Analysis
- max time kernel: 141s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 04/02/2025, 20:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2706e6516e6f2096e97947c061554a30c15df25b323f8d8ef26a83498d16d475.exe
- Resource: win7-20240903-en
General
- Target: 2706e6516e6f2096e97947c061554a30c15df25b323f8d8ef26a83498d16d475.exe
- Size: 772KB
- MD5: 11efce84e0a22a7cf2cc37e4d70b9d12
- SHA1: fdf14b95fe44f020456008604cd31536e423b72b
- SHA256: 2706e6516e6f2096e97947c061554a30c15df25b323f8d8ef26a83498d16d475
- SHA512: a3ff129fc550c5bc126984d14f0c7cbea78b466636be8608004a30a22d5d179d2e52301015b3e7d9df6fe3455fa7c27fc863e927f1fda4e00b90bee7482c8c15
- SSDEEP: 12288:gmhjJdUlzn3DSudvsh8Awf3XFaZmBITVJPtSrE37yG2LmxCiZ:Xh1alj3DSudvGM3MXTVhtSQWGtx3Z
Malware Config
Signatures

Executes dropped EXE (6 IoCs)
pid / Process:
- 2264 hangmdjrki.exe
- 1760 gzpcetomeu.exe
- 2228 SearchUserHost.exe
- 1196 Explorer.EXE
- 324 2706e6516e6f2096e97947c061554a30c15df25b323f8d8ef26a83498d16d475.exe
- 2324 bindsvc.exe
Loads dropped DLL (14 IoCs)
pid / Process:
- 1576 2706e6516e6f2096e97947c061554a30c15df25b323f8d8ef26a83498d16d475.exe (×4)
- 2800 SearchIndexer.exe (×3)
- 2228 SearchUserHost.exe
- 2052 SearchProtocolHost.exe
- 2264 hangmdjrki.exe (×2)
- 1040 SearchFilterHost.exe
- 1760 gzpcetomeu.exe (×2)
Network Service Discovery (2 IoCs)
pid / Process:
- 1540 cmd.exe
- 1756 ARP.EXE
Drops file in System32 directory (11 IoCs)
description / ioc / Process:
- File created: C:\Windows\SysWOW64\wideshut.exe (gzpcetomeu.exe)
- File created: C:\Windows\system32\msfte.dll (gzpcetomeu.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (SearchProtocolHost.exe)
- File created: C:\Windows\System32\bindsvc.exe (gzpcetomeu.exe)
- File opened for modification: C:\Windows\SysWOW64\wideshut.exe (gzpcetomeu.exe)
- File created: C:\Windows\SysWOW64\wimsvc.exe (gzpcetomeu.exe)
- File created: C:\Windows\SysWOW64\racfg.exe (gzpcetomeu.exe)
- File created: C:\Windows\SysWOW64\bindsvc.exe (gzpcetomeu.exe)
- File created: C:\Windows\system32\SearchUserHost.exe (SearchIndexer.exe)
- File opened for modification: C:\Windows\system32\SearchUserHost.exe (SearchIndexer.exe)
- File created: C:\Windows\system32\oci.dll (gzpcetomeu.exe)
Enumerates processes with tasklist (1 TTPs, 2 IoCs)
pid / Process:
- 2184 tasklist.exe
- 1876 tasklist.exe
UPX-packed file (yara rule: upx, 5 IoCs)
resource:
- behavioral1/files/0x0006000000019217-21.dat
- behavioral1/memory/1576-20-0x0000000002D30000-0x0000000002EAA000-memory.dmp
- behavioral1/memory/1760-27-0x00000000010F0000-0x000000000126A000-memory.dmp
- behavioral1/memory/1760-179-0x00000000010F0000-0x000000000126A000-memory.dmp
- behavioral1/memory/1760-195-0x00000000010F0000-0x000000000126A000-memory.dmp
Launches sc.exe (2 IoCs)
sc.exe is a Windows utility for controlling services on the system.
pid / Process:
- 2624 sc.exe
- 2680 sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (2706e6516e6f2096e97947c061554a30c15df25b323f8d8ef26a83498d16d475.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (2706e6516e6f2096e97947c061554a30c15df25b323f8d8ef26a83498d16d475.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (gzpcetomeu.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (hangmdjrki.exe)
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid / Process:
- 2444 cmd.exe
- 1596 PING.EXE
System Network Connections Discovery (1 TTPs, 2 IoCs)
Attempt to get a listing of network connections.
pid / Process:
- 2868 cmd.exe
- 760 NETSTAT.EXE
Gathers network information (2 TTPs, 2 IoCs)
Uses a command-line utility to view network configuration.
pid / Process:
- 544 ipconfig.exe
- 760 NETSTAT.EXE
Gathers system information (1 TTPs, 1 IoCs)
Runs systeminfo.exe.
pid / Process:
- 2028 systeminfo.exe
Modifies data under HKEY_USERS (64 IoCs)
Runs ping.exe (1 TTPs, 1 IoCs)
pid / Process:
- 1596 PING.EXE
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid / Process:
- 2800 SearchIndexer.exe (×2)
- 2228 SearchUserHost.exe
- 2184 tasklist.exe (×2)
- 2228 SearchUserHost.exe
- 1760 gzpcetomeu.exe
- 2228 SearchUserHost.exe (×13)
Suspicious use of AdjustPrivilegeToken (23 IoCs)
description / pid / Process:
- Token: SeManageVolumePrivilege, 2800 SearchIndexer.exe
- Token: 33, 2800 SearchIndexer.exe
- Token: SeIncBasePriorityPrivilege, 2800 SearchIndexer.exe
- Token: SeShutdownPrivilege, 1196 Explorer.EXE
- Token: SeDebugPrivilege, 2184 tasklist.exe
- Token: SeDebugPrivilege, 760 NETSTAT.EXE
- Token: SeDebugPrivilege, 1876 tasklist.exe
- Token: SeShutdownPrivilege, 1196 Explorer.EXE (×2)
- Token: SeDebugPrivilege, 2228 SearchUserHost.exe (×14)
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(indentation shows parent/child relationship; tags under each process are the signatures it triggered)

PID 256   C:\Windows\System32\smss.exe
          cmdline: \SystemRoot\System32\smss.exe

PID 1196  C:\Windows\Explorer.EXE
          cmdline: C:\Windows\Explorer.EXE
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

  PID 1576  C:\Users\Admin\AppData\Local\Temp\2706e6516e6f2096e97947c061554a30c15df25b323f8d8ef26a83498d16d475.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\2706e6516e6f2096e97947c061554a30c15df25b323f8d8ef26a83498d16d475.exe"
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

    PID 2264  C:\Users\Admin\AppData\Local\Temp\hangmdjrki.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\hangmdjrki.exe" "C:\Users\Admin\AppData\Local\Temp\cjgmqjekhl.exe" "C:\Users\Admin\AppData\Local\Temp\2706e6516e6f2096e97947c061554a30c15df25b323f8d8ef26a83498d16d475.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

      PID 324   C:\Users\Admin\AppData\Local\Temp\2706e6516e6f2096e97947c061554a30c15df25b323f8d8ef26a83498d16d475.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\2706e6516e6f2096e97947c061554a30c15df25b323f8d8ef26a83498d16d475.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

    PID 1760  C:\Users\Admin\AppData\Local\Temp\gzpcetomeu.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\gzpcetomeu.exe
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in System32 directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses

      PID 2664  C:\Windows\System32\cmd.exe
                cmdline: /c sc config msdtc obj= LocalSystem

        PID 2680  C:\Windows\system32\sc.exe
                  cmdline: sc config msdtc obj= LocalSystem
                  - Launches sc.exe

      PID 2604  C:\Windows\system32\cmd.exe
                cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\dbHAiHVM.bat"

      PID 2324  C:\Windows\System32\bindsvc.exe
                cmdline: "C:\Windows\System32\bindsvc.exe"
                - Executes dropped EXE

PID 2800  C:\Windows\system32\SearchIndexer.exe
          cmdline: C:\Windows\system32\SearchIndexer.exe /Embedding
          - Loads dropped DLL
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

  PID 2228  C:\Windows\system32\SearchUserHost.exe
            cmdline: C:\Windows\system32\SearchUserHost.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

    PID 2612  C:\Windows\system32\cmd.exe
              cmdline: /c systeminfo
              - Suspicious use of WriteProcessMemory

      PID 2028  C:\Windows\system32\systeminfo.exe
                cmdline: systeminfo
                - Gathers system information

    PID 2120  C:\Windows\system32\cmd.exe
              cmdline: /c "tasklist /v"
              - Suspicious use of WriteProcessMemory

      PID 2184  C:\Windows\system32\tasklist.exe
                cmdline: tasklist /v
                - Enumerates processes with tasklist
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

    PID 2868  C:\Windows\system32\cmd.exe
              cmdline: /c "netstat -ano"
              - System Network Connections Discovery
              - Suspicious use of WriteProcessMemory

      PID 760   C:\Windows\system32\NETSTAT.EXE
                cmdline: netstat -ano
                - System Network Connections Discovery
                - Gathers network information
                - Suspicious use of AdjustPrivilegeToken

    PID 932   C:\Windows\system32\cmd.exe
              cmdline: /c "ipconfig /all"
              - Suspicious use of WriteProcessMemory

      PID 544   C:\Windows\system32\ipconfig.exe
                cmdline: ipconfig /all
                - Gathers network information

    PID 1536  C:\Windows\system32\cmd.exe
              cmdline: /c "route print"
              - Suspicious use of WriteProcessMemory

      PID 3048  C:\Windows\system32\ROUTE.EXE
                cmdline: route print

    PID 1540  C:\Windows\system32\cmd.exe
              cmdline: /c "arp -a"
              - Network Service Discovery
              - Suspicious use of WriteProcessMemory

      PID 1756  C:\Windows\system32\ARP.EXE
                cmdline: arp -a
                - Network Service Discovery

    PID 2068  C:\Windows\system32\cmd.exe
              cmdline: /c "tasklist /m msfte.dll"
              - Suspicious use of WriteProcessMemory

      PID 1876  C:\Windows\system32\tasklist.exe
                cmdline: tasklist /m msfte.dll
                - Enumerates processes with tasklist
                - Suspicious use of AdjustPrivilegeToken

    PID 316   C:\Windows\system32\cmd.exe
              cmdline: /c "net share"

      PID 1496  C:\Windows\system32\net.exe
                cmdline: net share

        PID 1872  C:\Windows\system32\net1.exe
                  cmdline: C:\Windows\system32\net1 share

    PID 2444  C:\Windows\system32\cmd.exe
              cmdline: /c "ping server"
              - System Network Configuration Discovery: Internet Connection Discovery

      PID 1596  C:\Windows\system32\PING.EXE
                cmdline: ping server
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe

    PID 2728  C:\Windows\system32\cmd.exe
              cmdline: /c "sc query hfile.sys"

      PID 2624  C:\Windows\system32\sc.exe
                cmdline: sc query hfile.sys
                - Launches sc.exe

  PID 2052  C:\Windows\system32\SearchProtocolHost.exe
            cmdline: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
            - Loads dropped DLL
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious use of SetWindowsHookEx

  PID 1040  C:\Windows\system32\SearchFilterHost.exe
            cmdline: "C:\Windows\system32\SearchFilterHost.exe" 0 544 548 556 65536 552
            - Loads dropped DLL
            - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Discovery:
- Network Service Discovery (1)
- Network Share Discovery (1)
- Process Discovery (1)
- Remote System Discovery (1)
- System Information Discovery (3)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
- System Network Connections Discovery (1)
Downloads