7ac4ba6a0c6fcc5e815308e7a27b0b2148f9e7642651092db997ca178a024c3d

Analysis

max time kernel
140s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

793KB
MD5

e20a655b86160ccf447335a2c46f26b5
SHA1

d4ab242cb31486f3157e671c66a6928877153e33
SHA256

7ac4ba6a0c6fcc5e815308e7a27b0b2148f9e7642651092db997ca178a024c3d
SHA512

96d5d459c5788dea9c497a1bb8152caeb43595b768e5d432896dff2dceafc0abd2eadff6f9b3356882ff9530a795101191b07f91932eb346c05a2d9183356a73
SSDEEP

24576:hLAt3ieGOGoNOcfLtAz2QFPlePWBoytIj:te/VNLFIAPxGY

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

hioirkxfyzyjyjky.exeDameon.exe

pid process

460 hioirkxfyzyjyjky.exe
1600 Dameon.exe
Loads dropped DLL 6 IoCs

Processes:

file.exe

pid process

1088 file.exe
1088 file.exe
1088 file.exe
1088 file.exe
1088 file.exe
1088 file.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
460	hioirkxfyzyjyjky.exe
1600	Dameon.exe

pid	process
1088	file.exe
1088	file.exe
1088	file.exe
1088	file.exe
1088	file.exe
1088	file.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hioirkxfyzyjyjky.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dameon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\tools\\Dameon.exe"	hioirkxfyzyjyjky.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 checkip.amazonaws.com
25 checkip.amazonaws.com
42 checkip.amazonaws.com
43 checkip.amazonaws.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1588 1088 WerFault.exe file.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1368 schtasks.exe

flow	ioc
24	checkip.amazonaws.com
25	checkip.amazonaws.com
42	checkip.amazonaws.com
43	checkip.amazonaws.com

pid	pid_target	process	target process
1588	1088	WerFault.exe	file.exe

pid	process
1368	schtasks.exe

GoLang User-Agent 10 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	36	Go-http-client/1.1
HTTP User-Agent header	37	Go-http-client/1.1
HTTP User-Agent header	40	Go-http-client/1.1
HTTP User-Agent header	19	Go-http-client/1.1
HTTP User-Agent header	20	Go-http-client/1.1
HTTP User-Agent header	38	Go-http-client/1.1
HTTP User-Agent header	39	Go-http-client/1.1
HTTP User-Agent header	16	Go-http-client/1.1
HTTP User-Agent header	17	Go-http-client/1.1
HTTP User-Agent header	18	Go-http-client/1.1

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

hioirkxfyzyjyjky.exeDameon.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	hioirkxfyzyjyjky.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	hioirkxfyzyjyjky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Dameon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Dameon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Dameon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Dameon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	hioirkxfyzyjyjky.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	hioirkxfyzyjyjky.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1580 powershell.exe
768 powershell.exe
1972 powershell.exe
1380 powershell.exe

pid	process
1580	powershell.exe
768	powershell.exe
1972	powershell.exe
1380	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1044	WMIC.exe
Token: SeSecurityPrivilege	1044	WMIC.exe
Token: SeTakeOwnershipPrivilege	1044	WMIC.exe
Token: SeLoadDriverPrivilege	1044	WMIC.exe
Token: SeSystemProfilePrivilege	1044	WMIC.exe
Token: SeSystemtimePrivilege	1044	WMIC.exe
Token: SeProfSingleProcessPrivilege	1044	WMIC.exe
Token: SeIncBasePriorityPrivilege	1044	WMIC.exe
Token: SeCreatePagefilePrivilege	1044	WMIC.exe
Token: SeBackupPrivilege	1044	WMIC.exe
Token: SeRestorePrivilege	1044	WMIC.exe
Token: SeShutdownPrivilege	1044	WMIC.exe
Token: SeDebugPrivilege	1044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1044	WMIC.exe
Token: SeRemoteShutdownPrivilege	1044	WMIC.exe
Token: SeUndockPrivilege	1044	WMIC.exe
Token: SeManageVolumePrivilege	1044	WMIC.exe
Token: 33	1044	WMIC.exe
Token: 34	1044	WMIC.exe
Token: 35	1044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1044	WMIC.exe
Token: SeSecurityPrivilege	1044	WMIC.exe
Token: SeTakeOwnershipPrivilege	1044	WMIC.exe
Token: SeLoadDriverPrivilege	1044	WMIC.exe
Token: SeSystemProfilePrivilege	1044	WMIC.exe
Token: SeSystemtimePrivilege	1044	WMIC.exe
Token: SeProfSingleProcessPrivilege	1044	WMIC.exe
Token: SeIncBasePriorityPrivilege	1044	WMIC.exe
Token: SeCreatePagefilePrivilege	1044	WMIC.exe
Token: SeBackupPrivilege	1044	WMIC.exe
Token: SeRestorePrivilege	1044	WMIC.exe
Token: SeShutdownPrivilege	1044	WMIC.exe
Token: SeDebugPrivilege	1044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1044	WMIC.exe
Token: SeRemoteShutdownPrivilege	1044	WMIC.exe
Token: SeUndockPrivilege	1044	WMIC.exe
Token: SeManageVolumePrivilege	1044	WMIC.exe
Token: 33	1044	WMIC.exe
Token: 34	1044	WMIC.exe
Token: 35	1044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	292	WMIC.exe
Token: SeSecurityPrivilege	292	WMIC.exe
Token: SeTakeOwnershipPrivilege	292	WMIC.exe
Token: SeLoadDriverPrivilege	292	WMIC.exe
Token: SeSystemProfilePrivilege	292	WMIC.exe
Token: SeSystemtimePrivilege	292	WMIC.exe
Token: SeProfSingleProcessPrivilege	292	WMIC.exe
Token: SeIncBasePriorityPrivilege	292	WMIC.exe
Token: SeCreatePagefilePrivilege	292	WMIC.exe
Token: SeBackupPrivilege	292	WMIC.exe
Token: SeRestorePrivilege	292	WMIC.exe
Token: SeShutdownPrivilege	292	WMIC.exe
Token: SeDebugPrivilege	292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	292	WMIC.exe
Token: SeRemoteShutdownPrivilege	292	WMIC.exe
Token: SeUndockPrivilege	292	WMIC.exe
Token: SeManageVolumePrivilege	292	WMIC.exe
Token: 33	292	WMIC.exe
Token: 34	292	WMIC.exe
Token: 35	292	WMIC.exe
Token: SeIncreaseQuotaPrivilege	292	WMIC.exe
Token: SeSecurityPrivilege	292	WMIC.exe
Token: SeTakeOwnershipPrivilege	292	WMIC.exe
Token: SeLoadDriverPrivilege	292	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exehioirkxfyzyjyjky.execmd.execmd.exepowershell.exetaskeng.exeDameon.execmd.exe

description	pid	process	target process
PID 1088 wrote to memory of 460	1088	file.exe	hioirkxfyzyjyjky.exe
PID 1088 wrote to memory of 460	1088	file.exe	hioirkxfyzyjyjky.exe
PID 1088 wrote to memory of 460	1088	file.exe	hioirkxfyzyjyjky.exe
PID 1088 wrote to memory of 460	1088	file.exe	hioirkxfyzyjyjky.exe
PID 460 wrote to memory of 1128	460	hioirkxfyzyjyjky.exe	cmd.exe
PID 460 wrote to memory of 1128	460	hioirkxfyzyjyjky.exe	cmd.exe
PID 460 wrote to memory of 1128	460	hioirkxfyzyjyjky.exe	cmd.exe
PID 460 wrote to memory of 1128	460	hioirkxfyzyjyjky.exe	cmd.exe
PID 1128 wrote to memory of 1044	1128	cmd.exe	WMIC.exe
PID 1128 wrote to memory of 1044	1128	cmd.exe	WMIC.exe
PID 1128 wrote to memory of 1044	1128	cmd.exe	WMIC.exe
PID 1128 wrote to memory of 1044	1128	cmd.exe	WMIC.exe
PID 460 wrote to memory of 1368	460	hioirkxfyzyjyjky.exe	cmd.exe
PID 460 wrote to memory of 1368	460	hioirkxfyzyjyjky.exe	cmd.exe
PID 460 wrote to memory of 1368	460	hioirkxfyzyjyjky.exe	cmd.exe
PID 460 wrote to memory of 1368	460	hioirkxfyzyjyjky.exe	cmd.exe
PID 1368 wrote to memory of 292	1368	cmd.exe	WMIC.exe
PID 1368 wrote to memory of 292	1368	cmd.exe	WMIC.exe
PID 1368 wrote to memory of 292	1368	cmd.exe	WMIC.exe
PID 1368 wrote to memory of 292	1368	cmd.exe	WMIC.exe
PID 460 wrote to memory of 1252	460	hioirkxfyzyjyjky.exe	wmic.exe
PID 460 wrote to memory of 1252	460	hioirkxfyzyjyjky.exe	wmic.exe
PID 460 wrote to memory of 1252	460	hioirkxfyzyjyjky.exe	wmic.exe
PID 460 wrote to memory of 1252	460	hioirkxfyzyjyjky.exe	wmic.exe
PID 1088 wrote to memory of 1588	1088	file.exe	WerFault.exe
PID 1088 wrote to memory of 1588	1088	file.exe	WerFault.exe
PID 1088 wrote to memory of 1588	1088	file.exe	WerFault.exe
PID 1088 wrote to memory of 1588	1088	file.exe	WerFault.exe
PID 460 wrote to memory of 1580	460	hioirkxfyzyjyjky.exe	powershell.exe
PID 460 wrote to memory of 1580	460	hioirkxfyzyjyjky.exe	powershell.exe
PID 460 wrote to memory of 1580	460	hioirkxfyzyjyjky.exe	powershell.exe
PID 460 wrote to memory of 1580	460	hioirkxfyzyjyjky.exe	powershell.exe
PID 460 wrote to memory of 768	460	hioirkxfyzyjyjky.exe	powershell.exe
PID 460 wrote to memory of 768	460	hioirkxfyzyjyjky.exe	powershell.exe
PID 460 wrote to memory of 768	460	hioirkxfyzyjyjky.exe	powershell.exe
PID 460 wrote to memory of 768	460	hioirkxfyzyjyjky.exe	powershell.exe
PID 460 wrote to memory of 1972	460	hioirkxfyzyjyjky.exe	powershell.exe
PID 460 wrote to memory of 1972	460	hioirkxfyzyjyjky.exe	powershell.exe
PID 460 wrote to memory of 1972	460	hioirkxfyzyjyjky.exe	powershell.exe
PID 460 wrote to memory of 1972	460	hioirkxfyzyjyjky.exe	powershell.exe
PID 460 wrote to memory of 1380	460	hioirkxfyzyjyjky.exe	powershell.exe
PID 460 wrote to memory of 1380	460	hioirkxfyzyjyjky.exe	powershell.exe
PID 460 wrote to memory of 1380	460	hioirkxfyzyjyjky.exe	powershell.exe
PID 460 wrote to memory of 1380	460	hioirkxfyzyjyjky.exe	powershell.exe
PID 1380 wrote to memory of 1368	1380	powershell.exe	schtasks.exe
PID 1380 wrote to memory of 1368	1380	powershell.exe	schtasks.exe
PID 1380 wrote to memory of 1368	1380	powershell.exe	schtasks.exe
PID 1380 wrote to memory of 1368	1380	powershell.exe	schtasks.exe
PID 1880 wrote to memory of 1600	1880	taskeng.exe	Dameon.exe
PID 1880 wrote to memory of 1600	1880	taskeng.exe	Dameon.exe
PID 1880 wrote to memory of 1600	1880	taskeng.exe	Dameon.exe
PID 1880 wrote to memory of 1600	1880	taskeng.exe	Dameon.exe
PID 1600 wrote to memory of 1308	1600	Dameon.exe	cmd.exe
PID 1600 wrote to memory of 1308	1600	Dameon.exe	cmd.exe
PID 1600 wrote to memory of 1308	1600	Dameon.exe	cmd.exe
PID 1600 wrote to memory of 1308	1600	Dameon.exe	cmd.exe
PID 1308 wrote to memory of 1624	1308	cmd.exe	WMIC.exe
PID 1308 wrote to memory of 1624	1308	cmd.exe	WMIC.exe
PID 1308 wrote to memory of 1624	1308	cmd.exe	WMIC.exe
PID 1308 wrote to memory of 1624	1308	cmd.exe	WMIC.exe
PID 1600 wrote to memory of 1376	1600	Dameon.exe	cmd.exe
PID 1600 wrote to memory of 1376	1600	Dameon.exe	cmd.exe
PID 1600 wrote to memory of 1376	1600	Dameon.exe	cmd.exe
PID 1600 wrote to memory of 1376	1600	Dameon.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\hioirkxfyzyjyjky.exe
"hioirkxfyzyjyjky.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:292

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
3⤵
PID:1252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Set-ItemProperty -Path C:\Users\Admin\AppData\Roaming\Mozilla\tools\Dameon.exe -Name CreationTime -Value \"06/13/2019 3:16 PM\""
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Set-ItemProperty -Path C:\Users\Admin\AppData\Roaming\Mozilla\tools\Dameon.exe -Name LastWriteTime -Value \"06/13/2019 3:16 PM\""
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Set-ItemProperty -Path C:\Users\Admin\AppData\Roaming\Mozilla\tools\Dameon.exe -Name LastAccessTime -Value \"06/13/2019 3:16 PM\""
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN Dameon /TR C:\Users\Admin\AppData\Roaming\Mozilla\tools\Dameon.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN Dameon /TR C:\Users\Admin\AppData\Roaming\Mozilla\tools\Dameon.exe
4⤵
- Creates scheduled task(s)
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 1408
2⤵
- Program crash
PID:1588

C:\Windows\system32\taskeng.exe
taskeng.exe {BEAA956F-6D40-4731-9CEB-9418DB7300F3} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Roaming\Mozilla\tools\Dameon.exe
C:\Users\Admin\AppData\Roaming\Mozilla\tools\Dameon.exe
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
PID:1376

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
PID:1964

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
3⤵
PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
febc13aae29a296f2799e0be8db15844

SHA1
56a4554fa8eceaf039ce0470ddfca84f0c016764

SHA256
52de39a069a01976db53163ba174672d654ada60dcb03013f46c10cce3e39b30

SHA512
ee5c0af1254db2ac37f392f5537060bf8cc9edf448f02217eb1f68c76b859e0a8a9328ee10e28e2a914dd2d4d5b6e540aad3ea0d7a33fdb4934e69868bf7b7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\hioirkxfyzyjyjky.exe

Filesize
4.4MB

MD5
5edbd58e96f8d635ad11061887f4e4d2

SHA1
762698ae098ea05df49ab32134895d58a71dfcae

SHA256
0892220029b9506b7089f1c8bd668a4286251a7bbd25998ccdf703e6e172646a

SHA512
8bf3acd9afaac5beaba42e348e9e6ec6815c6256780f2f6f8f61fbbb9cfcab01f085dfb63515f25284860f2693b065685e7d47ae7e8e07014d128169e47e6db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hioirkxfyzyjyjky.exe

Filesize
4.4MB

MD5
5edbd58e96f8d635ad11061887f4e4d2

SHA1
762698ae098ea05df49ab32134895d58a71dfcae

SHA256
0892220029b9506b7089f1c8bd668a4286251a7bbd25998ccdf703e6e172646a

SHA512
8bf3acd9afaac5beaba42e348e9e6ec6815c6256780f2f6f8f61fbbb9cfcab01f085dfb63515f25284860f2693b065685e7d47ae7e8e07014d128169e47e6db0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
04da8ab6551f617531c4dac341f1b92b

SHA1
c118fdc23ecd7e1fe63b00e1317888f7fa28b10e

SHA256
b1ee2391df22d4cf228889ccbc42360fff4399fad43bd3c518307aa7c560ff5e

SHA512
8052f6b79347042d3cc6336dc66d1f9b34afdfb004875353c7acb34c380dc0555927388dfc66f9979550ec3d18e1d0114fd85e84834ca01082db156b50bbfb71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
04da8ab6551f617531c4dac341f1b92b

SHA1
c118fdc23ecd7e1fe63b00e1317888f7fa28b10e

SHA256
b1ee2391df22d4cf228889ccbc42360fff4399fad43bd3c518307aa7c560ff5e

SHA512
8052f6b79347042d3cc6336dc66d1f9b34afdfb004875353c7acb34c380dc0555927388dfc66f9979550ec3d18e1d0114fd85e84834ca01082db156b50bbfb71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
04da8ab6551f617531c4dac341f1b92b

SHA1
c118fdc23ecd7e1fe63b00e1317888f7fa28b10e

SHA256
b1ee2391df22d4cf228889ccbc42360fff4399fad43bd3c518307aa7c560ff5e

SHA512
8052f6b79347042d3cc6336dc66d1f9b34afdfb004875353c7acb34c380dc0555927388dfc66f9979550ec3d18e1d0114fd85e84834ca01082db156b50bbfb71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\tools\Dameon.exe

Filesize
530.4MB

MD5
4e61ce18b1bbe0dec82f85e225c5351f

SHA1
fc3e0a1514f29d604609137938a7e681e85c68ce

SHA256
4a6f8fc9c4d7b2704cfb172b9deab8ff82865b6bab26aa23f158d96fb851baea

SHA512
4138f60bcac785e13809d5f4fab2af46bed099b02b65889a40422fe239953c8139ab047717d6075d3f3a5d1fef1c2712ad8af00806d41436a63235715cbd6a54

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\tools\Dameon.exe

Filesize
530.4MB

MD5
4e61ce18b1bbe0dec82f85e225c5351f

SHA1
fc3e0a1514f29d604609137938a7e681e85c68ce

SHA256
4a6f8fc9c4d7b2704cfb172b9deab8ff82865b6bab26aa23f158d96fb851baea

SHA512
4138f60bcac785e13809d5f4fab2af46bed099b02b65889a40422fe239953c8139ab047717d6075d3f3a5d1fef1c2712ad8af00806d41436a63235715cbd6a54

Download Submit
\Users\Admin\AppData\Local\Temp\freebl3.dll

Filesize
669KB

MD5
ed6249f72ba742802b2fa3ef20900d18

SHA1
6e50eec3f0b13ff71f86ffc46cf7a1d079381bf3

SHA256
a5396eba9d0564f4bcbafd5a8c4a4019b4b50a5c70a42aef5491a230d21f2922

SHA512
6da4cd5642becef120dbde2d070332d08bf5779bc0ffe66bf3cc51ca13db5619ee0b4f8fe3bc897c1876614a2512b2598f5d1c372764dd18b474081004d87c98

Download Submit
\Users\Admin\AppData\Local\Temp\hioirkxfyzyjyjky.exe

Filesize
4.4MB

MD5
5edbd58e96f8d635ad11061887f4e4d2

SHA1
762698ae098ea05df49ab32134895d58a71dfcae

SHA256
0892220029b9506b7089f1c8bd668a4286251a7bbd25998ccdf703e6e172646a

SHA512
8bf3acd9afaac5beaba42e348e9e6ec6815c6256780f2f6f8f61fbbb9cfcab01f085dfb63515f25284860f2693b065685e7d47ae7e8e07014d128169e47e6db0

Download Submit
\Users\Admin\AppData\Local\Temp\hioirkxfyzyjyjky.exe

Filesize
4.4MB

MD5
5edbd58e96f8d635ad11061887f4e4d2

SHA1
762698ae098ea05df49ab32134895d58a71dfcae

SHA256
0892220029b9506b7089f1c8bd668a4286251a7bbd25998ccdf703e6e172646a

SHA512
8bf3acd9afaac5beaba42e348e9e6ec6815c6256780f2f6f8f61fbbb9cfcab01f085dfb63515f25284860f2693b065685e7d47ae7e8e07014d128169e47e6db0

Download Submit
\Users\Admin\AppData\Local\Temp\mozglue.dll

Filesize
627KB

MD5
5d59e053d45049ffb8c6c08d8944e30c

SHA1
292f748d5e326143c3233e9d290087337700d606

SHA256
bcbf8c8ba4386b7716d5481ef9d089b9448990736d3eebdcfa611a09045c3ec3

SHA512
0f8b1c9c30d7b71fb7560377e5895c7bd15d71928c34465b1dde31ae770b6d38d5bac4d34ef4add9e08b72f2b9ea53958f167b0690fa0731af205528512a987b

Download Submit
\Users\Admin\AppData\Local\Temp\nss3.dll

Filesize
2.0MB

MD5
05ed4ffbf6b785750d2cdacca9287f10

SHA1
579c656536ce9cd076fc790cf443caf3a8db5b8f

SHA256
0bce97e8f6cc435250fb6aea0441e4146c7c8f8d90a9b1e76dfabd8701bfd882

SHA512
dddabf3ab629ec5b15e879f90d5f9bb69d6a8b47222989d3e683cbc8a6d4072740a5c5db05952d236529dfdde645990d21a4a9b32c4419ace9e2fe409fce4f01

Download Submit
\Users\Admin\AppData\Local\Temp\softokn3.dll

Filesize
251KB

MD5
3a59b504f6c41324b0d6cb6edbe3ad61

SHA1
2b3aff110badd913d221605d2f01638473dc5756

SHA256
c10801dba6c50237dba700fe2be920f091792e45c32e00db7c63c2c19a35f3a5

SHA512
56c9b7d4afcf8666aedaf55f819b799f2d84bc0736e0c431973114ae760da57209041785b7894f8b6d8d3e70bf040db68f7a95fcbb419fb6c44b70266eecc02d

Download Submit
memory/292-63-0x0000000000000000-mapping.dmp

Download
memory/460-57-0x0000000000000000-mapping.dmp

Download
memory/768-90-0x00000000731B0000-0x000000007375B000-memory.dmp

Filesize
5.7MB

Download
memory/768-87-0x0000000000000000-mapping.dmp

Download
memory/1044-61-0x0000000000000000-mapping.dmp

Download
memory/1088-91-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1088-64-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1088-76-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1088-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1128-108-0x0000000000000000-mapping.dmp

Download
memory/1128-60-0x0000000000000000-mapping.dmp

Download
memory/1252-75-0x0000000000000000-mapping.dmp

Download
memory/1308-104-0x0000000000000000-mapping.dmp

Download
memory/1368-62-0x0000000000000000-mapping.dmp

Download
memory/1368-100-0x0000000000000000-mapping.dmp

Download
memory/1376-106-0x0000000000000000-mapping.dmp

Download
memory/1380-96-0x0000000000000000-mapping.dmp

Download
memory/1380-99-0x00000000731B0000-0x000000007375B000-memory.dmp

Filesize
5.7MB

Download
memory/1380-101-0x00000000731B0000-0x000000007375B000-memory.dmp

Filesize
5.7MB

Download
memory/1580-86-0x00000000733E0000-0x000000007398B000-memory.dmp

Filesize
5.7MB

Download
memory/1580-84-0x00000000733E0000-0x000000007398B000-memory.dmp

Filesize
5.7MB

Download
memory/1580-82-0x0000000000000000-mapping.dmp

Download
memory/1588-80-0x0000000000000000-mapping.dmp

Download
memory/1600-102-0x0000000000000000-mapping.dmp

Download
memory/1624-105-0x0000000000000000-mapping.dmp

Download
memory/1964-107-0x0000000000000000-mapping.dmp

Download
memory/1972-95-0x0000000073180000-0x000000007372B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-92-0x0000000000000000-mapping.dmp

Download