smokeloader | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

08-02-2025 06:10

250208-gw53ea1mhp 10

01-02-2025 10:25

250201-mf4saszmgl 10

01-02-2025 10:23

250201-metkyaxqdt 10

Analysis

max time kernel
150s
max time network
159s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HYDRA.exe
Size

2.6MB
MD5

c52bc39684c52886712971a92f339b23
SHA1

c5cb39850affb7ed322bfb0a4900e17c54f95a11
SHA256

f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d
SHA512

2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b
SSDEEP

49152:HnUXzRe4cjAx+L/G/3JHQZutOnmSzZniyui0EJHezdcc/DK9kTO1S:HUD8djA0LOvJdtOmSlniyuiPFePmS61S

Score

10^/10

smokeloader backdoor discovery persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2017

http://92.53.105.14/

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Smokeloader family
smokeloader

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudo.vbs	va.exe

Executes dropped EXE 10 IoCs

pid	Process
2448	yaya.exe
2240	va.exe
2688	ufx.exe
2476	sant.exe
2964	power.exe
1780	starter.exe
1088	usc.exe
2396	services.exe
2436	services.exe
1380	foxcon.exe

Loads dropped DLL 12 IoCs

pid	Process
776	HYDRA.exe
776	HYDRA.exe
776	HYDRA.exe
776	HYDRA.exe
776	HYDRA.exe
776	HYDRA.exe
776	HYDRA.exe
776	HYDRA.exe
2688	ufx.exe
2448	yaya.exe
2688	ufx.exe
2688	ufx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\fvvrugig\\fterwrtd.exe"	explorer.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	sant.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	sant.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	foxcon.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	foxcon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HYDRA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yaya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ufx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sant.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	power.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	usc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\FoxCond\{1945BBS40-8571-3DA1-BB29-HYDRA7A11A1E} = "C:\\Windows\\Temp\\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\\services.exe"	services.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus	foxcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	services.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\FoxCond	services.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	services.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\GDIPlus\FontCachePath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local"	foxcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	foxcon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	services.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Foxcon Service Control = "C:\\Windows\\TEMP\\foxcon.exe"	foxcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	services.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	services.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	services.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\FoxCond\{1945BBS40-8571-3DA1-BB29-HYDRA7A11A1E} = "C:\\Windows\\Temp\\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\\services.exe"	services.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	services.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2896	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
1780	starter.exe
1780	starter.exe
1780	starter.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
1780	starter.exe
1780	starter.exe
1780	starter.exe
2436	services.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
1380	foxcon.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
1780	starter.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe
2476	sant.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2476	sant.exe
2476	sant.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	usc.exe
Token: SeDebugPrivilege	1780	starter.exe
Token: SeDebugPrivilege	2396	services.exe
Token: SeDebugPrivilege	2436	services.exe
Token: SeDebugPrivilege	1380	foxcon.exe
Token: SeDebugPrivilege	1632	powershell.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 2448	776	HYDRA.exe	31
PID 776 wrote to memory of 2448	776	HYDRA.exe	31
PID 776 wrote to memory of 2448	776	HYDRA.exe	31
PID 776 wrote to memory of 2448	776	HYDRA.exe	31
PID 776 wrote to memory of 2240	776	HYDRA.exe	32
PID 776 wrote to memory of 2240	776	HYDRA.exe	32
PID 776 wrote to memory of 2240	776	HYDRA.exe	32
PID 776 wrote to memory of 2240	776	HYDRA.exe	32
PID 776 wrote to memory of 2688	776	HYDRA.exe	33
PID 776 wrote to memory of 2688	776	HYDRA.exe	33
PID 776 wrote to memory of 2688	776	HYDRA.exe	33
PID 776 wrote to memory of 2688	776	HYDRA.exe	33
PID 776 wrote to memory of 2688	776	HYDRA.exe	33
PID 776 wrote to memory of 2688	776	HYDRA.exe	33
PID 776 wrote to memory of 2688	776	HYDRA.exe	33
PID 776 wrote to memory of 2476	776	HYDRA.exe	34
PID 776 wrote to memory of 2476	776	HYDRA.exe	34
PID 776 wrote to memory of 2476	776	HYDRA.exe	34
PID 776 wrote to memory of 2476	776	HYDRA.exe	34
PID 776 wrote to memory of 2964	776	HYDRA.exe	35
PID 776 wrote to memory of 2964	776	HYDRA.exe	35
PID 776 wrote to memory of 2964	776	HYDRA.exe	35
PID 776 wrote to memory of 2964	776	HYDRA.exe	35
PID 2688 wrote to memory of 1088	2688	ufx.exe	36
PID 2688 wrote to memory of 1088	2688	ufx.exe	36
PID 2688 wrote to memory of 1088	2688	ufx.exe	36
PID 2688 wrote to memory of 1088	2688	ufx.exe	36
PID 2688 wrote to memory of 1088	2688	ufx.exe	36
PID 2688 wrote to memory of 1088	2688	ufx.exe	36
PID 2688 wrote to memory of 1088	2688	ufx.exe	36
PID 2448 wrote to memory of 1780	2448	yaya.exe	37
PID 2448 wrote to memory of 1780	2448	yaya.exe	37
PID 2448 wrote to memory of 1780	2448	yaya.exe	37
PID 2448 wrote to memory of 1780	2448	yaya.exe	37
PID 1088 wrote to memory of 2896	1088	usc.exe	39
PID 1088 wrote to memory of 2896	1088	usc.exe	39
PID 1088 wrote to memory of 2896	1088	usc.exe	39
PID 1088 wrote to memory of 2896	1088	usc.exe	39
PID 1088 wrote to memory of 2896	1088	usc.exe	39
PID 1088 wrote to memory of 2896	1088	usc.exe	39
PID 1088 wrote to memory of 2896	1088	usc.exe	39
PID 1780 wrote to memory of 1028	1780	starter.exe	41
PID 1780 wrote to memory of 1028	1780	starter.exe	41
PID 1780 wrote to memory of 1028	1780	starter.exe	41
PID 1028 wrote to memory of 308	1028	csc.exe	43
PID 1028 wrote to memory of 308	1028	csc.exe	43
PID 1028 wrote to memory of 308	1028	csc.exe	43
PID 1684 wrote to memory of 2396	1684	cmd.exe	47
PID 1684 wrote to memory of 2396	1684	cmd.exe	47
PID 1684 wrote to memory of 2396	1684	cmd.exe	47
PID 2436 wrote to memory of 1380	2436	services.exe	50
PID 2436 wrote to memory of 1380	2436	services.exe	50
PID 2436 wrote to memory of 1380	2436	services.exe	50
PID 2964 wrote to memory of 1632	2964	power.exe	200
PID 2964 wrote to memory of 1632	2964	power.exe	200
PID 2964 wrote to memory of 1632	2964	power.exe	200
PID 2964 wrote to memory of 1632	2964	power.exe	200
PID 2476 wrote to memory of 2788	2476	sant.exe	202
PID 2476 wrote to memory of 2788	2476	sant.exe	202
PID 2476 wrote to memory of 2788	2476	sant.exe	202
PID 2476 wrote to memory of 2788	2476	sant.exe	202

C:\Users\Admin\AppData\Local\Temp\HYDRA.exe
"C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:776
- C:\Users\Admin\AppData\Roaming\yaya.exe
  C:\Users\Admin\AppData\Roaming\yaya.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
    "C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mj4qmjzs.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1028
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA59.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDA58.tmp"
        5⤵
        
        PID:308
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1280
  - - C:\Windows\System32\cmd.exe
      /K services.exe && clear
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1684
    - - C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe
        
        services.exe
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2980
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:772
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2580
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1032
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2392
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2512
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1984
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2544
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2344
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:592
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:304
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2136
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:328
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1968
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2288
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:904
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2000
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1040
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:916
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1812
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:884
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1704
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1708
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2152
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2428
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2172
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1592
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1600
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2364
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2308
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2452
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2468
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2216
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2788
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2328
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2704
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2752
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1876
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2248
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2300
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2868
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:988
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2284
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2864
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2836
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2744
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2804
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2816
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2712
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2880
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2632
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2808
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2928
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2620
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2636
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2732
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2764
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2568
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2652
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2596
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2600
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2612
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1148
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2628
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2668
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2860
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2296
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:3044
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:3048
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:672
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1152
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:108
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1572
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1820
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1484
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1316
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1936
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1760
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2356
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2140
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1872
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2956
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1824
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1452
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1392
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2420
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1300
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2036
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1764
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1980
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2176
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1324
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1772
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2748
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1628
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:112
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1656
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2840
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:684
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1648
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1728
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2504
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2196
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1796
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1288
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2832
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:872
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2488
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2924
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2932
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1720
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1552
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1756
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:3012
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1240
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:608
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1132
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2912
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2496
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2784
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:912
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2440
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2200
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2780
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2008
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1296
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:484
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1340
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2464
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1972
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1608
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1688
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1540
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:952
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:780
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:772
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:796
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1464
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1468
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1032
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1544
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2380
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:468
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2908
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2512
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:1984
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2064
  - - C:\Windows\System32\cmd.exe
      net localgroup administrators %username% /add
      4⤵
      PID:2340
- C:\Users\Admin\AppData\Roaming\va.exe
  C:\Users\Admin\AppData\Roaming\va.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:2240
- C:\Users\Admin\AppData\Roaming\ufx.exe
  C:\Users\Admin\AppData\Roaming\ufx.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\ProgramData\ucp\usc.exe
    "C:\ProgramData\ucp\usc.exe" /ucp/usc.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2896
- C:\Users\Admin\AppData\Roaming\sant.exe
  C:\Users\Admin\AppData\Roaming\sant.exe
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2788
- C:\Users\Admin\AppData\Roaming\power.exe
  C:\Users\Admin\AppData\Roaming\power.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1632

C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe
C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\TEMP\foxcon.exe
  "C:\Windows\TEMP\foxcon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ucp\usc.exe

Filesize
4.0MB

MD5
b100b373d645bf59b0487dbbda6c426d

SHA1
44a4ad2913f5f35408b8c16459dcce3f101bdcc7

SHA256
84d7fd0a93d963e9808212917f79fe2d485bb7fbc94ee374a141bbd15da725b7

SHA512
69483fed79f33da065b1cc65a2576ba268c78990545070f6f76fca8f48aaec8274faecdc9bcf92bf84a87809a318b159d1a3c835f848a6eea6c163f41612bf9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDA59.tmp

Filesize
1KB

MD5
e58e1e972a7a86cab5b5f1159cca56ef

SHA1
0c775af8ab4640f36ec5e0c7377e06042a8850cc

SHA256
5e9b5c6e233046c0904d2762671072f7e77a9a009c9500b1597952b999d8f5b5

SHA512
91fe46ae52a52b7b3d248d21ec54d8df4e25c3606dd90bb3bb98f775e8d796af52654c529bc6041cd10ab030dbd89d0212565bfe1a2d5a35158bdf229008a23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj4qmjzs.dll

Filesize
5KB

MD5
052e6999445a1f9b54bb1139f2271d42

SHA1
d492cf9fe475ec809c0f3fc050fcaa0a8d9d825a

SHA256
17f1f73496b7b7f212519ed7b25043919d44accef7662e18938cf99aeb20f341

SHA512
724219d74fc2749bcc364e0270f11fbc86628b6f72f7b4340e0d6f9100ce6cd72508302ecc8b9427031dfd8657524473e88d2ebba425a76ee0e0844599eedf59

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj4qmjzs.pdb

Filesize
7KB

MD5
cac5e4a3b7426e8f93e0fb420745dc54

SHA1
a8edf9d096f1e6fd9d37be35816f5b384d9f3b2e

SHA256
81c3f4c7b99e3a6db7346b6c5e9c5b4eba12041ab5c77418e06c951d4daf633b

SHA512
ff3026bae24d09b954a3b1e24208b3261b8b9497101396bdf123185b7b8128304a25d97ecde4016bc53fe121eab9ade05e935a69412564622e5d76511210f810

Download Submit
C:\Users\Admin\AppData\Roaming\power.exe

Filesize
507KB

MD5
743f47ae7d09fce22d0a7c724461f7e3

SHA1
8e98dd1efb70749af72c57344aab409fb927394e

SHA256
1bee45423044b5a6bf0ad0dd2870117824b000784ce81c5f8a1b930bb8bc0465

SHA512
567993c3b798365efa07b7a46fda98494bfe540647f27654764e78b7f60f093d403b77b9abb889cfb09b44f13515ce3c041fc5db05882418313c3b3409dd77bf

Download Submit
C:\Users\Admin\AppData\Roaming\sant.exe

Filesize
12KB

MD5
5effca91c3f1e9c87d364460097f8048

SHA1
28387c043ab6857aaa51865346046cf5dc4c7b49

SHA256
3fd826fc0c032721466b94ab3ec7dcfe006cc284e16132af6b91dfbc064b0907

SHA512
b0dba30fde295d3f7858db9d1463239b30cd84921971032b2afb96f811a53ac12c1e6f72013d2eff397b0b89c371e7c023c951cd2102f94157cba9918cd2c3e0

Download Submit
C:\Users\Admin\AppData\Roaming\ufx.exe

Filesize
960KB

MD5
22e088012519e1013c39a3828bda7498

SHA1
3a8a87cce3f6aff415ee39cf21738663c0610016

SHA256
9e3826138bacac89845c26278f52854117db1652174c1c76dbb2bd24f00f4973

SHA512
5559e279dd3d72b2c9062d88e99212bbc67639fe5a42076efd24ae890cfce72cfe2235adb20bf5ed1f547b6da9e69effa4ccb80c0407b7524f134a24603ea5a8

Download Submit
C:\Users\Admin\AppData\Roaming\va.exe

Filesize
88KB

MD5
c084e736931c9e6656362b0ba971a628

SHA1
ef83b95fc645ad3a161a19ccef3224c72e5472bd

SHA256
3139bf3c4b958c3a019af512aecdb8161b9d6d7432d2c404abda3f42b63f34f1

SHA512
cbd6485840a117b52e24586da536cefa94ca087b41eb460d27bc2bd320217957c9e0e96b0daf74343efde2e23a5242e7a99075aabf5f9e18e03b52eb7151ae1f

Download Submit
C:\Users\Admin\AppData\Roaming\yaya.exe

Filesize
1.7MB

MD5
7d05ab95cfe93d84bc5db006c789a47f

SHA1
aa4aa0189140670c618348f1baad877b8eca04a4

SHA256
5c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f

SHA512
40d1461e68994df56f19d9f7b2d96ffdc5300ca933e10dc53f7953471df8dea3aabeb178c3432c6819175475cadcbdb698384e3df57b3606c6fce3173a31fe84

Download Submit
C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\Newtonsoft.Json.dll

Filesize
487KB

MD5
0c33e2f116aaa66d0012a8376d82ce29

SHA1
81cd6b87a9f7b4a174138312986d682f464067f4

SHA256
9a19ef049430af9ac49ff719cbfb73dc6c6b0d0ef53914479dd282260771518b

SHA512
b19dceb47d943bcb40f185e232eb1a0f665f6b6107e6c83c0f0a1aa80013b2756c5a831f3413a4c57ca37f7ec4a95a173e1f3d67e49f1fff2071273acc538317

Download Submit
C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\foxcon.exe

Filesize
15KB

MD5
7b07728b813d26228f10f6cdb7ac8471

SHA1
48418d83ac372c1398753f7a766076750a03a725

SHA256
7e5a9baf4d9ead35e1d9a3b3dda6ee05e670bd721500d82fbf08e1e8091fa911

SHA512
f8a1070d4a0297151c6d55e60bc953a985b82159920e5a6a3a40270f0ad7e06edb1815b6fed1313076f7f6bbf32155d22a5a0e605378525aa3a9055a2c7128aa

Download Submit
C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe

Filesize
27KB

MD5
63602f11993c01a4b36f42187a797128

SHA1
d6c761942dcb32190f924ea7490acc38865f7300

SHA256
2c926cd6c980ff89ced8de49a8d0e7fb7247f58b1face21a1e9883a58b822b84

SHA512
1a13649d6d5917d132f85cae9af206b1959578134db392afd6fec0c68ff1828c87daa2a537678ad1a83c0e273fed7f154f6f6f6f72102733fa6626bcd57ded0e

Download Submit
C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe

Filesize
80KB

MD5
51bf85f3bf56e628b52d61614192359d

SHA1
c1bc90be6a4beb67fb7b195707798106114ec332

SHA256
990dffdc0694858514d6d7ff7fff5dc9f48fab3aa35a4d9301d94fc57e346446

SHA512
131173f3aabcfba484e972424c54201ec4b1facfb2df1efe08df0d43a816d4df03908b006884564c56a6245badd4f9ed442a295f1db2c0c970a8f80985d35474

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDA58.tmp

Filesize
652B

MD5
036c0fd1e2e2b5c8d5a9a821d362f9f5

SHA1
b80fa41546f5a58057da2d292af9d000f3770207

SHA256
2d49c1dff13c832d587ab45f521646450372516536e52cdec30b691a5540ec5c

SHA512
0e0300b36e157d3cc1a10b47cc6cabf13cfdcb168a90b8c91a8c7d8ea38b057e28712dad48c64ce4cd63bea4741d33e933904faa082d00dba20389046af3bc63

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mj4qmjzs.0.cs

Filesize
4KB

MD5
a0d1b6f34f315b4d81d384b8ebcdeaa5

SHA1
794c1ff4f2a28e0c631a783846ecfffdd4c7ae09

SHA256
0b3a3f8f11eb6f50fe67943f2b73c5824614f31c2e0352cc234927d7cb1a52e0

SHA512
0a89293d731c5bca05e73148f85a740b324fc877f2fb05cde1f68e2098329fbca552d78249a46f4a1da15a450c8e754c73be20c652f7089d5cfec445ce950a0e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mj4qmjzs.cmdline

Filesize
309B

MD5
fa73199cc4d02abb3746cea875256dd0

SHA1
204f6cd7a0cc14dd5365a2514abaed495d42c0ba

SHA256
3cfd4915184e228697db89861430d0a8af134c8bf65a00ee2bcb888c465b19db

SHA512
fb5d9629974a341e1534a96a36b6385b4a77003bdc5e83ea9e119285ae90252cd583a9858a0cf3cda8c1ae5bb1a80979d64b05e0388708a460449e0e9c2f5c2f

Download Submit
memory/776-27-0x00000000003C0000-0x00000000003C4000-memory.dmp

Filesize
16KB

Download
memory/776-22-0x00000000003C0000-0x00000000003C4000-memory.dmp

Filesize
16KB

Download
memory/1780-88-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

Filesize
32KB

Download
memory/2240-36-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2436-102-0x00000000012D0000-0x0000000001350000-memory.dmp

Filesize
512KB

Download
memory/2448-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2476-106-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/2476-32-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/2476-42-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/2476-29-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2476-113-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2476-112-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/2788-108-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/2788-107-0x00000000003E0000-0x0000000000661000-memory.dmp

Filesize
2.5MB

Download
memory/2788-118-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/2788-120-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/2964-103-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download