xred | 7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed

Analysis

max time kernel
120s
max time network
109s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Size

4.1MB
MD5

d7a3723ed09e9d1510f75ca35aba5ea7
SHA1

b6265bc2091d20ed0a3715f0bb47371d49f9c65f
SHA256

7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed
SHA512

e02e9729de1f37bf8369c0869c3dc11c65f91a8a3a11ee463b26fb8fbd878fe1acb9ee7da32177ad726b7fc13ec7e96892ac3145cf96fe0dfa05c6313d5d836a
SSDEEP

98304:Vnsmtk2aEXzhW148Pd+Tf1mpcOldJQ3/V11v3jypj:pLnFK4s0TfLOdo/HV3epj

Score

10^/10

xred backdoor discovery evasion macro persistence themida trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource
C:\Users\Admin\AppData\Local\Temp\vIFmFsQG.xlsm

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

icsys.icn.exespoolsv.exesvchost.exe._cache_Synaptics.exespoolsv.exe._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe

Executes dropped EXE 11 IoCs

Processes:

._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exespoolsv.exe._cache_synaptics.exe svchost.exespoolsv.exe._cache_synaptics.exe

pid	process
2612	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
1804	Synaptics.exe
2792	._cache_Synaptics.exe
1988	._cache_synaptics.exe
2708	icsys.icn.exe
1928	explorer.exe
3032	spoolsv.exe
1856	._cache_synaptics.exe
2744	svchost.exe
3020	spoolsv.exe
2716	._cache_synaptics.exe

Loads dropped DLL 11 IoCs

Processes:

7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeSynaptics.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid	process
2368	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
2368	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
2368	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
1804	Synaptics.exe
1804	Synaptics.exe
2792	._cache_Synaptics.exe
2792	._cache_Synaptics.exe
2708	icsys.icn.exe
1928	explorer.exe
3032	spoolsv.exe
2744	svchost.exe

Themida packer 21 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	themida
behavioral1/memory/2612-18-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\Windows\Resources\Themes\icsys.icn.exe	themida
\Windows\Resources\Themes\explorer.exe	themida
behavioral1/memory/1928-72-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\Windows\Resources\spoolsv.exe	themida
C:\Windows\Resources\svchost.exe	themida
behavioral1/memory/2744-105-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2612-101-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/3032-84-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2792-117-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/3020-116-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2792-125-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2708-123-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/3032-121-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1928-134-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2744-137-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1928-139-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1928-243-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2744-244-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1928-252-0x0000000000400000-0x0000000000A16000-memory.dmp	themida

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2612	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
2792	._cache_Synaptics.exe
2708	icsys.icn.exe
1928	explorer.exe
3032	spoolsv.exe
2744	svchost.exe
3020	spoolsv.exe

Drops file in Windows directory 6 IoCs

Processes:

._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exemakecab.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20241125013108.cab	makecab.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Synaptics.exeicsys.icn.exeEXCEL.EXE._cache_synaptics.exe schtasks.exe7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe._cache_Synaptics.exeexplorer.exeschtasks.exe._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe._cache_synaptics.exe spoolsv.exesvchost.exespoolsv.exe._cache_synaptics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1496 schtasks.exe
3048 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1264 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1496	schtasks.exe
3048	schtasks.exe

pid	process
1264	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exesvchost.exe

pid	process
2792	._cache_Synaptics.exe
2792	._cache_Synaptics.exe
2792	._cache_Synaptics.exe
2792	._cache_Synaptics.exe
2792	._cache_Synaptics.exe
2792	._cache_Synaptics.exe
2792	._cache_Synaptics.exe
2792	._cache_Synaptics.exe
2792	._cache_Synaptics.exe
2792	._cache_Synaptics.exe
2792	._cache_Synaptics.exe
2792	._cache_Synaptics.exe
2792	._cache_Synaptics.exe
2792	._cache_Synaptics.exe
2792	._cache_Synaptics.exe
2792	._cache_Synaptics.exe
1988	._cache_synaptics.exe
1988	._cache_synaptics.exe
2708	icsys.icn.exe
2708	icsys.icn.exe
2708	icsys.icn.exe
2708	icsys.icn.exe
2708	icsys.icn.exe
2708	icsys.icn.exe
2708	icsys.icn.exe
2708	icsys.icn.exe
2708	icsys.icn.exe
2708	icsys.icn.exe
2708	icsys.icn.exe
2708	icsys.icn.exe
2708	icsys.icn.exe
2708	icsys.icn.exe
2708	icsys.icn.exe
2708	icsys.icn.exe
2708	icsys.icn.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1928 explorer.exe
2744 svchost.exe

pid	process
1928	explorer.exe
2744	svchost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

._cache_synaptics.exe ._cache_synaptics.exe

description	pid	process
Token: SeDebugPrivilege	1988	._cache_synaptics.exe
Token: SeAssignPrimaryTokenPrivilege	1988	._cache_synaptics.exe
Token: SeIncreaseQuotaPrivilege	1988	._cache_synaptics.exe
Token: 0	1988	._cache_synaptics.exe
Token: SeDebugPrivilege	1856	._cache_synaptics.exe
Token: SeAssignPrimaryTokenPrivilege	1856	._cache_synaptics.exe
Token: SeIncreaseQuotaPrivilege	1856	._cache_synaptics.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeEXCEL.EXE

pid	process
2792	._cache_Synaptics.exe
2792	._cache_Synaptics.exe
2708	icsys.icn.exe
2708	icsys.icn.exe
1928	explorer.exe
1928	explorer.exe
3032	spoolsv.exe
3032	spoolsv.exe
2744	svchost.exe
2744	svchost.exe
3020	spoolsv.exe
3020	spoolsv.exe
1264	EXCEL.EXE

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeSynaptics.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2368 wrote to memory of 2612	2368	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
PID 2368 wrote to memory of 2612	2368	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
PID 2368 wrote to memory of 2612	2368	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
PID 2368 wrote to memory of 2612	2368	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
PID 2368 wrote to memory of 1804	2368	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	Synaptics.exe
PID 2368 wrote to memory of 1804	2368	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	Synaptics.exe
PID 2368 wrote to memory of 1804	2368	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	Synaptics.exe
PID 2368 wrote to memory of 1804	2368	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	Synaptics.exe
PID 1804 wrote to memory of 2792	1804	Synaptics.exe	._cache_Synaptics.exe
PID 1804 wrote to memory of 2792	1804	Synaptics.exe	._cache_Synaptics.exe
PID 1804 wrote to memory of 2792	1804	Synaptics.exe	._cache_Synaptics.exe
PID 1804 wrote to memory of 2792	1804	Synaptics.exe	._cache_Synaptics.exe
PID 2792 wrote to memory of 1988	2792	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2792 wrote to memory of 1988	2792	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2792 wrote to memory of 1988	2792	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2792 wrote to memory of 1988	2792	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2792 wrote to memory of 2708	2792	._cache_Synaptics.exe	icsys.icn.exe
PID 2792 wrote to memory of 2708	2792	._cache_Synaptics.exe	icsys.icn.exe
PID 2792 wrote to memory of 2708	2792	._cache_Synaptics.exe	icsys.icn.exe
PID 2792 wrote to memory of 2708	2792	._cache_Synaptics.exe	icsys.icn.exe
PID 2708 wrote to memory of 1928	2708	icsys.icn.exe	explorer.exe
PID 2708 wrote to memory of 1928	2708	icsys.icn.exe	explorer.exe
PID 2708 wrote to memory of 1928	2708	icsys.icn.exe	explorer.exe
PID 2708 wrote to memory of 1928	2708	icsys.icn.exe	explorer.exe
PID 1928 wrote to memory of 3032	1928	explorer.exe	spoolsv.exe
PID 1928 wrote to memory of 3032	1928	explorer.exe	spoolsv.exe
PID 1928 wrote to memory of 3032	1928	explorer.exe	spoolsv.exe
PID 1928 wrote to memory of 3032	1928	explorer.exe	spoolsv.exe
PID 3032 wrote to memory of 2744	3032	spoolsv.exe	svchost.exe
PID 3032 wrote to memory of 2744	3032	spoolsv.exe	svchost.exe
PID 3032 wrote to memory of 2744	3032	spoolsv.exe	svchost.exe
PID 3032 wrote to memory of 2744	3032	spoolsv.exe	svchost.exe
PID 2744 wrote to memory of 3020	2744	svchost.exe	spoolsv.exe
PID 2744 wrote to memory of 3020	2744	svchost.exe	spoolsv.exe
PID 2744 wrote to memory of 3020	2744	svchost.exe	spoolsv.exe
PID 2744 wrote to memory of 3020	2744	svchost.exe	spoolsv.exe
PID 1928 wrote to memory of 2448	1928	explorer.exe	Explorer.exe
PID 1928 wrote to memory of 2448	1928	explorer.exe	Explorer.exe
PID 1928 wrote to memory of 2448	1928	explorer.exe	Explorer.exe
PID 1928 wrote to memory of 2448	1928	explorer.exe	Explorer.exe
PID 2744 wrote to memory of 1496	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 1496	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 1496	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 1496	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 3048	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 3048	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 3048	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 3048	2744	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
"C:\Users\Admin\AppData\Local\Temp\7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:2612
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
      c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1988
    - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        "c:\users\admin\appdata\local\temp\._cache_synaptics.exe " InjUpdate
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
      - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        "c:\users\admin\appdata\local\temp\._cache_synaptics.exe " /TI/ InjUpdate
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2716
  - - C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2708
    - - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        7⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3020
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:33 /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1496
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:34 /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3048
      - C:\Windows\Explorer.exe
        
        C:\Windows\Explorer.exe
        6⤵
        
        PID:2448

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241125013108.log C:\Windows\Logs\CBS\CbsPersist_20241125013108.cab
1⤵
- Drops file in Windows directory
PID:1908

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.1MB

MD5
d7a3723ed09e9d1510f75ca35aba5ea7

SHA1
b6265bc2091d20ed0a3715f0bb47371d49f9c65f

SHA256
7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed

SHA512
e02e9729de1f37bf8369c0869c3dc11c65f91a8a3a11ee463b26fb8fbd878fe1acb9ee7da32177ad726b7fc13ec7e96892ac3145cf96fe0dfa05c6313d5d836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe

Filesize
3.3MB

MD5
923d00022b92bfbc27f875cf19f03e10

SHA1
5b015ccd1eaf741ef16dc1d7bc97d53dc8cfca98

SHA256
26902e46a1dda71d501c54d348dc242adf97032c630199307f8b432eed4afde6

SHA512
274011c0320b7f242a5e7aac066b7a8b10f4d08b657b4cc348630d7e84dc7e9c2fd260f6d1e818cdcb9eedb30ca374d8f0a6717b95e0388e12fdac96fd6dfb38

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIFmFsQG.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIFmFsQG.xlsm

Filesize
24KB

MD5
b7f250c1ecf2cbf835f64a91793b53d8

SHA1
545d8afc630df3bd47e5715a62ac738663143acb

SHA256
3945333e157536e1cc63c075911871cb3b185a7d112de833b2ddb279cbef3ca4

SHA512
361fd1503f5b58bdd337d0744fc425384a62d290082e2b7b171340a9b9fc478bade75dee8b01855e34ec450ae9e52788733642c67f8e92f92beb0c8a1a8d7536

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIFmFsQG.xlsm

Filesize
31KB

MD5
d233d626b36302f9e485cf96bca6afac

SHA1
d4fa1f2cec94ce0cf094a9d48937fe3d4f460e7d

SHA256
5126aaf37748b5150fc3d5010ac3ece36a2c9dabe3782b146967902054960d0f

SHA512
218291013233da48b3b82de0f23338f61a85e044bc4c2fe86ee0090f76961ae015466903e87fb2227c5c29cd35eb0e6c1cd129bea00c3fd73a059840a235f22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIFmFsQG.xlsm

Filesize
26KB

MD5
679dfcf1bdb4d6c10fa92e0ae8629615

SHA1
3a46a1fba0f88755c514ba7a900050b1bd55ebb7

SHA256
1c4eccef2796c3b0b9848a4c737ef18df72ec768a78d90f748dcdcdf53f642c1

SHA512
726df4d7f4ef9460cfbd6e16bd71234cf339bdf7031b68219ed4eee6514277beb057a576c992cc6041f13f0c60ac248755c8440538787b55c545eff95ab9e2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIFmFsQG.xlsm

Filesize
26KB

MD5
a6301c41178d3f43e8968b52c23b872d

SHA1
bb5a2ba0b8332c1fcbd4ede9a665d26ada6e5d29

SHA256
d50f37379378dff0aaec6d2cd2e6c547df93c828a52d9287ec50813443ca57c1

SHA512
cb9d09741b1d1665d1e0df205e980dc02dd29ff1809110689930bf3ddf110d5d16bf6228e04a1d19f499154f3cff7e58a777eb6b6b3b59cc6cc6a730cf81a5c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$vIFmFsQG.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
8745f68c874f58f8cfce592884f9a141

SHA1
fb9cd42f152cdd17b3ae33266485fcc0e073fe59

SHA256
77af9a11a13df04aa1d08d0ee31e681b614db01a6ada2849fe65275e3e0cd5f0

SHA512
ddee1d008392ed80dae0b8ea2d1676b8d4d1d0945b2d40360e9ab7a0843671bf833f74a8ed277ff0f95e8dfc3e7865e49e191b0e6b0cf766f3e0d40bb38e7ad4

Download Submit
C:\Windows\Temp\autE189.tmp

Filesize
25KB

MD5
d5c0165d31fb3813f8646555a5758881

SHA1
f517870ae53ddc77512d36debb44468da3edbd8e

SHA256
6916a5d078c6daf3db977ae55853cc4eef93e24328c8e8ef955220d10c7052b9

SHA512
21fa61a736ce0dd802aae7c81efeb5ae2f2319f34aadee941ea87dfeda3431f36a278513fbab6e33a028e6b7ee024cd51333fd31ce645dd92598e078e3313219

Download Submit
C:\Windows\Temp\fuwygcg

Filesize
86KB

MD5
2cc29be38bd5a1e14386c7186a7f6959

SHA1
858df624a55d519b8f1e597850c867b97cbcbc7b

SHA256
1f8a85d2720b2cbeeadfb92ac471a3902c128f13cf04e0d59bbff54f786943a0

SHA512
0a39e8dbf9dad26e085de227679447586f3923fc3d2d3df219e9b837723cbc026af592d30ae25195338b627c1526b114f98527e37d51072a48083213915b0cbe

Download Submit
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe

Filesize
771KB

MD5
fe260da05d0512b65eec3e4cec4ea17c

SHA1
8915d023e9a5dfbba722b6d9678cbafe6a3b3630

SHA256
9dd559318f745949f4b68015033866a5ff02afea3fce22fca28e5bc33de40fc8

SHA512
bf875821c7b4bd21b458e248d657a23378493066a77113786c67ac94d8632f90fcb2da183ab842c5fab1ecedb80e2b143c0ffb24dc864264f3386eff3f929f5b

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
f06108fa962f6fb246717d788c415662

SHA1
d2fea263c65f71c058a8e8504b826437834d5459

SHA256
61eb2744bf8376c9ef64146afa33b1c94a247bdeda771cda420d5697f76ab75b

SHA512
a3e91c3e3535631bfaa097c76a8a92d1bab502c0032ecc3487ef75f42e4e1c2db6b4062eb9b30cbc7718bcdb2fbe7584a04a39358fd08734d0756ca21d32a94a

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
2.6MB

MD5
02da612c2a12a61524dd5b95f1ad1f0f

SHA1
672ef806475880f58483b111acc7cf8bfd77ce6c

SHA256
d3b0de7c01802869be2c1233a491a2b94945e2fc82a3c3719365a9746477a24d

SHA512
0a4c32617c2a94d7eba6435a72e0b718f2e37ac80b67414bec0d60f8a2df43fb902bc682aa585d03fa04cab145236fe42d541b7d60cee796619c9523fbb322d8

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
2203a2f1b7bd078b0df1bb25633165cc

SHA1
456bc72534051e9984f4a182f29e3b5af683836f

SHA256
2d4e5b02eb8ea62176160781d4ffdd46976985985d1616412d16870393ed9e1c

SHA512
39f4de7a0e7ccb86c3d89e2ae7fd207e6655590a6202d77161ff1f19b960ea3cc036feb4e602a76edf849180843e6d1e690850fddf27a1b84dd03a195e1d7527

Download Submit
memory/1264-138-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1264-217-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1804-115-0x00000000059C0000-0x0000000005FD6000-memory.dmp

Filesize
6.1MB

Download
memory/1804-136-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/1804-36-0x00000000059C0000-0x0000000005FD6000-memory.dmp

Filesize
6.1MB

Download
memory/1804-281-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/1804-234-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/1804-219-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/1928-72-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1928-82-0x00000000036E0000-0x0000000003CF6000-memory.dmp

Filesize
6.1MB

Download
memory/1928-139-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1928-243-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1928-134-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1928-252-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2368-27-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/2368-17-0x00000000057F0000-0x0000000005E06000-memory.dmp

Filesize
6.1MB

Download
memory/2368-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2612-101-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2612-18-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2708-71-0x0000000003910000-0x0000000003F26000-memory.dmp

Filesize
6.1MB

Download
memory/2708-123-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2744-105-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2744-137-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2744-141-0x0000000003300000-0x0000000003916000-memory.dmp

Filesize
6.1MB

Download
memory/2744-244-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2792-125-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2792-119-0x00000000033A0000-0x00000000039B6000-memory.dmp

Filesize
6.1MB

Download
memory/2792-117-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2792-58-0x00000000033A0000-0x00000000039B6000-memory.dmp

Filesize
6.1MB

Download
memory/3020-116-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3032-121-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3032-84-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3032-102-0x0000000003630000-0x0000000003C46000-memory.dmp

Filesize
6.1MB

Download