71a83ef659aa734ae2dfcf7e106f3003e03fd29931e50ce9cf7f926cabd5ff06

Analysis

max time kernel
147s
max time network
213s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/12/2022, 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kaspersky-21.2.16.590.exe
Size

2.8MB
MD5

051a4c0c1f78a4acfd61af4a00c04d9a
SHA1

a7d5522903f48c89f24f8893c480b8eb0360198e
SHA256

71a83ef659aa734ae2dfcf7e106f3003e03fd29931e50ce9cf7f926cabd5ff06
SHA512

1b4f8dd6f7f48ec130587782936a10e016cb69234fef30b2b19ee2eb1948f7b1ff15a0085746d122018db65d89748681c2df51da011cb145093cbdb473e389d7
SSDEEP

49152:alINc3mvkxv9HnIyB8cKGdUDUe2QK0m0zJgHvQtuEG2EeyByoyjf02yt8o15D0:8INc3vbHnIyB8dGdU4e9Vzxtu/2ndogI

Score

8^/10

evasion trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1656	TEST_WPF.EXE

Loads dropped DLL 4 IoCs

pid	Process
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1656	TEST_WPF.EXE
1904	kaspersky-21.2.16.590.exe

Checks for any installed AV software in registry 1 TTPs 46 IoCs

Security Software Discovery

T1063

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\Enable Browser Extensions = "no"	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\Anchor Underline	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\SmoothScroll	kaspersky-21.2.16.590.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\International	kaspersky-21.2.16.590.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Settings	kaspersky-21.2.16.590.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Styles	kaspersky-21.2.16.590.exe
Key queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main	kaspersky-21.2.16.590.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab	kaspersky-21.2.16.590.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\Print_Background	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\Enable AutoImageResize	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\UseHR	kaspersky-21.2.16.590.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\XDomainRequest	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\JScriptProfileCacheEventDelay	kaspersky-21.2.16.590.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Viewport	kaspersky-21.2.16.590.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\UseSWRender = "1"	kaspersky-21.2.16.590.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\AdvancedOptions\DISAMBIGUATION	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\Use_DlgBox_Colors	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\Display Inline Videos	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\Disable Script Debugger	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\Disable Diagnostics Mode	kaspersky-21.2.16.590.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	kaspersky-21.2.16.590.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride	kaspersky-21.2.16.590.exe
Key queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\CSS_Compat	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\Expand Alt Text	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\Display Inline Images	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\Play_Background_Sounds	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\Show image placeholders	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\DisableScriptDebuggerIE	kaspersky-21.2.16.590.exe
Key queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\Q300829	kaspersky-21.2.16.590.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\International\Scripts\4	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\Move System Caret	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\RtfConverterFlags	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\XMLHTTP	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\DOMStorage	kaspersky-21.2.16.590.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\International\Scripts	kaspersky-21.2.16.590.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\Cleanup HTCs	kaspersky-21.2.16.590.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Text Scaling	kaspersky-21.2.16.590.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Larger Hit Test	kaspersky-21.2.16.590.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\MenuExt	kaspersky-21.2.16.590.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\International\Scripts\3	kaspersky-21.2.16.590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\KasperskyLab\IEOverride\Main\Play_Animations	kaspersky-21.2.16.590.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kaspersky-21.2.16.590.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\installer	kaspersky-21.2.16.590.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	kaspersky-21.2.16.590.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	kaspersky-21.2.16.590.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	kaspersky-21.2.16.590.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	kaspersky-21.2.16.590.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	kaspersky-21.2.16.590.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	kaspersky-21.2.16.590.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	kaspersky-21.2.16.590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	kaspersky-21.2.16.590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	kaspersky-21.2.16.590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	kaspersky-21.2.16.590.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	kaspersky-21.2.16.590.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	kaspersky-21.2.16.590.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	kaspersky-21.2.16.590.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1820	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1820	AUDIODG.EXE
Token: 33	1820	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1820	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1904	kaspersky-21.2.16.590.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe
1904	kaspersky-21.2.16.590.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1656	1904	kaspersky-21.2.16.590.exe	31
PID 1904 wrote to memory of 1656	1904	kaspersky-21.2.16.590.exe	31
PID 1904 wrote to memory of 1656	1904	kaspersky-21.2.16.590.exe	31
PID 1904 wrote to memory of 1656	1904	kaspersky-21.2.16.590.exe	31

C:\Users\Admin\AppData\Local\Temp\kaspersky-21.2.16.590.exe
"C:\Users\Admin\AppData\Local\Temp\kaspersky-21.2.16.590.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\C43E2FF0-8798-11ED-8FA4-466E2F293893\TEST_WPF.EXE
  "C:\Users\Admin\AppData\Local\Temp\C43E2FF0-8798-11ED-8FA4-466E2F293893\TEST_WPF.EXE" "C:\Users\Admin\AppData\Local\Temp\09DC786A8978DE11F84A64E6F2928339\setup.dll"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1656

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x57c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\09DC786A8978DE11F84A64E6F2928339\setup.dll

Filesize
5.4MB

MD5
2f671ef0834015fb62e164c245975572

SHA1
92cee28181b78ec13dc7265a1ec21b92932e7d78

SHA256
6751cc59a8645fe24d01586d2930fd6abcaa5ec94393cccdaf096f05cb784ea8

SHA512
4b7982c806d68c2ed9019ce5694a1a7e0d7300ff36537b716e7b7a5e1521333359d3944a3b1c8c4d479aed112ddb8515ab5a6efb4d6a7082907d653ec08022e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\C43E2FF0-8798-11ED-8FA4-466E2F293893\TEST_WPF.EXE

Filesize
25KB

MD5
ae4e9414ab1c809d6ed98e8e60a0f2f9

SHA1
d82aeac85306ed3045803d05eaec0f800fc1fbd4

SHA256
ae5346661f9f0fd6dd550af1ff60e214f61326cb5ce0baddef1bbe58e0d48e42

SHA512
7fdb0bab8fe1b8395037aa9eee7b12a6e3f521fcf8f110a568051a283044d6846e2d9577800e2693336f47b5506a25207a955b52aed2e26336f06e10d6c3de5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C43E2FF0-8798-11ED-8FA4-466E2F293893\TEST_WPF.EXE

Filesize
25KB

MD5
ae4e9414ab1c809d6ed98e8e60a0f2f9

SHA1
d82aeac85306ed3045803d05eaec0f800fc1fbd4

SHA256
ae5346661f9f0fd6dd550af1ff60e214f61326cb5ce0baddef1bbe58e0d48e42

SHA512
7fdb0bab8fe1b8395037aa9eee7b12a6e3f521fcf8f110a568051a283044d6846e2d9577800e2693336f47b5506a25207a955b52aed2e26336f06e10d6c3de5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C43E2FF0-8798-11ED-8FA4-466E2F293893\TEST_WPF.EXE.config

Filesize
215B

MD5
291d5cf5b0752c78eaefa2c1d099cdd6

SHA1
39d2c6a4ac22c219de3bf7e44733e4d02e4a08d8

SHA256
8a09e9d24204a2e4dcbb2ace67e06e7a04934fa7b1741579aa2ccddc3eeb7a8d

SHA512
0b10053abfdbc49a35191ad7e8e73bee0550ef50fb1cd5fe368e3e21260e948d91521e74e6a7ad31547aa4ab3d157ce8a17ad60632e0e27c82436bcb0da15c34

Download Submit
\Users\Admin\AppData\Local\Temp\09DC786A8978DE11F84A64E6F2928339\setup.dll

Filesize
5.4MB

MD5
2f671ef0834015fb62e164c245975572

SHA1
92cee28181b78ec13dc7265a1ec21b92932e7d78

SHA256
6751cc59a8645fe24d01586d2930fd6abcaa5ec94393cccdaf096f05cb784ea8

SHA512
4b7982c806d68c2ed9019ce5694a1a7e0d7300ff36537b716e7b7a5e1521333359d3944a3b1c8c4d479aed112ddb8515ab5a6efb4d6a7082907d653ec08022e2

Download Submit
\Users\Admin\AppData\Local\Temp\09DC786A8978DE11F84A64E6F2928339\setup.dll

Filesize
5.4MB

MD5
2f671ef0834015fb62e164c245975572

SHA1
92cee28181b78ec13dc7265a1ec21b92932e7d78

SHA256
6751cc59a8645fe24d01586d2930fd6abcaa5ec94393cccdaf096f05cb784ea8

SHA512
4b7982c806d68c2ed9019ce5694a1a7e0d7300ff36537b716e7b7a5e1521333359d3944a3b1c8c4d479aed112ddb8515ab5a6efb4d6a7082907d653ec08022e2

Download Submit
\Users\Admin\AppData\Local\Temp\C43E2FF0-8798-11ED-8FA4-466E2F293893\TEST_WPF.EXE

Filesize
25KB

MD5
ae4e9414ab1c809d6ed98e8e60a0f2f9

SHA1
d82aeac85306ed3045803d05eaec0f800fc1fbd4

SHA256
ae5346661f9f0fd6dd550af1ff60e214f61326cb5ce0baddef1bbe58e0d48e42

SHA512
7fdb0bab8fe1b8395037aa9eee7b12a6e3f521fcf8f110a568051a283044d6846e2d9577800e2693336f47b5506a25207a955b52aed2e26336f06e10d6c3de5a

Download Submit
\Users\Admin\AppData\Local\Temp\CA353200-8798-11ED-8FA4-466E2F293893\Cleaner\cleanapi.dll

Filesize
5.2MB

MD5
8ffe3a1d89cf4dcb0284ed5c78c98a9a

SHA1
683308ae8e3e1786bea08d2019bccb800b9d0942

SHA256
fba0d077cf54eb3d17dbdb3eca754a116492bc004ee6c445abf6c24c244c26fa

SHA512
8b258e4b1922db509348319b3c51ec042b6e761acc32d5bf17d3a5a57ab4bf28e452fe6391712f2b83387d8f8ce66610dd81aa570b9f87aab7bd89cda861ca1e

Download Submit
memory/1656-122-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-117-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-73-0x0000000004510000-0x0000000004A72000-memory.dmp

Filesize
5.4MB

Download
memory/1656-78-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-80-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-79-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-82-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-81-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-83-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-84-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-85-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-86-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-87-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-92-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-94-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-95-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-120-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-91-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-96-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-101-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-105-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-115-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-124-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-125-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-118-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-136-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-135-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-134-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-132-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-133-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-130-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-129-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-128-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-127-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-126-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-123-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-121-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-93-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-75-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/1656-131-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-119-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-116-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-114-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-113-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-112-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-111-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-110-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-109-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-108-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-107-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-106-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-104-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-103-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-102-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-100-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-99-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-98-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-97-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-90-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-89-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-88-0x0000000077FA0000-0x0000000077FB0000-memory.dmp

Filesize
64KB

Download
memory/1656-185-0x0000000004D60000-0x00000000050D7000-memory.dmp

Filesize
3.5MB

Download
memory/1656-186-0x00000000050E0000-0x000000000521C000-memory.dmp

Filesize
1.2MB

Download
memory/1656-187-0x0000000005220000-0x0000000005814000-memory.dmp

Filesize
6.0MB

Download
memory/1656-188-0x0000000005820000-0x0000000005B84000-memory.dmp

Filesize
3.4MB

Download
memory/1656-189-0x0000000005BE0000-0x0000000005C7C000-memory.dmp

Filesize
624KB

Download
memory/1656-190-0x0000000006060000-0x00000000060C4000-memory.dmp

Filesize
400KB

Download
memory/1656-191-0x00000000060D0000-0x000000000635C000-memory.dmp

Filesize
2.5MB

Download
memory/1656-193-0x0000000006420000-0x0000000006458000-memory.dmp

Filesize
224KB

Download
memory/1656-194-0x0000000006630000-0x0000000006670000-memory.dmp

Filesize
256KB

Download
memory/1656-195-0x0000000006A00000-0x0000000006A08000-memory.dmp

Filesize
32KB

Download
memory/1656-196-0x0000000006B90000-0x0000000006B9E000-memory.dmp

Filesize
56KB

Download
memory/1656-197-0x0000000005CD5000-0x0000000005CE6000-memory.dmp

Filesize
68KB

Download
memory/1656-198-0x0000000006480000-0x000000000648A000-memory.dmp

Filesize
40KB

Download
memory/1904-54-0x0000000077F90000-0x0000000077FA0000-memory.dmp

Filesize
64KB

Download
memory/1904-55-0x0000000077F90000-0x0000000077FA0000-memory.dmp

Filesize
64KB

Download
memory/1904-56-0x0000000077F90000-0x0000000077FA0000-memory.dmp

Filesize
64KB

Download
memory/1904-58-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/1904-59-0x0000000071C81000-0x0000000071C83000-memory.dmp

Filesize
8KB

Download