d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

Analysis

max time kernel
208s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
Size

432KB
MD5

b4fc3739d4a1d4ed2729ff9c50b5ad16
SHA1

eca039c37693c947dd712ec73eca46e6ae8d5693
SHA256

d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4
SHA512

1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f
SSDEEP

3072:KylGSGtGSGOGOGlGln+Vk8m8ClX0kUb+16H6b5p8I0yH/JN8HOWShM+L7aL7b:KgbELf/MS8cWdi5pV/JNWOVhMr

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 11 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 11 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinAlert.exe

Executes dropped EXE 10 IoCs

pid	Process
2628	WinSysApp.exe
1804	WinAlert.exe
5016	WinAlert.exe
4456	Commgr.exe
5104	Commgr.exe
5064	WinSysApp.exe
220	WinSysApp.exe
3244	Commgr.exe
2504	WinSysApp.exe
3020	WinSysApp.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WinAlert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Commgr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe

Adds Run key to start application 2 TTPs 45 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WinAlert.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Commgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
Token: SeDebugPrivilege	1804	WinAlert.exe
Token: SeDebugPrivilege	5016	WinAlert.exe
Token: SeDebugPrivilege	4456	Commgr.exe
Token: SeDebugPrivilege	5104	Commgr.exe
Token: SeDebugPrivilege	5064	WinSysApp.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 1804	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	82
PID 4328 wrote to memory of 1804	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	82
PID 4328 wrote to memory of 1804	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	82
PID 4328 wrote to memory of 2628	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	83
PID 4328 wrote to memory of 2628	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	83
PID 4328 wrote to memory of 2628	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	83
PID 4328 wrote to memory of 5016	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	81
PID 4328 wrote to memory of 5016	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	81
PID 4328 wrote to memory of 5016	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	81
PID 4328 wrote to memory of 4456	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	84
PID 4328 wrote to memory of 4456	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	84
PID 4328 wrote to memory of 4456	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	84
PID 4328 wrote to memory of 5104	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	85
PID 4328 wrote to memory of 5104	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	85
PID 4328 wrote to memory of 5104	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	85
PID 4328 wrote to memory of 5064	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	87
PID 4328 wrote to memory of 5064	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	87
PID 4328 wrote to memory of 5064	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	87
PID 4328 wrote to memory of 220	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	86
PID 4328 wrote to memory of 220	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	86
PID 4328 wrote to memory of 220	4328	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	86
PID 1804 wrote to memory of 3244	1804	WinAlert.exe	89
PID 1804 wrote to memory of 3244	1804	WinAlert.exe	89
PID 1804 wrote to memory of 3244	1804	WinAlert.exe	89
PID 1804 wrote to memory of 2504	1804	WinAlert.exe	88
PID 1804 wrote to memory of 2504	1804	WinAlert.exe	88
PID 1804 wrote to memory of 2504	1804	WinAlert.exe	88
PID 4456 wrote to memory of 3020	4456	Commgr.exe	90
PID 4456 wrote to memory of 3020	4456	Commgr.exe	90
PID 4456 wrote to memory of 3020	4456	Commgr.exe	90

C:\Users\Admin\AppData\Local\Temp\d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
"C:\Users\Admin\AppData\Local\Temp\d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Program Files\Windows Alerter\WinAlert.exe
  "C:\Program Files\Windows Alerter\WinAlert.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Program Files\Windows Alerter\WinAlert.exe
  "C:\Program Files\Windows Alerter\WinAlert.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2504
- - C:\Program Files\Windows Common Files\Commgr.exe
    "C:\Program Files\Windows Common Files\Commgr.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3244
- C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
  "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2628
- C:\Program Files\Windows Common Files\Commgr.exe
  "C:\Program Files\Windows Common Files\Commgr.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3020
- C:\Program Files\Windows Common Files\Commgr.exe
  "C:\Program Files\Windows Common Files\Commgr.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
  "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  PID:220
- C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
  "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:5064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342

Filesize
8KB

MD5
fdc76278f888a6f5c97e16ba456bb75d

SHA1
0c3570be08534430c2055915a5e57e22793ce2ce

SHA256
6998c24ddccadd714e0cd8569fe7fb988328761c999d9de30dc4d8a2605b3665

SHA512
17403791c198de38788caf1a924f5717c2325e0dc900a4a34ed966cf60333830c3ee37a948bc88a3058ac110b1a5450539ad2b58b3f3a842612cafd7377f1b16

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342

Filesize
8KB

MD5
a96fed2dde1e890d9806cb5500bad87f

SHA1
0add9af864bf1f505e0807f9dd57fa507023555e

SHA256
12c30f3daab5021ab55160330b1758b10111977542b5c95d7d448a7ff34a9bb9

SHA512
d6d3550f37b79b1cbede7d1f71144bdd348da63c7f4b988711c9d5a7f99dff2d326255a95c3354bdda8b8e128b88a165a696b4fda848a69bb38b7b81b9112ea6

Download Submit
memory/220-156-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1804-151-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2504-166-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2628-148-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3020-167-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3244-164-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4328-132-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4328-168-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4456-153-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4456-169-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5016-149-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5064-162-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5104-154-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download