d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe
Size

88KB
MD5

a8aa99fec666e578a0961a3097cccc49
SHA1

352ecaaf9074d6cef69362991a1065fb9bb63011
SHA256

d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e
SHA512

d123299caeed70343ce091d0b26271d2d63701fb92f120f96d3f5b267a816b3a7f0fc844f9039e12bd0bf4612c6728fd9ecc49bc319926e0a434174c299674b3
SSDEEP

768:5vw9816thKQLroF4/wQkNrfrunMxVFA3V:lEG/0oFlbunMxVS3V

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exed98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe{8521231F-7661-4ee0-8149-1427C719A524}.exe{006E6770-4FC4-445f-BFA3-76EC55B8C6DF}.exe{C8A93A07-3F7B-4a96-AAE4-E34EA3855174}.exe{C3509517-7823-4636-9464-E702902A5E50}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}	{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3509517-7823-4636-9464-E702902A5E50}\stubpath = "C:\\Windows\\{C3509517-7823-4636-9464-E702902A5E50}.exe"	{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB40DCEE-6973-4593-B227-9EEB3F32D51B}	{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}	{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}\stubpath = "C:\\Windows\\{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exe"	{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{006E6770-4FC4-445f-BFA3-76EC55B8C6DF}	{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{006E6770-4FC4-445f-BFA3-76EC55B8C6DF}\stubpath = "C:\\Windows\\{006E6770-4FC4-445f-BFA3-76EC55B8C6DF}.exe"	{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8521231F-7661-4ee0-8149-1427C719A524}	d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}\stubpath = "C:\\Windows\\{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe"	{8521231F-7661-4ee0-8149-1427C719A524}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}\stubpath = "C:\\Windows\\{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe"	{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3509517-7823-4636-9464-E702902A5E50}	{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}\stubpath = "C:\\Windows\\{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe"	{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8A93A07-3F7B-4a96-AAE4-E34EA3855174}	{006E6770-4FC4-445f-BFA3-76EC55B8C6DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43F76AB6-EB46-41b9-A54A-A2FEEF84584C}	{C8A93A07-3F7B-4a96-AAE4-E34EA3855174}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8521231F-7661-4ee0-8149-1427C719A524}\stubpath = "C:\\Windows\\{8521231F-7661-4ee0-8149-1427C719A524}.exe"	d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43F76AB6-EB46-41b9-A54A-A2FEEF84584C}\stubpath = "C:\\Windows\\{43F76AB6-EB46-41b9-A54A-A2FEEF84584C}.exe"	{C8A93A07-3F7B-4a96-AAE4-E34EA3855174}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}	{C3509517-7823-4636-9464-E702902A5E50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}\stubpath = "C:\\Windows\\{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe"	{C3509517-7823-4636-9464-E702902A5E50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB40DCEE-6973-4593-B227-9EEB3F32D51B}\stubpath = "C:\\Windows\\{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe"	{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}	{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8A93A07-3F7B-4a96-AAE4-E34EA3855174}\stubpath = "C:\\Windows\\{C8A93A07-3F7B-4a96-AAE4-E34EA3855174}.exe"	{006E6770-4FC4-445f-BFA3-76EC55B8C6DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}	{8521231F-7661-4ee0-8149-1427C719A524}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2140 cmd.exe

pid	process
2140	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{8521231F-7661-4ee0-8149-1427C719A524}.exe{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe{C3509517-7823-4636-9464-E702902A5E50}.exe{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exe{006E6770-4FC4-445f-BFA3-76EC55B8C6DF}.exe{C8A93A07-3F7B-4a96-AAE4-E34EA3855174}.exe{43F76AB6-EB46-41b9-A54A-A2FEEF84584C}.exe

pid	process
2632	{8521231F-7661-4ee0-8149-1427C719A524}.exe
2828	{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe
2840	{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe
2728	{C3509517-7823-4636-9464-E702902A5E50}.exe
2496	{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe
1032	{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe
2020	{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe
2916	{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exe
1808	{006E6770-4FC4-445f-BFA3-76EC55B8C6DF}.exe
2124	{C8A93A07-3F7B-4a96-AAE4-E34EA3855174}.exe
1412	{43F76AB6-EB46-41b9-A54A-A2FEEF84584C}.exe

Drops file in Windows directory 11 IoCs

Processes:

d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe{006E6770-4FC4-445f-BFA3-76EC55B8C6DF}.exe{C8A93A07-3F7B-4a96-AAE4-E34EA3855174}.exe{8521231F-7661-4ee0-8149-1427C719A524}.exe{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe{C3509517-7823-4636-9464-E702902A5E50}.exe{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exe

description	ioc	process
File created	C:\Windows\{8521231F-7661-4ee0-8149-1427C719A524}.exe	d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe
File created	C:\Windows\{C3509517-7823-4636-9464-E702902A5E50}.exe	{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe
File created	C:\Windows\{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe	{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe
File created	C:\Windows\{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exe	{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe
File created	C:\Windows\{C8A93A07-3F7B-4a96-AAE4-E34EA3855174}.exe	{006E6770-4FC4-445f-BFA3-76EC55B8C6DF}.exe
File created	C:\Windows\{43F76AB6-EB46-41b9-A54A-A2FEEF84584C}.exe	{C8A93A07-3F7B-4a96-AAE4-E34EA3855174}.exe
File created	C:\Windows\{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe	{8521231F-7661-4ee0-8149-1427C719A524}.exe
File created	C:\Windows\{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe	{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe
File created	C:\Windows\{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe	{C3509517-7823-4636-9464-E702902A5E50}.exe
File created	C:\Windows\{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe	{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe
File created	C:\Windows\{006E6770-4FC4-445f-BFA3-76EC55B8C6DF}.exe	{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.execmd.exe{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.execmd.exe{C8A93A07-3F7B-4a96-AAE4-E34EA3855174}.execmd.exed98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe{8521231F-7661-4ee0-8149-1427C719A524}.execmd.exe{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.execmd.exe{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.execmd.execmd.exe{C3509517-7823-4636-9464-E702902A5E50}.execmd.execmd.execmd.execmd.exe{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exe{006E6770-4FC4-445f-BFA3-76EC55B8C6DF}.exe{43F76AB6-EB46-41b9-A54A-A2FEEF84584C}.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C8A93A07-3F7B-4a96-AAE4-E34EA3855174}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8521231F-7661-4ee0-8149-1427C719A524}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3509517-7823-4636-9464-E702902A5E50}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{006E6770-4FC4-445f-BFA3-76EC55B8C6DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{43F76AB6-EB46-41b9-A54A-A2FEEF84584C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe{8521231F-7661-4ee0-8149-1427C719A524}.exe{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe{C3509517-7823-4636-9464-E702902A5E50}.exe{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exe{006E6770-4FC4-445f-BFA3-76EC55B8C6DF}.exe{C8A93A07-3F7B-4a96-AAE4-E34EA3855174}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2240	d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe
Token: SeIncBasePriorityPrivilege	2632	{8521231F-7661-4ee0-8149-1427C719A524}.exe
Token: SeIncBasePriorityPrivilege	2828	{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe
Token: SeIncBasePriorityPrivilege	2840	{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe
Token: SeIncBasePriorityPrivilege	2728	{C3509517-7823-4636-9464-E702902A5E50}.exe
Token: SeIncBasePriorityPrivilege	2496	{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe
Token: SeIncBasePriorityPrivilege	1032	{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe
Token: SeIncBasePriorityPrivilege	2020	{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe
Token: SeIncBasePriorityPrivilege	2916	{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exe
Token: SeIncBasePriorityPrivilege	1808	{006E6770-4FC4-445f-BFA3-76EC55B8C6DF}.exe
Token: SeIncBasePriorityPrivilege	2124	{C8A93A07-3F7B-4a96-AAE4-E34EA3855174}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2240 wrote to memory of 2632	2240	d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe	{8521231F-7661-4ee0-8149-1427C719A524}.exe
PID 2240 wrote to memory of 2632	2240	d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe	{8521231F-7661-4ee0-8149-1427C719A524}.exe
PID 2240 wrote to memory of 2632	2240	d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe	{8521231F-7661-4ee0-8149-1427C719A524}.exe
PID 2240 wrote to memory of 2632	2240	d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe	{8521231F-7661-4ee0-8149-1427C719A524}.exe
PID 2240 wrote to memory of 2140	2240	d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe	cmd.exe
PID 2240 wrote to memory of 2140	2240	d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe	cmd.exe
PID 2240 wrote to memory of 2140	2240	d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe	cmd.exe
PID 2240 wrote to memory of 2140	2240	d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe	cmd.exe
PID 2632 wrote to memory of 2828	2632	{8521231F-7661-4ee0-8149-1427C719A524}.exe	{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe
PID 2632 wrote to memory of 2828	2632	{8521231F-7661-4ee0-8149-1427C719A524}.exe	{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe
PID 2632 wrote to memory of 2828	2632	{8521231F-7661-4ee0-8149-1427C719A524}.exe	{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe
PID 2632 wrote to memory of 2828	2632	{8521231F-7661-4ee0-8149-1427C719A524}.exe	{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe
PID 2632 wrote to memory of 2920	2632	{8521231F-7661-4ee0-8149-1427C719A524}.exe	cmd.exe
PID 2632 wrote to memory of 2920	2632	{8521231F-7661-4ee0-8149-1427C719A524}.exe	cmd.exe
PID 2632 wrote to memory of 2920	2632	{8521231F-7661-4ee0-8149-1427C719A524}.exe	cmd.exe
PID 2632 wrote to memory of 2920	2632	{8521231F-7661-4ee0-8149-1427C719A524}.exe	cmd.exe
PID 2828 wrote to memory of 2840	2828	{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe	{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe
PID 2828 wrote to memory of 2840	2828	{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe	{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe
PID 2828 wrote to memory of 2840	2828	{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe	{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe
PID 2828 wrote to memory of 2840	2828	{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe	{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe
PID 2828 wrote to memory of 2764	2828	{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe	cmd.exe
PID 2828 wrote to memory of 2764	2828	{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe	cmd.exe
PID 2828 wrote to memory of 2764	2828	{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe	cmd.exe
PID 2828 wrote to memory of 2764	2828	{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe	cmd.exe
PID 2840 wrote to memory of 2728	2840	{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe	{C3509517-7823-4636-9464-E702902A5E50}.exe
PID 2840 wrote to memory of 2728	2840	{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe	{C3509517-7823-4636-9464-E702902A5E50}.exe
PID 2840 wrote to memory of 2728	2840	{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe	{C3509517-7823-4636-9464-E702902A5E50}.exe
PID 2840 wrote to memory of 2728	2840	{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe	{C3509517-7823-4636-9464-E702902A5E50}.exe
PID 2840 wrote to memory of 2688	2840	{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe	cmd.exe
PID 2840 wrote to memory of 2688	2840	{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe	cmd.exe
PID 2840 wrote to memory of 2688	2840	{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe	cmd.exe
PID 2840 wrote to memory of 2688	2840	{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe	cmd.exe
PID 2728 wrote to memory of 2496	2728	{C3509517-7823-4636-9464-E702902A5E50}.exe	{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe
PID 2728 wrote to memory of 2496	2728	{C3509517-7823-4636-9464-E702902A5E50}.exe	{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe
PID 2728 wrote to memory of 2496	2728	{C3509517-7823-4636-9464-E702902A5E50}.exe	{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe
PID 2728 wrote to memory of 2496	2728	{C3509517-7823-4636-9464-E702902A5E50}.exe	{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe
PID 2728 wrote to memory of 2656	2728	{C3509517-7823-4636-9464-E702902A5E50}.exe	cmd.exe
PID 2728 wrote to memory of 2656	2728	{C3509517-7823-4636-9464-E702902A5E50}.exe	cmd.exe
PID 2728 wrote to memory of 2656	2728	{C3509517-7823-4636-9464-E702902A5E50}.exe	cmd.exe
PID 2728 wrote to memory of 2656	2728	{C3509517-7823-4636-9464-E702902A5E50}.exe	cmd.exe
PID 2496 wrote to memory of 1032	2496	{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe	{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe
PID 2496 wrote to memory of 1032	2496	{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe	{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe
PID 2496 wrote to memory of 1032	2496	{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe	{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe
PID 2496 wrote to memory of 1032	2496	{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe	{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe
PID 2496 wrote to memory of 2944	2496	{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe	cmd.exe
PID 2496 wrote to memory of 2944	2496	{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe	cmd.exe
PID 2496 wrote to memory of 2944	2496	{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe	cmd.exe
PID 2496 wrote to memory of 2944	2496	{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe	cmd.exe
PID 1032 wrote to memory of 2020	1032	{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe	{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe
PID 1032 wrote to memory of 2020	1032	{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe	{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe
PID 1032 wrote to memory of 2020	1032	{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe	{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe
PID 1032 wrote to memory of 2020	1032	{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe	{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe
PID 1032 wrote to memory of 2008	1032	{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe	cmd.exe
PID 1032 wrote to memory of 2008	1032	{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe	cmd.exe
PID 1032 wrote to memory of 2008	1032	{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe	cmd.exe
PID 1032 wrote to memory of 2008	1032	{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe	cmd.exe
PID 2020 wrote to memory of 2916	2020	{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe	{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exe
PID 2020 wrote to memory of 2916	2020	{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe	{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exe
PID 2020 wrote to memory of 2916	2020	{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe	{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exe
PID 2020 wrote to memory of 2916	2020	{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe	{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exe
PID 2020 wrote to memory of 2940	2020	{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe	cmd.exe
PID 2020 wrote to memory of 2940	2020	{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe	cmd.exe
PID 2020 wrote to memory of 2940	2020	{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe	cmd.exe
PID 2020 wrote to memory of 2940	2020	{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe
"C:\Users\Admin\AppData\Local\Temp\d98cfadd956da9584cf781b41a02295575cc9a8620d31404a54dd483792a5b4e.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\{8521231F-7661-4ee0-8149-1427C719A524}.exe
  C:\Windows\{8521231F-7661-4ee0-8149-1427C719A524}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe
    C:\Windows\{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe
      C:\Windows\{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\{C3509517-7823-4636-9464-E702902A5E50}.exe
        
        C:\Windows\{C3509517-7823-4636-9464-E702902A5E50}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Windows\{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe
        
        C:\Windows\{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe
        
        C:\Windows\{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe
        
        C:\Windows\{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exe
        
        C:\Windows\{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\{006E6770-4FC4-445f-BFA3-76EC55B8C6DF}.exe
        
        C:\Windows\{006E6770-4FC4-445f-BFA3-76EC55B8C6DF}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\{C8A93A07-3F7B-4a96-AAE4-E34EA3855174}.exe
        
        C:\Windows\{C8A93A07-3F7B-4a96-AAE4-E34EA3855174}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\{43F76AB6-EB46-41b9-A54A-A2FEEF84584C}.exe
        
        C:\Windows\{43F76AB6-EB46-41b9-A54A-A2FEEF84584C}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8A93~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{006E6~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E361~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CA58~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB40D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8FEC~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3509~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA016~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C0C7F~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{85212~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D98CFA~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{006E6770-4FC4-445f-BFA3-76EC55B8C6DF}.exe

Filesize
88KB

MD5
7067364ea62455983d9bd7a1c48a425b

SHA1
675e9be5b8748e1481c08ba5c5247e46023fff54

SHA256
fab6084642620282ebd26c321796fd7d6d89d6888e2c777089c0fe002ba9a51f

SHA512
26019188fdb640f69a75fcbd3418a93aa6975ec9f9177643a2b7960af44b20081b4bb07844439fcbf08a42e23e4ecfd7138c9bfa1f3f8fdb66faf72672e6ebb8

Download Submit
C:\Windows\{0E3614F5-E4ED-43cf-BB43-3AA646A8CE11}.exe

Filesize
88KB

MD5
ce5f60d184a5656f4dbea58d07f5a769

SHA1
e4885a7cb33709680e414b1e9908259ea58f6e60

SHA256
a89cd87aaf913d2a1f41584b285c43d78ae49fd64700f06ffbf65090562e7ef5

SHA512
32ddce47d7ac81f5ed7859ae3f71ec0c7657e6b57cd2f957d284a92a064610c8f97c2c223124d128401c947b7b6541d4720a5142c29260c139e014f219d8492f

Download Submit
C:\Windows\{43F76AB6-EB46-41b9-A54A-A2FEEF84584C}.exe

Filesize
88KB

MD5
d45a1c2dcc363a44aa7cb25a86cb9ede

SHA1
5a5634954a5d93f7a00a23653779b9af410327f4

SHA256
3cf249a129dab8bff203aa910763f6438e82ad0278c35d3943eaf08a07bb992e

SHA512
70f7cfb12427a98da25f489f4fb91a80be1231f4cc166067867dd8e03dba8debad11f81bb6ba7ccffabba605b00cca938ba001362f14248ddab65b736d15cca7

Download Submit
C:\Windows\{8521231F-7661-4ee0-8149-1427C719A524}.exe

Filesize
88KB

MD5
91b940e4cba6254a423aca5122c0e850

SHA1
a9e19d86a9179801f4edf1768f63f43a9f85344b

SHA256
581657603733dbdb99c37106989b94450d831c985507f47eac43f982d54ab7d0

SHA512
f06433d6a2ccd7de7651aeb151f07c6e8d00774148df7c16d9855f474049364ab4dc3ed87400d62ef3feeeaca8023d203cddc9067c3e0c9b290a716de7b2925b

Download Submit
C:\Windows\{9CA58BC7-F8AA-43a4-BF04-2593FAF516D8}.exe

Filesize
88KB

MD5
086ff5a530bfcff12dc993f5462167ae

SHA1
8c6c5f152996ee10ac45a05bf6ba825d9a881e6e

SHA256
29ef586145ebd8a96528d4bd5fc4e5deacfb114fe21dad5d7dde683126c5b430

SHA512
eac57f587c78e2d6d54b5d79a129ba79e4e67aeda9fcfe028b117a744bee71f2220f3cdaaca35b0316531cd4bdeb9b32c74b0d631e43529a510305fd0a80d0ce

Download Submit
C:\Windows\{A8FEC164-8557-4e49-AC24-285AF5BCBF6E}.exe

Filesize
88KB

MD5
7dbe8b9ad5691f0852da6ec21864e0f1

SHA1
e7266aa1fbabce4e4c43e56ccd42e8f93494196c

SHA256
21c192f76b8f19757981979f9c22cfb472f88094bb7fb01f931ebbc1b2f5d966

SHA512
82f25456ba6da6e15e671e414a8569d37c5f6c37823b75c3bfeec2d6faaf8cd51f850da7887cd0ee055188a150c91e26a99996cbc28232f1181fcd4c770fb032

Download Submit
C:\Windows\{C0C7FBC8-3B13-454a-B7C6-5BC7D60298EF}.exe

Filesize
88KB

MD5
3518f8f2271fb8ba07275a4c65953b20

SHA1
ffd25e97e1f781beca4eb7936eb6400ffcbd4294

SHA256
506b47419d3a9bbd227662d9210ca4f065cb0cf6564ab7b1014acdc9419d0863

SHA512
b2a19e9722eaa086cd61b180d60ae713dfba97451604316feef4bb7ba09811deac3d55bb63f0fa5f76b986c85e758b83976638dc078a8935fb82216b059ef57a

Download Submit
C:\Windows\{C3509517-7823-4636-9464-E702902A5E50}.exe

Filesize
88KB

MD5
1b467f5dd6e311e67042a3a5f20df681

SHA1
7cd639897d58518abe552e3cc657c961746aee91

SHA256
6c69f363235ed8762cf31e96d3cd6fcbf8cef7c33b195dc02d269867f1685dc8

SHA512
b6504d90b69417cf307b9d07f171d17f72afbf5751f3f8727ddcacafbd107440a146280562af10b1334b56592bda4923729835b712fa2702d363acc86f025525

Download Submit
C:\Windows\{C8A93A07-3F7B-4a96-AAE4-E34EA3855174}.exe

Filesize
88KB

MD5
781c6592913e6b2406a6306abde9deab

SHA1
a4d059a30e7cac1e4fc94658e94184c0f71a47b7

SHA256
23935ad36d236851026e24d017aa69dd96de36daeb48140ad9a437c0f0fed338

SHA512
b91613d41777fade353d3723fedaad24bd6f6012e592bbfbb0e7ae0f3a2bbc725606b6841848c1b51a35e7bc31677f2c8033804e56972979a0d5b87a9b50f702

Download Submit
C:\Windows\{EA016A1D-15D4-4b0b-9DF5-8585AA7BE8C3}.exe

Filesize
88KB

MD5
5354f58efbbbccc9a025bd2a3bef9687

SHA1
d6a8c47237ec394b94cece390938944107f80a27

SHA256
f203bb7205e3fa1673c08d34e3d621e9b723fc0792620aef8522115f241b0e36

SHA512
7967c9c32e8fe4d4f8be2c0bb91034843e7a2fa40e86e775aef0deaa451b83b3611a43a95eacf87c1fe838920966b08acc44cab56481f4d1cd8262fd85d0471d

Download Submit
C:\Windows\{FB40DCEE-6973-4593-B227-9EEB3F32D51B}.exe

Filesize
88KB

MD5
3890526677839a7f7e8cba96ee7eacc4

SHA1
7eb66244f6e28c8f50286d3b6c47687e19cda4d0

SHA256
8fc5c99b022220a86c26a614875319572db3ea8dacff724ff4c9d710a8ed56fb

SHA512
ef40187dbf6d10dafdd07b41c5281f15feb4b149a6e3d9b4ae536b7ee05ae034aea93947c190e5bf4b1b195f8a52167146c1327a79fe4e66cd8215339ad35ca2

Download Submit
memory/1032-62-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/1032-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1808-87-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1808-91-0x00000000002E0000-0x00000000002F1000-memory.dmp

Filesize
68KB

Download
memory/1808-93-0x00000000002E0000-0x00000000002F1000-memory.dmp

Filesize
68KB

Download
memory/1808-97-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2020-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2020-71-0x0000000000350000-0x0000000000361000-memory.dmp

Filesize
68KB

Download
memory/2124-105-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2124-101-0x0000000000250000-0x0000000000261000-memory.dmp

Filesize
68KB

Download
memory/2240-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2240-3-0x0000000001B60000-0x0000000001B71000-memory.dmp

Filesize
68KB

Download
memory/2240-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2240-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2496-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2496-52-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2496-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2632-13-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2632-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2728-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2728-48-0x0000000000360000-0x0000000000371000-memory.dmp

Filesize
68KB

Download
memory/2728-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2728-42-0x0000000000360000-0x0000000000371000-memory.dmp

Filesize
68KB

Download
memory/2828-23-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2828-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2828-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2840-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2840-32-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/2916-80-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2916-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2916-84-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download