e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374e

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Size

76KB
MD5

1b4ef5b81501f757d751a986c6fbc4f0
SHA1

2c52e7cebe085f8576498aeee0d69b4d4e109647
SHA256

e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374e
SHA512

3a86d87718c5e67e9981804c26d4f0dfd55a2d94b8d34d6de7df0ece8f03bdf79d8a84d21ffe0a7c1ace1f7915402ac1e2f2720af6ffa335d15db63ae6255df0
SSDEEP

1536:v70ak+ddygXAyy9v7Z+NoykJHBOAFRfBjG3ldoIW:T0aXdfXAyy9DZ+N7eB+IIW

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

SVCHOST.EXESVCHOST.EXEe62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exeSPOOLSV.EXE

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	SVCHOST.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

SVCHOST.EXEe62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exeSPOOLSV.EXESVCHOST.EXE

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SPOOLSV.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exeSPOOLSV.EXESVCHOST.EXESVCHOST.EXE

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE

Executes dropped EXE 12 IoCs

Processes:

SVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESPOOLSV.EXESVCHOST.EXESPOOLSV.EXE

pid	Process
3004	SVCHOST.EXE
2704	SVCHOST.EXE
2852	SVCHOST.EXE
2584	SVCHOST.EXE
2612	SVCHOST.EXE
2712	SPOOLSV.EXE
2640	SVCHOST.EXE
2968	SVCHOST.EXE
1764	SPOOLSV.EXE
1852	SPOOLSV.EXE
1868	SVCHOST.EXE
1940	SPOOLSV.EXE

Loads dropped DLL 21 IoCs

Processes:

e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exeSVCHOST.EXESVCHOST.EXESPOOLSV.EXE

pid	Process
2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
3004	SVCHOST.EXE
3004	SVCHOST.EXE
3004	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2712	SPOOLSV.EXE
2712	SPOOLSV.EXE
2712	SPOOLSV.EXE
2712	SPOOLSV.EXE
2712	SPOOLSV.EXE
3004	SVCHOST.EXE
3004	SVCHOST.EXE
2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe

description	ioc	Process
File opened for modification	C:\Recycled\desktop.ini	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened for modification	F:\Recycled\desktop.ini	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SPOOLSV.EXEe62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exeSVCHOST.EXESVCHOST.EXE

description	ioc	Process
File opened (read-only)	\??\Q:	SPOOLSV.EXE
File opened (read-only)	\??\I:	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\T:	SVCHOST.EXE
File opened (read-only)	\??\E:	SPOOLSV.EXE
File opened (read-only)	\??\X:	SPOOLSV.EXE
File opened (read-only)	\??\Y:	SPOOLSV.EXE
File opened (read-only)	\??\Z:	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\O:	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened (read-only)	\??\R:	SVCHOST.EXE
File opened (read-only)	\??\L:	SPOOLSV.EXE
File opened (read-only)	\??\Q:	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened (read-only)	\??\T:	SVCHOST.EXE
File opened (read-only)	\??\E:	SVCHOST.EXE
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\H:	SVCHOST.EXE
File opened (read-only)	\??\R:	SPOOLSV.EXE
File opened (read-only)	\??\U:	SPOOLSV.EXE
File opened (read-only)	\??\W:	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened (read-only)	\??\Y:	SVCHOST.EXE
File opened (read-only)	\??\J:	SVCHOST.EXE
File opened (read-only)	\??\K:	SVCHOST.EXE
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\O:	SVCHOST.EXE
File opened (read-only)	\??\O:	SPOOLSV.EXE
File opened (read-only)	\??\N:	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened (read-only)	\??\P:	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened (read-only)	\??\E:	SVCHOST.EXE
File opened (read-only)	\??\I:	SPOOLSV.EXE
File opened (read-only)	\??\J:	SPOOLSV.EXE
File opened (read-only)	\??\P:	SPOOLSV.EXE
File opened (read-only)	\??\H:	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\Y:	SVCHOST.EXE
File opened (read-only)	\??\M:	SPOOLSV.EXE
File opened (read-only)	\??\L:	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\N:	SPOOLSV.EXE
File opened (read-only)	\??\W:	SPOOLSV.EXE
File opened (read-only)	\??\K:	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened (read-only)	\??\S:	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened (read-only)	\??\O:	SVCHOST.EXE
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\H:	SPOOLSV.EXE
File opened (read-only)	\??\V:	SPOOLSV.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\R:	SVCHOST.EXE
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\S:	SPOOLSV.EXE
File opened (read-only)	\??\T:	SPOOLSV.EXE
File opened (read-only)	\??\G:	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened (read-only)	\??\R:	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened (read-only)	\??\T:	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened (read-only)	\??\U:	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened (read-only)	\??\Y:	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe

Drops file in Windows directory 6 IoCs

Processes:

SVCHOST.EXESPOOLSV.EXEWINWORD.EXEe62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exeSVCHOST.EXE

description	ioc	Process
File opened for modification	C:\Windows\Fonts\ Explorer.exe	SVCHOST.EXE
File opened for modification	C:\Windows\Fonts\ Explorer.exe	SPOOLSV.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\Fonts\ Explorer.exe	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened for modification	C:\Windows\Fonts\ Explorer.exe	SVCHOST.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

SVCHOST.EXESVCHOST.EXESPOOLSV.EXEWINWORD.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESPOOLSV.EXESPOOLSV.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEe62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 28 IoCs

Processes:

e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exeSVCHOST.EXESPOOLSV.EXESVCHOST.EXE

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SPOOLSV.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG\COMMAND	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SVCHOST.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL\COMMAND	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid	Process
1668	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SVCHOST.EXESVCHOST.EXEe62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exeSPOOLSV.EXE

pid	Process
3004	SVCHOST.EXE
3004	SVCHOST.EXE
3004	SVCHOST.EXE
3004	SVCHOST.EXE
3004	SVCHOST.EXE
3004	SVCHOST.EXE
3004	SVCHOST.EXE
3004	SVCHOST.EXE
3004	SVCHOST.EXE
3004	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
2712	SPOOLSV.EXE
2712	SPOOLSV.EXE
2712	SPOOLSV.EXE
2712	SPOOLSV.EXE
2712	SPOOLSV.EXE
2712	SPOOLSV.EXE
2712	SPOOLSV.EXE
2712	SPOOLSV.EXE
2712	SPOOLSV.EXE
2712	SPOOLSV.EXE
3004	SVCHOST.EXE
3004	SVCHOST.EXE
3004	SVCHOST.EXE
3004	SVCHOST.EXE
3004	SVCHOST.EXE
3004	SVCHOST.EXE
3004	SVCHOST.EXE
3004	SVCHOST.EXE
3004	SVCHOST.EXE
3004	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2852	SVCHOST.EXE
2712	SPOOLSV.EXE
2712	SPOOLSV.EXE
2712	SPOOLSV.EXE
2712	SPOOLSV.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESPOOLSV.EXESVCHOST.EXESPOOLSV.EXEWINWORD.EXE

pid	Process
2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
3004	SVCHOST.EXE
2704	SVCHOST.EXE
2852	SVCHOST.EXE
2584	SVCHOST.EXE
2612	SVCHOST.EXE
2712	SPOOLSV.EXE
2640	SVCHOST.EXE
2968	SVCHOST.EXE
1764	SPOOLSV.EXE
1852	SPOOLSV.EXE
1868	SVCHOST.EXE
1940	SPOOLSV.EXE
1668	WINWORD.EXE
1668	WINWORD.EXE

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exeSVCHOST.EXESVCHOST.EXESPOOLSV.EXEWINWORD.EXE

description	pid	Process	procid_target
PID 2084 wrote to memory of 3004	2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe	30
PID 2084 wrote to memory of 3004	2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe	30
PID 2084 wrote to memory of 3004	2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe	30
PID 2084 wrote to memory of 3004	2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe	30
PID 3004 wrote to memory of 2704	3004	SVCHOST.EXE	31
PID 3004 wrote to memory of 2704	3004	SVCHOST.EXE	31
PID 3004 wrote to memory of 2704	3004	SVCHOST.EXE	31
PID 3004 wrote to memory of 2704	3004	SVCHOST.EXE	31
PID 3004 wrote to memory of 2852	3004	SVCHOST.EXE	32
PID 3004 wrote to memory of 2852	3004	SVCHOST.EXE	32
PID 3004 wrote to memory of 2852	3004	SVCHOST.EXE	32
PID 3004 wrote to memory of 2852	3004	SVCHOST.EXE	32
PID 2852 wrote to memory of 2584	2852	SVCHOST.EXE	33
PID 2852 wrote to memory of 2584	2852	SVCHOST.EXE	33
PID 2852 wrote to memory of 2584	2852	SVCHOST.EXE	33
PID 2852 wrote to memory of 2584	2852	SVCHOST.EXE	33
PID 2852 wrote to memory of 2612	2852	SVCHOST.EXE	34
PID 2852 wrote to memory of 2612	2852	SVCHOST.EXE	34
PID 2852 wrote to memory of 2612	2852	SVCHOST.EXE	34
PID 2852 wrote to memory of 2612	2852	SVCHOST.EXE	34
PID 2852 wrote to memory of 2712	2852	SVCHOST.EXE	35
PID 2852 wrote to memory of 2712	2852	SVCHOST.EXE	35
PID 2852 wrote to memory of 2712	2852	SVCHOST.EXE	35
PID 2852 wrote to memory of 2712	2852	SVCHOST.EXE	35
PID 2712 wrote to memory of 2640	2712	SPOOLSV.EXE	36
PID 2712 wrote to memory of 2640	2712	SPOOLSV.EXE	36
PID 2712 wrote to memory of 2640	2712	SPOOLSV.EXE	36
PID 2712 wrote to memory of 2640	2712	SPOOLSV.EXE	36
PID 2712 wrote to memory of 2968	2712	SPOOLSV.EXE	37
PID 2712 wrote to memory of 2968	2712	SPOOLSV.EXE	37
PID 2712 wrote to memory of 2968	2712	SPOOLSV.EXE	37
PID 2712 wrote to memory of 2968	2712	SPOOLSV.EXE	37
PID 2712 wrote to memory of 1764	2712	SPOOLSV.EXE	38
PID 2712 wrote to memory of 1764	2712	SPOOLSV.EXE	38
PID 2712 wrote to memory of 1764	2712	SPOOLSV.EXE	38
PID 2712 wrote to memory of 1764	2712	SPOOLSV.EXE	38
PID 3004 wrote to memory of 1852	3004	SVCHOST.EXE	39
PID 3004 wrote to memory of 1852	3004	SVCHOST.EXE	39
PID 3004 wrote to memory of 1852	3004	SVCHOST.EXE	39
PID 3004 wrote to memory of 1852	3004	SVCHOST.EXE	39
PID 2084 wrote to memory of 1868	2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe	40
PID 2084 wrote to memory of 1868	2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe	40
PID 2084 wrote to memory of 1868	2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe	40
PID 2084 wrote to memory of 1868	2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe	40
PID 2084 wrote to memory of 1940	2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe	41
PID 2084 wrote to memory of 1940	2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe	41
PID 2084 wrote to memory of 1940	2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe	41
PID 2084 wrote to memory of 1940	2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe	41
PID 2084 wrote to memory of 1668	2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe	42
PID 2084 wrote to memory of 1668	2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe	42
PID 2084 wrote to memory of 1668	2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe	42
PID 2084 wrote to memory of 1668	2084	e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe	42
PID 1668 wrote to memory of 292	1668	WINWORD.EXE	44
PID 1668 wrote to memory of 292	1668	WINWORD.EXE	44
PID 1668 wrote to memory of 292	1668	WINWORD.EXE	44
PID 1668 wrote to memory of 292	1668	WINWORD.EXE	44

C:\Users\Admin\AppData\Local\Temp\e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
"C:\Users\Admin\AppData\Local\Temp\e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\recycled\SVCHOST.EXE
  C:\recycled\SVCHOST.EXE :agent
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\recycled\SVCHOST.EXE
    C:\recycled\SVCHOST.EXE :agent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2704
- - F:\recycled\SVCHOST.EXE
    F:\recycled\SVCHOST.EXE :agent
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2584
  - - F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2612
  - - C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\recycled\SVCHOST.EXE
        
        C:\recycled\SVCHOST.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2640
    - - F:\recycled\SVCHOST.EXE
        
        F:\recycled\SVCHOST.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2968
    - - C:\recycled\SPOOLSV.EXE
        
        C:\recycled\SPOOLSV.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1764
- - C:\recycled\SPOOLSV.EXE
    C:\recycled\SPOOLSV.EXE :agent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1852
- F:\recycled\SVCHOST.EXE
  F:\recycled\SVCHOST.EXE :agent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1868
- C:\recycled\SPOOLSV.EXE
  C:\recycled\SPOOLSV.EXE :agent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1940
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.doc"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recycled\SPOOLSV.EXE

Filesize
76KB

MD5
a319f7059aa01384af800814eb3e643f

SHA1
60c9bace786705712af571415e522e51b3093e1c

SHA256
9f893cbc57854012a7ac757e14be202eb5bfef711444d482c85f4e5fc1bb5a06

SHA512
5f8bc5eaaff1ea9ebe19013f9b0adf14ebea01c9c6cc1b8a8a075788be31fd7f281b310dc2c2eea089b0bd776d4f01c477bc24e522f69ce05c4db23b3f558dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
2KB

MD5
1a1dce35d60d2c70ca8894954fd5d384

SHA1
58547dd65d506c892290755010d0232da34ee000

SHA256
2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

SHA512
4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

Download Submit
C:\Windows\Fonts\ Explorer.exe

Filesize
76KB

MD5
44f7f47ee2a45fcd141b39f883760b64

SHA1
78ca7ae96506cc01377a4d62e5bd5dbbd125c086

SHA256
047de47e72d95efb7610dc2ab4864411fd516407b3cf7fb930f42aa4b3d8032f

SHA512
1da6eeaac6e0d686a132a1579f1cc527435b518152db3a8e7e6dcae7fdb3345b6b558652f397e49b771802b8839ffc0a50ee264abbd1d105625f93e49dd3824d

Download Submit
C:\Windows\Fonts\ Explorer.exe

Filesize
76KB

MD5
09091cf40b579e0e63e51b63fb00b3cb

SHA1
ff1bb2cd40c5e95b2ec91ad4d3c8c445bc073c8c

SHA256
3abaf0c450bc362bd5be8bef60d2a356c1572e75c4afe7fb22c4d0895ddb9edd

SHA512
17dc70009d5768e9a0773b61c938cc42be4e7dff1aaf0fd8dd41c28fb105da61ce12bb5b8e009a03b8afcf5fc2b2f9f1de2205bd2481676e02f000979e2502a8

Download Submit
C:\Windows\Fonts\ Explorer.exe

Filesize
76KB

MD5
bb61abe37ed2932b9442966a2c7c325d

SHA1
8f563c807a6ad33c7c3effca27d95e0981948b37

SHA256
4271ee14401bc7edb6c886f021b49a09ece00fdf12077f9f6bb929d177474184

SHA512
2be6956a5355e41f081666e754eb469f5427c8dc1e267f3be928480f231ae48b0e2a68451bc002242b84bacd0bd5b5166bfa56df76c2f29c4d5f9824876a8c73

Download Submit
C:\begolu.txt

Filesize
2B

MD5
2b9d4fa85c8e82132bde46b143040142

SHA1
a02431cf7c501a5b368c91e41283419d8fa9fb03

SHA256
4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

SHA512
c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

Download Submit
F:\Recycled\SVCHOST.EXE

Filesize
76KB

MD5
794102224f571ae7a10e530040df7ff4

SHA1
a83aad6952ce256b01ad84217fbaf210564c8bf7

SHA256
addd309020de3d1a1d44fb04a77daf9de7cc8d55c3d905b7d94b40616d8fadbd

SHA512
05e767f673685f761d5dfc264cc488af0019f16f27eaff25649db587f42534ab1b3d27c58688e27bf166cf9b7bb3948016591d3aeb6bc276508bfa66df206685

Download Submit
\Recycled\SVCHOST.EXE

Filesize
76KB

MD5
cff946405c45745d0821f28aa78fc187

SHA1
288e8cd5a28c9f223a5f79725c33891976b04edd

SHA256
443a8a4c7c7c2d36532e23451234778fcef850b9f15cb874c9c7279762105456

SHA512
fc0b0a531d378f74dedb47b30ce3cd645c9626e4fc3237f42f75d5bf87f7c3d4954d3f91cc178f08b272cc58ce03c4e909e6846a009f8b759186d71b79ae842c

Download Submit
memory/1668-121-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1764-97-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1852-104-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1868-111-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1940-117-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2084-118-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/2084-114-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/2084-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2084-120-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2084-22-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/2084-23-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/2584-64-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2612-62-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2612-69-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2640-85-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2704-40-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2712-86-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2712-91-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2712-183-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2712-189-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2712-188-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2712-79-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2712-184-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2852-68-0x0000000000470000-0x000000000048A000-memory.dmp

Filesize
104KB

Download
memory/2852-54-0x0000000000470000-0x000000000048A000-memory.dmp

Filesize
104KB

Download
memory/2852-53-0x0000000000470000-0x000000000048A000-memory.dmp

Filesize
104KB

Download
memory/2852-61-0x0000000000470000-0x000000000048A000-memory.dmp

Filesize
104KB

Download
memory/2852-45-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2852-175-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2852-182-0x0000000000470000-0x000000000048A000-memory.dmp

Filesize
104KB

Download
memory/2968-93-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3004-43-0x00000000007A0000-0x00000000007BA000-memory.dmp

Filesize
104KB

Download
memory/3004-174-0x00000000007A0000-0x00000000007BA000-memory.dmp

Filesize
104KB

Download
memory/3004-173-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3004-25-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3004-34-0x00000000007A0000-0x00000000007BA000-memory.dmp

Filesize
104KB

Download
memory/3004-99-0x00000000007A0000-0x00000000007BA000-memory.dmp

Filesize
104KB

Download
memory/3004-100-0x00000000007A0000-0x00000000007BA000-memory.dmp

Filesize
104KB

Download
memory/3004-193-0x00000000007A0000-0x00000000007BA000-memory.dmp

Filesize
104KB

Download