xred | 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/01/2025, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe
Size

3.6MB
MD5

575b18de3bde4f0bac81569918c71040
SHA1

fedcaebb7ac62e2cc2f792a6efd7b5feadfd387c
SHA256

95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4
SHA512

c131d03c17da866ffbb97c56c1fd0798f12ed60c17253f6fdabbb77eadd3650b18d20ad6e16e938219e54899b32c412006d0a2ff2a5aecf4cf572df00d0df6fb
SSDEEP

49152:/YZnsHyjtk2MYC5GD/YKnsHyjtk2MYC5GDsYS1Q+09xqoWh5GisYxMGyN0F:QZnsmtk2a/Knsmtk2aGS6bRWTGZYaG8Q

Score

10^/10

xred backdoor defense_evasion discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 17 IoCs

pid	Process
2436	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe
2968	icsys.icn.exe
2744	explorer.exe
2516	spoolsv.exe
2520	svchost.exe
2244	spoolsv.exe
1656	Synaptics.exe
1444	._cache_Synaptics.exe
2080	._cache_synaptics.exe
2332	icsys.icn.exe
660	explorer.exe
1188	Synaptics.exe
2876	._cache_Synaptics.exe
1660	._cache_synaptics.exe
2984	icsys.icn.exe
1732	explorer.exe
1696	Synaptics.exe

Loads dropped DLL 39 IoCs

pid	Process
1048	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe
1048	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe
1048	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe
1048	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe
2968	icsys.icn.exe
2968	icsys.icn.exe
2744	explorer.exe
2744	explorer.exe
2516	spoolsv.exe
2516	spoolsv.exe
2520	svchost.exe
2520	svchost.exe
2436	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe
2436	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe
2436	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe
1656	Synaptics.exe
1656	Synaptics.exe
1656	Synaptics.exe
1444	._cache_Synaptics.exe
1444	._cache_Synaptics.exe
1444	._cache_Synaptics.exe
1444	._cache_Synaptics.exe
2332	icsys.icn.exe
2080	._cache_synaptics.exe
2080	._cache_synaptics.exe
2080	._cache_synaptics.exe
1188	Synaptics.exe
1188	Synaptics.exe
1188	Synaptics.exe
1188	Synaptics.exe
2876	._cache_Synaptics.exe
2876	._cache_Synaptics.exe
1660	._cache_synaptics.exe
2876	._cache_Synaptics.exe
2876	._cache_Synaptics.exe
2984	icsys.icn.exe
1660	._cache_synaptics.exe
1660	._cache_synaptics.exe
1660	._cache_synaptics.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1992	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2968	icsys.icn.exe
2744	explorer.exe
2744	explorer.exe
2744	explorer.exe
2744	explorer.exe
2520	svchost.exe
2520	svchost.exe
2744	explorer.exe
2520	svchost.exe
2744	explorer.exe
2520	svchost.exe
2744	explorer.exe
2520	svchost.exe
2520	svchost.exe
2744	explorer.exe
2744	explorer.exe
2520	svchost.exe
2520	svchost.exe
2744	explorer.exe
2520	svchost.exe
2744	explorer.exe
2744	explorer.exe
2520	svchost.exe
2520	svchost.exe
2080	._cache_synaptics.exe
2080	._cache_synaptics.exe
2080	._cache_synaptics.exe
2080	._cache_synaptics.exe
2080	._cache_synaptics.exe
2080	._cache_synaptics.exe
2080	._cache_synaptics.exe
2520	svchost.exe
2520	svchost.exe
2744	explorer.exe
2744	explorer.exe
2520	svchost.exe
2520	svchost.exe
2744	explorer.exe
2520	svchost.exe
2744	explorer.exe
2744	explorer.exe
2520	svchost.exe
2520	svchost.exe
2744	explorer.exe
2744	explorer.exe
2520	svchost.exe
2520	svchost.exe
2744	explorer.exe
2744	explorer.exe
2520	svchost.exe
2520	svchost.exe
2744	explorer.exe
2520	svchost.exe
2744	explorer.exe
2744	explorer.exe
2520	svchost.exe
2520	svchost.exe
2744	explorer.exe
2744	explorer.exe
2520	svchost.exe
2520	svchost.exe
1660	._cache_synaptics.exe
2520	svchost.exe
2520	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2744	explorer.exe
2520	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSystemProfilePrivilege	2080	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2080	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2080	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2080	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2080	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2080	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2080	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1660	._cache_synaptics.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
1048	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe
1048	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe
2968	icsys.icn.exe
2968	icsys.icn.exe
2744	explorer.exe
2744	explorer.exe
2516	spoolsv.exe
2516	spoolsv.exe
2520	svchost.exe
2520	svchost.exe
2244	spoolsv.exe
2244	spoolsv.exe
2744	explorer.exe
2744	explorer.exe
1444	._cache_Synaptics.exe
1444	._cache_Synaptics.exe
2332	icsys.icn.exe
1992	EXCEL.EXE
2332	icsys.icn.exe
660	explorer.exe
660	explorer.exe
2876	._cache_Synaptics.exe
2876	._cache_Synaptics.exe
2984	icsys.icn.exe
2984	icsys.icn.exe
1732	explorer.exe
1732	explorer.exe
1856	EXCEL.EXE
2776	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2436	1048	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe	28
PID 1048 wrote to memory of 2436	1048	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe	28
PID 1048 wrote to memory of 2436	1048	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe	28
PID 1048 wrote to memory of 2436	1048	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe	28
PID 1048 wrote to memory of 2968	1048	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe	29
PID 1048 wrote to memory of 2968	1048	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe	29
PID 1048 wrote to memory of 2968	1048	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe	29
PID 1048 wrote to memory of 2968	1048	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe	29
PID 2968 wrote to memory of 2744	2968	icsys.icn.exe	30
PID 2968 wrote to memory of 2744	2968	icsys.icn.exe	30
PID 2968 wrote to memory of 2744	2968	icsys.icn.exe	30
PID 2968 wrote to memory of 2744	2968	icsys.icn.exe	30
PID 2744 wrote to memory of 2516	2744	explorer.exe	31
PID 2744 wrote to memory of 2516	2744	explorer.exe	31
PID 2744 wrote to memory of 2516	2744	explorer.exe	31
PID 2744 wrote to memory of 2516	2744	explorer.exe	31
PID 2516 wrote to memory of 2520	2516	spoolsv.exe	32
PID 2516 wrote to memory of 2520	2516	spoolsv.exe	32
PID 2516 wrote to memory of 2520	2516	spoolsv.exe	32
PID 2516 wrote to memory of 2520	2516	spoolsv.exe	32
PID 2520 wrote to memory of 2244	2520	svchost.exe	33
PID 2520 wrote to memory of 2244	2520	svchost.exe	33
PID 2520 wrote to memory of 2244	2520	svchost.exe	33
PID 2520 wrote to memory of 2244	2520	svchost.exe	33
PID 2436 wrote to memory of 1656	2436	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe	34
PID 2436 wrote to memory of 1656	2436	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe	34
PID 2436 wrote to memory of 1656	2436	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe	34
PID 2436 wrote to memory of 1656	2436	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe	34
PID 2520 wrote to memory of 268	2520	svchost.exe	35
PID 2520 wrote to memory of 268	2520	svchost.exe	35
PID 2520 wrote to memory of 268	2520	svchost.exe	35
PID 2520 wrote to memory of 268	2520	svchost.exe	35
PID 1656 wrote to memory of 1444	1656	Synaptics.exe	37
PID 1656 wrote to memory of 1444	1656	Synaptics.exe	37
PID 1656 wrote to memory of 1444	1656	Synaptics.exe	37
PID 1656 wrote to memory of 1444	1656	Synaptics.exe	37
PID 1444 wrote to memory of 2080	1444	._cache_Synaptics.exe	39
PID 1444 wrote to memory of 2080	1444	._cache_Synaptics.exe	39
PID 1444 wrote to memory of 2080	1444	._cache_Synaptics.exe	39
PID 1444 wrote to memory of 2080	1444	._cache_Synaptics.exe	39
PID 1444 wrote to memory of 2332	1444	._cache_Synaptics.exe	40
PID 1444 wrote to memory of 2332	1444	._cache_Synaptics.exe	40
PID 1444 wrote to memory of 2332	1444	._cache_Synaptics.exe	40
PID 1444 wrote to memory of 2332	1444	._cache_Synaptics.exe	40
PID 2332 wrote to memory of 660	2332	icsys.icn.exe	41
PID 2332 wrote to memory of 660	2332	icsys.icn.exe	41
PID 2332 wrote to memory of 660	2332	icsys.icn.exe	41
PID 2332 wrote to memory of 660	2332	icsys.icn.exe	41
PID 2080 wrote to memory of 1188	2080	._cache_synaptics.exe	42
PID 2080 wrote to memory of 1188	2080	._cache_synaptics.exe	42
PID 2080 wrote to memory of 1188	2080	._cache_synaptics.exe	42
PID 2080 wrote to memory of 1188	2080	._cache_synaptics.exe	42
PID 1188 wrote to memory of 2876	1188	Synaptics.exe	43
PID 1188 wrote to memory of 2876	1188	Synaptics.exe	43
PID 1188 wrote to memory of 2876	1188	Synaptics.exe	43
PID 1188 wrote to memory of 2876	1188	Synaptics.exe	43
PID 2876 wrote to memory of 1660	2876	._cache_Synaptics.exe	45
PID 2876 wrote to memory of 1660	2876	._cache_Synaptics.exe	45
PID 2876 wrote to memory of 1660	2876	._cache_Synaptics.exe	45
PID 2876 wrote to memory of 1660	2876	._cache_Synaptics.exe	45
PID 2876 wrote to memory of 2984	2876	._cache_Synaptics.exe	46
PID 2876 wrote to memory of 2984	2876	._cache_Synaptics.exe	46
PID 2876 wrote to memory of 2984	2876	._cache_Synaptics.exe	46
PID 2876 wrote to memory of 2984	2876	._cache_Synaptics.exe	46

C:\Users\Admin\AppData\Local\Temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe
"C:\Users\Admin\AppData\Local\Temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048
- \??\c:\users\admin\appdata\local\temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe
  c:\users\admin\appdata\local\temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1444
    - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1732
    - - C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:660
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2968
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2516
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2244
      - C:\Windows\SysWOW64\at.exe
        
        at 22:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:268
      - C:\Windows\SysWOW64\at.exe
        
        at 22:47 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1596

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1856

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\RCX8AD2.tmp

Filesize
753KB

MD5
ceab064b6d1d8ba57444371889936da1

SHA1
ed748ba18c6dadf05e9a6aa008443d055375e71e

SHA256
6e0d8597ac91fcebce2757d5ccdff21f256c857b7a3ab06d7da3113ac24c6b3b

SHA512
c65afe84060cdf24a8ebca454eca6aa0eb73cb5898c6106dec490f2c37cbac6173d3ea5302812787ff137fea219b4d7506b68f193b4709aff03a46157fc82b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_synaptics.exe

Filesize
1.7MB

MD5
bc95b2206dd7637fe20a16798c406745

SHA1
e77612a366109cd0359917b9a177aa114ba7ca83

SHA256
09b41d9c265effd7b2bc78cbaee81c3e977c718ddcedcb506f69ffa178eb5a74

SHA512
1d081aea628f10327649404114fa571cc87b053ae195a90ff5d4d59c21c8a932d716a32ea252aac324fa0c39bdab8c46bcc9fe85dccc7dc7312d1d22fb4f6540

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_synaptics.exe

Filesize
2.4MB

MD5
6aea658a809df0b4e0f2b52204fa1e31

SHA1
a1819c28ce05dd8521d74dae1375ad9699791dc0

SHA256
ea4087068126db22d789769a45831897cdd3060ea0d7f6368f515b479dde1208

SHA512
9ed22b45fdbb4d17fce304d578b3387bfdf1fdca353c2011249987f25d264f443a3b6d1099449fb558f9821c634c2c0a4b5b16dda2c7a1b25076acb4d93c20d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdbmUgNg.xlsm

Filesize
22KB

MD5
04df9b4bafc1dd46f88317048e1c9613

SHA1
960b4d2c826eed55e3fd94aeb7639fa4cffc399d

SHA256
21ddd7c9a4200a5ab55165435a8f2a7eba626179f9352275c56214ab147aa713

SHA512
becaf3413a8e5c43b46a111cdf581c53dda3ad93e94aefde847d0fefa739e200313d26b84768bd3b6b23c933d823d148e378058f38115c111995bbc68c6c391b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdbmUgNg.xlsm

Filesize
23KB

MD5
ca0d4caafdb0e68b837eabb999992200

SHA1
3d91172b06f5cce2bdd91df80b98e11ca8bc6252

SHA256
ec2980acd7735671a44050a5756a802c918eeca3420f947e3c0c3a3a638f2000

SHA512
a53c40e145197189d5c1d3cb6cf2d4f53992eb305a223051a49de2887792f7af665cc5d17fbdd168b913f86101d965ccb98085116d52ca5d535bd1e7a44906d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdbmUgNg.xlsm

Filesize
26KB

MD5
7d6215645778866a175f9bbe2f7fb71c

SHA1
1c6971ad647c47472720cd919884016c2643df10

SHA256
7190f6c2bcd8ad580a908e610492198d043b5f503f0867e4e486693e528b8eb3

SHA512
99bd01ae076605f972066481fa5909a3e03f2d0230d13e6520f9eeb7393b780d6d8a804a1d15daf83241cb587506acb653a468020b587ddc4c1e661a15cad85e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdbmUgNg.xlsm

Filesize
24KB

MD5
b8498de4a89ae9c248063d6414de8b3f

SHA1
3009b932155b15706867b102e0acccd1a0901c92

SHA256
f455f3e4239b50d3c8cd054d92161687ccd8407a4c6255589969825582ca8d01

SHA512
cbf605802c8638ec8973922820a80c2528ee30f410963937302495e19fda9480de7386404f185e73075db482b12a53b4718c8577dd5332924796ad2d011fbb6a

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
83b3035df04728252d66100272d85e01

SHA1
15d784205aea26a3a93b7fcc7d56bad010c56890

SHA256
d4dbb6ca603866cfa2168690ea3a523aa1c6d04d780da787451bdaada77e7269

SHA512
a7ba03bf9cad80dc0449976b834cb91dafd2a51b037d8e9af7ee5325e172e9e1e963a5c6befeb5e758b7e42c38ac045a48e04b7414e2489f8448cc2984ed466a

Download Submit
C:\Users\Admin\Downloads\~$CompareClear.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
207KB

MD5
1f9347ad916292acadc5468dd88adad0

SHA1
689f8eb2168459ce92d8e1210afdd0d979fe4578

SHA256
71ecbde4cd282b00873c25e98b4bb2736c3b29666ca148b933e8cd0022cdf24e

SHA512
25485170a4afdb52304601dd48a9734b4a63a5aeb9ab7e86f0909232cc1c684586a7c9c5bf3d1448c818f2c2d382ca9353fd0243d489ce4b4385b5252df4dae0

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
2.6MB

MD5
ffa2e235448687e2b7e37bb8a99f38c9

SHA1
153b873d572fb6bc8794f7aeec9c208d50182489

SHA256
e6edb39132b26125704af6d10cd43f9153cadafa9e8692b809749ef0bb973161

SHA512
32d3829bb1d0e0ac21b7cc3d3d3f0e71a5944ebccbdbe7837b0f8608a91859865cad7b26469ff230a2c7720d2f19784ae51cc62cc27c86553d01451cb72d792b

Download Submit
\Users\Admin\AppData\Local\Temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe

Filesize
3.4MB

MD5
b7de67b0a46cb2b9323b251d34d34708

SHA1
993564e1f3bde5422da5b8e74711868725e2c9df

SHA256
4c3a7ee11791b181152ba80fc0c29eef05f6a6617aff56ef0edbb4919fde9581

SHA512
b407a869cc5b5e86afff7bbfb24ee4c060cd4600d2fc5ef88de3c804299edcf63a0376209a6f2a9175da659608c12ddf0cea5225106646b83dbda10103fdf25f

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
bd7b5016453c5b3414a4eb30747f0f5e

SHA1
f143f1bdaaafe645607024424dc8d8178ca89868

SHA256
a3a6970b431c34714ee58bccf9668115194262a7e39f19a58fd8d94249568aae

SHA512
82af27b4408c84bca5bad2737da410cb64f691131a603aad4aa4029d8b76194077118bd5147208d8a952248e0077de8db6c74aba247abefc6a1eadb2f0fbd139

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
3343be9774d2c669a6cd6f1296ebeae8

SHA1
cf675b229c99320d12201e2a1a3d7d32d26c8485

SHA256
efc65b4655e6adef136bf0413e6fe45f70fe990528887fac719f9a03e945a0e2

SHA512
f9048d3b02ed7ee56d48c9aa21e5ef2e7bfe1ae6a7517741238fc765568024de65fe82ac94e19e7ef8ac17666407462ed664be059db6b5f5c734f6f8780c14b1

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
2174e16c77811eb61e9df75fd0f42e3e

SHA1
8c77d969048243715388e0627c7d58b2c0bace43

SHA256
8fe86c314757a64803245fec53ef165d3513bec666bf94f498fc2eacb8c5c620

SHA512
a27eb03b11dfd8c44a6852ddbc27d0de5bd062e080d81be9902cf151977630f4fb9a25b68430df21afc35477f43093b752e9563c7f30ea8cb217eca03a102ef3

Download Submit
\Windows\system\svchost.exe

Filesize
207KB

MD5
5cfe2fabee79270106ebf0c0a9cff3cf

SHA1
a0dc3dbda456f05fe2a87bbfd0300c2a8108d4c5

SHA256
289a0d3cdbe55f47a79bc93516902b4f777faed4a4956d139559c50852e86542

SHA512
2dcf65eba28328f180d482f00ef6676e33324c0f251d3a4c62c7d764eb8bde4ad03e50f2a9a14ebfa4a8c79b6821e9e355050279aeeb4152ab1bcaf4b0d7bfbe

Download Submit
memory/660-154-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1048-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1048-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1048-22-0x0000000002CB0000-0x0000000002CF1000-memory.dmp

Filesize
260KB

Download
memory/1188-183-0x0000000004160000-0x00000000041A1000-memory.dmp

Filesize
260KB

Download
memory/1188-220-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/1188-178-0x0000000000700000-0x0000000000741000-memory.dmp

Filesize
260KB

Download
memory/1444-136-0x00000000025F0000-0x0000000002631000-memory.dmp

Filesize
260KB

Download
memory/1444-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1444-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1656-152-0x0000000000400000-0x0000000000767000-memory.dmp

Filesize
3.4MB

Download
memory/1656-112-0x0000000005620000-0x0000000005661000-memory.dmp

Filesize
260KB

Download
memory/1660-230-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/1660-199-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/1696-342-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1696-306-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1696-307-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1732-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1992-137-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2080-176-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/2244-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2332-155-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2332-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2436-96-0x0000000000400000-0x0000000000767000-memory.dmp

Filesize
3.4MB

Download
memory/2436-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2516-101-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2520-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2520-77-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2520-83-0x0000000001E70000-0x0000000001EB1000-memory.dmp

Filesize
260KB

Download
memory/2744-61-0x0000000003100000-0x0000000003141000-memory.dmp

Filesize
260KB

Download
memory/2744-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2876-208-0x0000000003220000-0x0000000003261000-memory.dmp

Filesize
260KB

Download
memory/2876-219-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2876-207-0x0000000003220000-0x0000000003261000-memory.dmp

Filesize
260KB

Download
memory/2968-102-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2968-36-0x0000000002830000-0x0000000002871000-memory.dmp

Filesize
260KB

Download
memory/2968-37-0x0000000002830000-0x0000000002871000-memory.dmp

Filesize
260KB

Download
memory/2984-209-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2984-218-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download