA1
833a72e518cb73cba51b7d22eca0b79aa168e3fe

SHA256
c47432bed69235d1e35ce15f0dfc148a402cb508f6aba06e493cb41385bec9fc

SHA512
641dce630396b3139ba9ed1f207213d1f54af9b78fd37742cad579cd08442be213f14d1836e7951bb30648181f2f399f0a5c4bbcbec6d409f69b8f461ee59984

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f52f1a0bad2ac4b71818c222ea6a1827

SHA1
6fe8dc882bc5c52e7b6b286dbbe9a5172c3e0e3c

SHA256
813e5bea816d801e53ad1d04ec38837dcb602999f5ef83fff2490fb2d16f3805

SHA512
e00700a6099f315529cf1eb486a40f682a76a884be0273717f797d5fe387205a4263e387ed0f2f33b4e0d9d030ad634aded3a2d25ca2bd098795f8aec0878e25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0f893d65832712248bff9909c3ac067

SHA1
3ec4f421daa8a97ee0ef497aecebdaa999e43e23

SHA256
205f90653381d0235dbc9e661f0dc15c08ae4e73030cd22c8f7c592dec873f98

SHA512
43b125a0e369c7b825e9621062abc52eb4da5e94c996241e0213bedbc8d0888b6d926413d1aa645d1dd52c19c763f4742b690831785875f42c00a448da4cdcf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14f4cd5dc239366ed446a9770bdb4b1a

SHA1
a0cd0c273809deeba84a13935d11e91468818302

SHA256
37da68a38ed10198f28f817f8ef0d4f489ac7296d871f9c3d0e53cb41afcc80f

SHA512
ef9edfd9438f954d59c7969ca3bcf872b0c1defd1249ae87855c8e894b9aaedddfba0c4288c89198ed62dfaf94d73a9489bea319b7804c5403c225fbe55284a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d93383ee2a09b77c15ee7ed36b5f0b9d

SHA1
2e42ed541e8dbbd57b2457f8ec5a08f21460da46

SHA256
b7668fb5a7cf67a487bcfad9cc58c78715899aab03e8216fbc377199eed7b08d

SHA512
b162af7cd8b8efcbc7adb574dea36b802458eead9dbaea4f83f85365ce4c2724ae13d1b58d7e553bf1bcbcb412fbf67408247eb8969d8d8dd62d4f9fb4e07359

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a5d363bb1785cf1fc10d2a773433c39

SHA1
3b4507b7e32d0ac83c4b25fdb8539a8498a2518a

SHA256
f84fe95d4649f367c850b3c6de7b032c75803af531fb3a67eeb69b9fd2006a2d

SHA512
b98184dfc23943f29b2632047beeb1fef36f7a5a1dc1da56dcba09d906d1f9cf1135d2b9e0022778e9325d994826fed37796605e144173856576d8d839b9917b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4d3bbf92f25a63e3774ca16a565cb5b

SHA1
13b5f7885536f9dad63d1efdbc2451bc4e55bf24

SHA256
cd2a48aa57a567dcc537716bd3d316f346fd69ba6b7f3ede75e8224e5ba86f8d

SHA512
2ab8ed9de5b975a49e6d7e2979bf53dd412b982ee76125ebbea9843f863df19a8073457fed31bcd7132de6f6055d2b3b4b83e80983addd80dd158a7aa216f68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab74C6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7565.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1820-47-0x0000000005050000-0x0000000005214000-memory.dmp

Filesize
1.8MB

Download
memory/1820-42-0x00000000772A0000-0x00000000772A1000-memory.dmp

Filesize
4KB

Download
memory/1820-30-0x00000000772C0000-0x00000000772C1000-memory.dmp

Filesize
4KB

Download
memory/1820-29-0x00000000772D0000-0x00000000772D1000-memory.dmp

Filesize
4KB

Download
memory/1820-28-0x00000000773A0000-0x00000000773A1000-memory.dmp

Filesize
4KB

Download
memory/1820-27-0x00000000777C0000-0x00000000777C1000-memory.dmp

Filesize
4KB

Download
memory/1820-24-0x00000000772F0000-0x00000000772F1000-memory.dmp

Filesize
4KB

Download
memory/1820-23-0x0000000077390000-0x0000000077391000-memory.dmp

Filesize
4KB

Download
memory/1820-22-0x0000000077360000-0x0000000077361000-memory.dmp

Filesize
4KB

Download
memory/1820-21-0x0000000077370000-0x0000000077371000-memory.dmp

Filesize
4KB

Download
memory/1820-20-0x0000000077320000-0x0000000077321000-memory.dmp

Filesize
4KB

Download
memory/1820-19-0x0000000077330000-0x0000000077331000-memory.dmp

Filesize
4KB

Download
memory/1820-18-0x0000000077300000-0x0000000077301000-memory.dmp

Filesize
4KB

Download
memory/1820-17-0x0000000077310000-0x0000000077311000-memory.dmp

Filesize
4KB

Download
memory/1820-15-0x00000000772E0000-0x00000000772E1000-memory.dmp

Filesize
4KB

Download
memory/1820-14-0x0000000077240000-0x0000000077241000-memory.dmp

Filesize
4KB

Download
memory/1820-13-0x0000000000750000-0x000000000075B000-memory.dmp

Filesize
44KB

Download
memory/1820-39-0x00000000772B0000-0x00000000772B1000-memory.dmp

Filesize
4KB

Download
memory/1820-40-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1820-33-0x0000000077210000-0x0000000077211000-memory.dmp

Filesize
4KB

Download
memory/1820-41-0x0000000003550000-0x0000000003651000-memory.dmp

Filesize
1.0MB

Download
memory/1820-43-0x0000000004BE0000-0x0000000004D7D000-memory.dmp

Filesize
1.6MB

Download
memory/1820-44-0x0000000004D80000-0x0000000004DA7000-memory.dmp

Filesize
156KB

Download
memory/1820-45-0x00000000036A0000-0x00000000036B2000-memory.dmp

Filesize
72KB

Download
memory/1820-46-0x0000000004F20000-0x0000000005044000-memory.dmp

Filesize
1.1MB

Download
memory/1820-32-0x0000000077220000-0x0000000077221000-memory.dmp

Filesize
4KB

Download
memory/1820-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1820-1-0x0000000003550000-0x0000000003651000-memory.dmp

Filesize
1.0MB

Download
memory/1820-6-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1820-4-0x0000000003550000-0x0000000003651000-memory.dmp

Filesize
1.0MB

Download
memory/1820-2-0x0000000003550000-0x0000000003651000-memory.dmp

Filesize
1.0MB

Download
memory/1820-16-0x00000000777B0000-0x00000000777B1000-memory.dmp

Filesize
4KB

Download
memory/1820-26-0x0000000077260000-0x0000000077261000-memory.dmp

Filesize
4KB

Download
memory/1820-25-0x0000000077270000-0x0000000077271000-memory.dmp

Filesize
4KB

Download
memory/1820-35-0x0000000003550000-0x0000000003651000-memory.dmp

Filesize
1.0MB

Download
memory/1820-31-0x0000000077230000-0x0000000077231000-memory.dmp

Filesize
4KB

Download
memory/1820-38-0x00000000773B0000-0x00000000773B1000-memory.dmp

Filesize
4KB

Download
memory/1820-37-0x00000000771E0000-0x00000000771E1000-memory.dmp

Filesize
4KB

Download
memory/1820-36-0x00000000771F0000-0x00000000771F1000-memory.dmp

Filesize
4KB

Download
memory/1820-34-0x0000000077200000-0x0000000077201000-memory.dmp

Filesize
4KB

Download
memory/2644-91-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-85-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-84-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-83-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-82-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-81-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-80-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-79-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-78-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-77-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-76-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-75-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-74-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-86-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-87-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-88-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-89-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-90-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-92-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-93-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-94-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-95-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-56-0x0000000010000000-0x0000000010101000-memory.dmp

Filesize
1.0MB

Download
memory/2644-55-0x0000000010000000-0x0000000010101000-memory.dmp

Filesize
1.0MB

Download
memory/2644-49-0x0000000010000000-0x0000000010101000-memory.dmp

Filesize
1.0MB

Download
memory/2644-54-0x0000000010000000-0x0000000010101000-memory.dmp

Filesize
1.0MB

Download
memory/2644-51-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/2644-73-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-72-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-71-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-68-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2644-65-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download