floxif | 2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2025 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
Size

1.6MB
MD5

c9af5e14702d16021329c78a62c8a1ec
SHA1

a1188edd7da186be09137051b96920568ea4742e
SHA256

2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1
SHA512

b41931cb43f8faa2b2f4c457b0cc8767b31ed6d0a37c04e1852901a81dd8cd40dcb5e39b89e5414d474a7a445a98e1d8e2b1a1755d0bb73982c86080cfde9697
SSDEEP

24576:1nsJ39LyjbJkQFMhmC+6GD9LaHGvMCrrjSnyIQ8+ekGA8PSmMrEH7b:1nsHyjtk2MYC5GD9fvLjlIQxe5Su

Score

10^/10

floxif xred backdoor discovery persistence trojan upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x0008000000023e63-119.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023e63-119.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation	2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
3204	Synaptics.exe
1676	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
1676	._cache_Synaptics.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2764	Process not Found
1784	MicrosoftEdgeUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2380-122-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/files/0x0008000000023e63-119.dat	upx
behavioral2/memory/1676-210-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2380-317-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2380-321-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1676-324-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1676-323-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1676-326-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2380-334-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2380-340-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2380-344-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2380-380-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	\??\c:\program files\common files\system\symsrv.dll.000	._cache_Synaptics.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\msedgeupdate.dll	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\msedgeupdate.dll.tmp	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\msedgeupdate.dll.dat	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2848	2764	WerFault.exe	113
1224	1784	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1784	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3132	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
1676	._cache_Synaptics.exe
1676	._cache_Synaptics.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
Token: SeDebugPrivilege	1676	._cache_Synaptics.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
2380	._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
3132	EXCEL.EXE
3132	EXCEL.EXE
3132	EXCEL.EXE
3132	EXCEL.EXE
3132	EXCEL.EXE
3132	EXCEL.EXE
3132	EXCEL.EXE
3132	EXCEL.EXE
3908	OpenWith.exe
1336	OpenWith.exe
4916	OpenWith.exe
3108	OpenWith.exe
4028	OpenWith.exe
2092	OpenWith.exe
4788	OpenWith.exe
4560	OpenWith.exe
2008	OpenWith.exe
3720	OpenWith.exe
1212	OpenWith.exe
1632	OpenWith.exe
2848	OpenWith.exe
1224	OpenWith.exe
1920	OpenWith.exe
4908	OpenWith.exe
2008	OpenWith.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 2380	3868	2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe	88
PID 3868 wrote to memory of 2380	3868	2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe	88
PID 3868 wrote to memory of 2380	3868	2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe	88
PID 3868 wrote to memory of 3204	3868	2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe	90
PID 3868 wrote to memory of 3204	3868	2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe	90
PID 3868 wrote to memory of 3204	3868	2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe	90
PID 3204 wrote to memory of 1676	3204	Synaptics.exe	92
PID 3204 wrote to memory of 1676	3204	Synaptics.exe	92
PID 3204 wrote to memory of 1676	3204	Synaptics.exe	92

C:\Users\Admin\AppData\Local\Temp\2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
"C:\Users\Admin\AppData\Local\Temp\2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Users\Admin\AppData\Local\Temp\._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2380
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1676

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3908

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4916

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3108

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4028

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2764 -ip 2764
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 520
1⤵
- Program crash
PID:2848

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QUFFNjIyRjItMUQ0OS00MkZDLUIyNEEtRjUyQTNFMTAxOTk3fSIgdXNlcmlkPSJ7NjRCM0MyQjYtN0REQy00MjIxLThCMjQtNUQ2QjlGNzcxMTNEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODVFRjIwMEQtN0Q1Qy00MDdBLUIzRTEtNUNENEREQzhBMDU1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI5IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY0MzMiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODc1OTU2NTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTMyNTA5ODY3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 520
  2⤵
  - Program crash
  PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1784 -ip 1784
1⤵
PID:3208

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4560

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3720

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1212

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1632

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2848

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1224

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1920

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4908

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\msedgeupdate.dll.tmp

Filesize
2.2MB

MD5
85a214c853f61421af9ade49fc6ee031

SHA1
a57429dcc3cba6818bc28a1215c8094e45c6053f

SHA256
fe3314c32051138799ca7bf9f54205ef3b65ba1beefa7b2e8c9ecf511223c838

SHA512
3914ab0f5d4d5a4eb359a3bbe2b3d9878fd384bf156d4acca58929cbdf7f31ae3f22d40e99fb7e42decf19ce5ab5c88e82df21ba4b0330b610f0def1dd2dd1a0

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.6MB

MD5
c9af5e14702d16021329c78a62c8a1ec

SHA1
a1188edd7da186be09137051b96920568ea4742e

SHA256
2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1

SHA512
b41931cb43f8faa2b2f4c457b0cc8767b31ed6d0a37c04e1852901a81dd8cd40dcb5e39b89e5414d474a7a445a98e1d8e2b1a1755d0bb73982c86080cfde9697

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe.tmp

Filesize
1.7MB

MD5
ff527bc39fd19f9278b688fa2ff79c6e

SHA1
979c164f017fbecca9ca8775cee243ee4afa11d9

SHA256
2c198960bd04370e4012fa2b9a9cdfece20dfc0f55929aeb7a88ed7c2999790e

SHA512
1316a60d401080d9db5b97f0c5b7628a53c871709496835f6a8226335069ce9a510f495f9a03e99816ef28357dca40750e911f93edd7cbc60fffabec581d089b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.exe

Filesize
879KB

MD5
57012ffb9cb829beece48c27afb015c7

SHA1
6bab4d0e5134382f42e03bf00dfc2c9f003dc5dc

SHA256
e3b279d4598068b8e1f03a0153fc00d6357b8a2778d9705f39d14fb1d4384ffb

SHA512
ca0058efe23dcf7471ba17974237f72c2b7e909c4d2faacde3ef62fb1bb0c1a5a603643792961a1c2cfe39c9762dcbe9d4dc9d9b73c8039e8107c22912b50442

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2e53f769906769387446ad51ef633e61d6ee467416b7d63c6c6d9722a52dc5c1.ini

Filesize
1KB

MD5
1dbccc3e0ffc16bc91d940131a90cd16

SHA1
41924fd703db94fb07ecc5dc3ba56d6b5c0da56d

SHA256
82d39ef4cacaa2702ec7ce4a223a1466a0a86d98b1bab824a095329b6797d43b

SHA512
1341ac244df535d536d251c1f0903e2ad6876098c42a8dbffe252fbec1e86db4c06c8cb85d7e77616d694b96ac694b5101fb1debb240dab5c7fd8b7f8641fb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\5BE75E00

Filesize
25KB

MD5
92922312c30a2ddadb96562975a2ac6d

SHA1
091bba061b9cc7a4f1a8fe9e98ad32f8cdf920b3

SHA256
669990f7669a0501c3bf136689e1ee1654418eb04918149bf867d5031f678ad2

SHA512
dd474add2f54917d387c8f53a5d522803bd20c0d2babcc405634b95e1a6db5e12bb09be5d92d21d08115f5b3ca93a572ec1093c081049066c256576819f24890

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAzu81hM.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdxlevg

Filesize
37KB

MD5
4f4cfdec02b700d2582f27f6943a1f81

SHA1
37027566e228abba3cc596ae860110638231da14

SHA256
18a13223c2587bc03ce14be7a63325f3c60d6f805e1bb96e32025ecdc1d620b7

SHA512
146128ecb8bc682510a92f58cea58bfed68a215438d235b1b79ad6e0ef1f0f6a6b9400c7b83d70ddf7d8a22a5bcaca17b6532650192b4448e811dd7b4335b592

Download Submit
\??\c:\program files\common files\system\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
memory/1676-210-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1676-324-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1676-326-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1676-323-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2380-317-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2380-321-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2380-380-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2380-344-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2380-340-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2380-334-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2380-136-0x0000000000421000-0x0000000000424000-memory.dmp

Filesize
12KB

Download
memory/2380-122-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3132-249-0x00007FFD073B0000-0x00007FFD073C0000-memory.dmp

Filesize
64KB

Download
memory/3132-248-0x00007FFD073B0000-0x00007FFD073C0000-memory.dmp

Filesize
64KB

Download
memory/3132-258-0x00007FFD04A50000-0x00007FFD04A60000-memory.dmp

Filesize
64KB

Download
memory/3132-250-0x00007FFD073B0000-0x00007FFD073C0000-memory.dmp

Filesize
64KB

Download
memory/3132-252-0x00007FFD073B0000-0x00007FFD073C0000-memory.dmp

Filesize
64KB

Download
memory/3132-251-0x00007FFD073B0000-0x00007FFD073C0000-memory.dmp

Filesize
64KB

Download
memory/3132-265-0x00007FFD04A50000-0x00007FFD04A60000-memory.dmp

Filesize
64KB

Download
memory/3204-322-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/3204-135-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3204-318-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3204-375-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/3868-134-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/3868-0-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download