d3eef85b7fc5291b76a569864b5e35b471d838b897a9c4f73915698b1826d4bd

Analysis

max time kernel
135s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
10/01/2023, 18:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cf04ba4779867c0726c69e230e145fd8.exe
Size

1.1MB
MD5

cf04ba4779867c0726c69e230e145fd8
SHA1

ce8a5522d32cee3d9da5584d432f61b1e122cbc8
SHA256

d3eef85b7fc5291b76a569864b5e35b471d838b897a9c4f73915698b1826d4bd
SHA512

7b800b136a4356bcfe51d6709b623c8467b16fc0d5b4df07eeac8e045cedf39b2df55318c08d25b2e276559e8abce293f97c1862e4505cc6b4c8e1d24713f877
SSDEEP

24576:Wm9ficCrmX9mZgOLxfW6CAEerBf1K3Ey4IFy6kwHideoZCjBE:WmBPnX9pWyAEQBf1XRIFy6kwH+RC9E

Score

8^/10

discovery persistence

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	1212	rundll32.exe
5	1212	rundll32.exe
9	1212	rundll32.exe
13	1212	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BIB\Parameters\ServiceDll = "C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\BIB.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BIB\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 6 IoCs

pid	Process
1212	rundll32.exe
1960	svchost.exe
1580	rundll32.exe
1580	rundll32.exe
1580	rundll32.exe
1580	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1212 set thread context of 1356	1212	rundll32.exe	31

Drops file in Program Files directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Thawte Root Certificate.cer	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\APIFile_8.ico	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\VDK10.STP	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\CP1257.TXT	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\APIFile_8.ico	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\FDFFile_8.ico	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.CFG	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\CGMIMP32.FLT	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\CourierStd.otf	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\sqlite.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STP	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\Thawte Root Certificate.cer	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\stop_collection_data.gif	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\AdobeUpdater.cer	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdater.cer	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\usa03.ths	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\MSADDNDR.DLL	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\Flash.mpp	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\SYMBOL.TXT	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\server_issue.gif	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\ahclient.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\BIBUtils.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\FDFFile_8.ico	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Acrofx32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Flash.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\sqlite.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\AdobeAUM_rootCert.cer	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\Acrofx32.dll	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\SY______.PFB	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\StandardBusiness.pdf	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\CGMIMP32.CFG	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.FLT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\BIB.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000000000000102054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\271D83D6ADB3869D706E97FFCB784311C6A50F94	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\271D83D6ADB3869D706E97FFCB784311C6A50F94\Blob = 030000000100000014000000271d83d6adb3869d706e97ffcb784311c6a50f9420000000010000009b0200003082029730820200a003020102020871d2c7af40a4cf01300d06092a864886f70d01010b050030703123302106035504030c1a475445204379626572547275737420476c6f62686c20526f6f7431223020060355040b0c1922475445204379626572547275737420536f6c7574696f6e7331183016060355040a0c0f47544520436f72706f726174696f6e310b3009060355040613025553301e170d3231303131303139353531395a170d3235303130393139353531395a30703123302106035504030c1a475445204379626572547275737420476c6f62686c20526f6f7431223020060355040b0c1922475445204379626572547275737420536f6c7574696f6e7331183016060355040a0c0f47544520436f72706f726174696f6e310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100bcd31fcd6cc1962dbb26e5fd9715893a1e45e0a360ba2ca7a6e96bd95d7f4135bbbf0a63749080b69744a9ea192732fd7507dbdc52d264d0a0a27a29c0356e11ba9afeeb4f61b6d790b92c3e7046d0c0c5269cb79269a2a7ee3a5fd1a17dab4d4e91832ab316980ea82fbb2d4ec8ddd99331f96cf35391c8aacd41836ed07bef0203010001a33a3038300f0603551d130101ff040530030101ff30250603551d11041e301c821a475445204379626572547275737420476c6f62686c20526f6f74300d06092a864886f70d01010b0500038181002c119fcfc9ce7c9507f8a190a94c398c1dd724233f0ba681dcc06c85b6bf2435d21419dd249615bc34fe661164dca68f866f8447916fc3634b22caaf2909a8ac7663c31edd32b657fd9c8ef0800ab6d3dbdd81b9f464af358f14ef2878e7ecf447b2818322fd81131be87b90b0b42a3fb7b6c5122d9c65cf38f9046ef71bf848	rundll32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1960	svchost.exe
1212	rundll32.exe
1212	rundll32.exe
1212	rundll32.exe
1212	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1212	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1356	rundll32.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1212	2036	cf04ba4779867c0726c69e230e145fd8.exe	28
PID 2036 wrote to memory of 1212	2036	cf04ba4779867c0726c69e230e145fd8.exe	28
PID 2036 wrote to memory of 1212	2036	cf04ba4779867c0726c69e230e145fd8.exe	28
PID 2036 wrote to memory of 1212	2036	cf04ba4779867c0726c69e230e145fd8.exe	28
PID 2036 wrote to memory of 1212	2036	cf04ba4779867c0726c69e230e145fd8.exe	28
PID 2036 wrote to memory of 1212	2036	cf04ba4779867c0726c69e230e145fd8.exe	28
PID 2036 wrote to memory of 1212	2036	cf04ba4779867c0726c69e230e145fd8.exe	28
PID 1212 wrote to memory of 1356	1212	rundll32.exe	31
PID 1212 wrote to memory of 1356	1212	rundll32.exe	31
PID 1212 wrote to memory of 1356	1212	rundll32.exe	31
PID 1212 wrote to memory of 1356	1212	rundll32.exe	31
PID 1212 wrote to memory of 1356	1212	rundll32.exe	31
PID 1960 wrote to memory of 1580	1960	svchost.exe	33
PID 1960 wrote to memory of 1580	1960	svchost.exe	33
PID 1960 wrote to memory of 1580	1960	svchost.exe	33
PID 1960 wrote to memory of 1580	1960	svchost.exe	33
PID 1960 wrote to memory of 1580	1960	svchost.exe	33
PID 1960 wrote to memory of 1580	1960	svchost.exe	33
PID 1960 wrote to memory of 1580	1960	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\cf04ba4779867c0726c69e230e145fd8.exe
"C:\Users\Admin\AppData\Local\Temp\cf04ba4779867c0726c69e230e145fd8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ryfererfh.tmp",Fwpthq
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 22814
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1356

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\microsoft analysis services\as oledb\bib.dll",l1w7UFo=
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\AdobeESDGlobalApps.xml

Filesize
279B

MD5
08a872b713c4f7f847de6f9c1d7d3457

SHA1
d819edc8b277f736d4a8c71c4986955b66ebf820

SHA256
13f545fe6bb8251d84518c8261df0bae28f8dbab3ecd3ebd25a89c7da5a75e54

SHA512
1555355aa76bae5dada97e66483767dd8fa1e7047646bef3553c5720ee0390660c313a27559ec3571dcc3d3c4ffdde4c91346591abbca22257206277ff589c0a

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\CiAD0001.000

Filesize
240B

MD5
7ca2da6f1e7bca562d7d9376700a912f

SHA1
67feaa004013eee76282e3b3fc196279f2577dcb

SHA256
04fd7654331261ff9ec331c31b238ba7770f082abfb817d7881813ec02084a4e

SHA512
4f2f67dee86af03dae15145649f5eb65cd158686381d26005b91aab89f017b692289050f0b1def00f8c2e724aedba4025db0baa6b55f76d402ded8006c48b38d

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\Iipyptyehff.tmp

Filesize
3.5MB

MD5
dfa85219d72eb793929f5d2357a729b4

SHA1
606082bbae8c2b1a1ad2f3abfb8a825997cf601b

SHA256
b2f970db335235e1413b27d2d355114a30a7f0e69b03d440598ac2ff0007c713

SHA512
d25911d84458aa1eba85a44dd7ed71e8429c57e77471df4c2a303ecf584bedf0fb62def2e2b91e379b59d87c16053edd1cb598a816dca120092a5a9dccff6231

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\MOR6INT.REST.trx_dll

Filesize
48KB

MD5
b22a432ea8c671f119cf8285d1021671

SHA1
3346593a9adb233233509247b1df059742f6aa3e

SHA256
bfd9148c099dfd9477204806df55034d06c9aacf3a4241ab97c4e4acb0349b17

SHA512
361badcd731f078d1bd64e61709f183e73163a1a09e1ed543e56a9c57b2bd28c930111797692c6be4ce4bea17a5e8283fec6ac27db7bd078047552dc51e5dece

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\Mobility Center.lnk

Filesize
1KB

MD5
5504842b4637f94be24a026ddc40c2cb

SHA1
e9d78aef854aa2933c5773bb16ec048de1dfa22d

SHA256
c3bbcf5ef157ab4806afe59641114381c43447988e74e5eb3113fa8893d1ab55

SHA512
8e256d4000c097780167081c38ecf03180f6f812cc68910f210c570119a19d36442d2929786bea7b5a16d4c579d846d81dd7cf7a2a7c13832b477a71423b5430

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\OUTLLIBR.REST.trx_dll

Filesize
665KB

MD5
753df8b9141a1939d4454d07aed78e06

SHA1
514d203a4a8e8a26c8def2c4c21d34da7c5a8243

SHA256
91f6c4f198a868abbd3f7cf31373d8e65618092f680be3304b77d66fedabb7d0

SHA512
d280ed303c8e51dc5b60357a83839d1ad4ac5ced836422649c88616063e46b88c5c713707b448e192a5b429ac815c8d3eeff27fbb3dbf1b373414cee8e3ee880

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\PUB6INTL.REST.trx_dll

Filesize
568KB

MD5
30af748c7751fca8078e5c05bf36467b

SHA1
db9eacbd6438b07446d3a6c1206e813b8222a10e

SHA256
c1ff437693e66a412fa3452ca4038bc32d406153dac55dac7c28c62543640081

SHA512
acc75a6bb148ef7b9e9f90ecb53f13c983507c755b76405b6a4cfdb5758171e41484d7360e22d9e38968d5fb80bf4377b7b0cde7068e3fc5f7d0f6c9f50d3c34

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\Remote Desktop Connection.lnk

Filesize
1KB

MD5
087d72ec6ad575e565930332c599bccc

SHA1
ea98bc158e01a79d1d8a6f6ace0323400f54bbce

SHA256
55a99005d64d7b755da0ea49cf14a1c7c07348b9eabc7fae613264827840f501

SHA512
b2e06a37e7a9f58c3f514eb80dd36e6a293dae6de5afeb77be6c7122ee76d9dfe2cde93ea68e777030bda4af3dbebd299a44e76fb84e6013e653110f3bf2f141

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\folder.ico

Filesize
52KB

MD5
bbf9dbdc079c0cd95f78d728aa3912d4

SHA1
051f76cc8c6520768bac9559bb329abeebd70d7c

SHA256
bef53904908769ceeb60f8e0976c3194e73534f00f4afb65497c2091121b98b2

SHA512
af110c52c983f1cf55b3db7d375e03c8c9308e3cf9ee1c154c2b25cb3f8299f0c0ba87b47445f09f98659eb536184c245887a341733c11af713e9ecc15288b5d

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\print_property.ico

Filesize
58KB

MD5
30d7062e069bc0a9b34f4034090c1aae

SHA1
e5fcedd8e4cc0463c0bc6912b1791f2876e28a61

SHA256
24e77f244b0743e311b0fc97f06513a0cecf6560e92f9c6f164288a152d32000

SHA512
85dd6c916d48804a24dbbad0f4b4842453ac31a692905f8f2f34112eaa1bbf062a825d45ed5d800bbc4663a28b0b5003ebd5fa54991cf846f1028e929ea06de6

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\usertile29.bmp

Filesize
48KB

MD5
6a944c920d471248013a35096b1ce218

SHA1
00a1267a6e631710fc71eb2e2e590e0c693296de

SHA256
75de8e9eb7a045c484cdac6b3fd30fda99ee17cda8d0310897d0b73c2d1c4f87

SHA512
ec0a24dd41958b09e20e7366835ac0f938a45140ebd6915188c206fdbb8e9f728fbe50bb6e242d0804e7e693d4433b2fac586c7a3fb79de329416ad7731d9269

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\usertile43.bmp

Filesize
48KB

MD5
bf54b355d171471bece614e6583488b2

SHA1
3556f13234855d9c74d7100d8d3c229a496f7f72

SHA256
6403db3597d8f33188d0fe0cc1ff166c7cf91df5c6f19db36002eb6b5481c892

SHA512
50f4c61a86e1593f791c5bd9feab43ce63b162212815594de7057bb8038b65ed9efd41cd6e38e62bf644c6f23953b0c10ebf6d8afc08ef9b62c77806aff98fd6

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\{61109F13-CFED-4AFC-BAA0-C13E433CFBD6}.2.ver0x0000000000000002.db

Filesize
1KB

MD5
6c110640512eac388faae8fc7956454a

SHA1
b6233758a281a86bb5742667bf5723653c475c81

SHA256
2b8578afb4557e42e414b1e73f8acc6050da49a8c6f9ddb9fa71d906a58a9def

SHA512
7f54fa05208d5ac86aad2e63f4e87ec7258f6da88444eb6529a85a875d64f18c6176f4977b956dee54250f356e780beb1f719ba10de3c1fc6194f5ebf4e5cd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ryfererfh.tmp

Filesize
817KB

MD5
0a6c58fc386c9a4d7d43b809447f3eac

SHA1
b07d0ae1180e21bf79b3b720d9e03e2b7982972d

SHA256
d71c0aaec63294fb11af30ff408e94b5fff656149da01e3f7a97e3026580d5c2

SHA512
e2d08ae110f30257daa9341d1e3c91d6c50f6b32107d1e1ca0badcce872d09ac3d3a3998f26b1f93c3b1937317ce5ea240652d1b784c5a4d2e30273c19a9b6ad

Download Submit
\??\c:\program files (x86)\microsoft analysis services\as oledb\bib.dll

Filesize
817KB

MD5
f76a028fdf663558384337edb665bb25

SHA1
fcf6f8d9090e4e86dd121b806344f91d2e505c15

SHA256
83b2961e849f956b9689f7424a8a6937f77fdb9519f4d49cf9ec7346a62e2624

SHA512
34ce2dcbbabfd9750c8cbc288947d9530f78b78aab5d82b378ccd567af3360607c6372edb2ca33e7ff770fa7c4ea310bcab3f19bef13e58b8a676684277215d7

Download Submit
\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\BIB.dll

Filesize
817KB

MD5
f76a028fdf663558384337edb665bb25

SHA1
fcf6f8d9090e4e86dd121b806344f91d2e505c15

SHA256
83b2961e849f956b9689f7424a8a6937f77fdb9519f4d49cf9ec7346a62e2624

SHA512
34ce2dcbbabfd9750c8cbc288947d9530f78b78aab5d82b378ccd567af3360607c6372edb2ca33e7ff770fa7c4ea310bcab3f19bef13e58b8a676684277215d7

Download Submit
\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\BIB.dll

Filesize
817KB

MD5
f76a028fdf663558384337edb665bb25

SHA1
fcf6f8d9090e4e86dd121b806344f91d2e505c15

SHA256
83b2961e849f956b9689f7424a8a6937f77fdb9519f4d49cf9ec7346a62e2624

SHA512
34ce2dcbbabfd9750c8cbc288947d9530f78b78aab5d82b378ccd567af3360607c6372edb2ca33e7ff770fa7c4ea310bcab3f19bef13e58b8a676684277215d7

Download Submit
\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\BIB.dll

Filesize
817KB

MD5
f76a028fdf663558384337edb665bb25

SHA1
fcf6f8d9090e4e86dd121b806344f91d2e505c15

SHA256
83b2961e849f956b9689f7424a8a6937f77fdb9519f4d49cf9ec7346a62e2624

SHA512
34ce2dcbbabfd9750c8cbc288947d9530f78b78aab5d82b378ccd567af3360607c6372edb2ca33e7ff770fa7c4ea310bcab3f19bef13e58b8a676684277215d7

Download Submit
\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\BIB.dll

Filesize
817KB

MD5
f76a028fdf663558384337edb665bb25

SHA1
fcf6f8d9090e4e86dd121b806344f91d2e505c15

SHA256
83b2961e849f956b9689f7424a8a6937f77fdb9519f4d49cf9ec7346a62e2624

SHA512
34ce2dcbbabfd9750c8cbc288947d9530f78b78aab5d82b378ccd567af3360607c6372edb2ca33e7ff770fa7c4ea310bcab3f19bef13e58b8a676684277215d7

Download Submit
\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\BIB.dll

Filesize
817KB

MD5
f76a028fdf663558384337edb665bb25

SHA1
fcf6f8d9090e4e86dd121b806344f91d2e505c15

SHA256
83b2961e849f956b9689f7424a8a6937f77fdb9519f4d49cf9ec7346a62e2624

SHA512
34ce2dcbbabfd9750c8cbc288947d9530f78b78aab5d82b378ccd567af3360607c6372edb2ca33e7ff770fa7c4ea310bcab3f19bef13e58b8a676684277215d7

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Users\Admin\AppData\Local\Temp\Ryfererfh.tmp

Filesize
817KB

MD5
0a6c58fc386c9a4d7d43b809447f3eac

SHA1
b07d0ae1180e21bf79b3b720d9e03e2b7982972d

SHA256
d71c0aaec63294fb11af30ff408e94b5fff656149da01e3f7a97e3026580d5c2

SHA512
e2d08ae110f30257daa9341d1e3c91d6c50f6b32107d1e1ca0badcce872d09ac3d3a3998f26b1f93c3b1937317ce5ea240652d1b784c5a4d2e30273c19a9b6ad

Download Submit
memory/1212-72-0x00000000043F0000-0x0000000004530000-memory.dmp

Filesize
1.2MB

Download
memory/1212-73-0x00000000042B0000-0x00000000043F0000-memory.dmp

Filesize
1.2MB

Download
memory/1212-81-0x00000000048F0000-0x000000000544A000-memory.dmp

Filesize
11.4MB

Download
memory/1212-63-0x00000000048F0000-0x000000000544A000-memory.dmp

Filesize
11.4MB

Download
memory/1212-65-0x00000000048F0000-0x000000000544A000-memory.dmp

Filesize
11.4MB

Download
memory/1212-66-0x00000000048F0000-0x000000000544A000-memory.dmp

Filesize
11.4MB

Download
memory/1212-67-0x00000000042B0000-0x00000000043F0000-memory.dmp

Filesize
1.2MB

Download
memory/1212-68-0x00000000042B0000-0x00000000043F0000-memory.dmp

Filesize
1.2MB

Download
memory/1212-69-0x00000000043F0000-0x0000000004530000-memory.dmp

Filesize
1.2MB

Download
memory/1212-74-0x00000000042B0000-0x00000000043F0000-memory.dmp

Filesize
1.2MB

Download
memory/1356-77-0x0000000002300000-0x0000000002440000-memory.dmp

Filesize
1.2MB

Download
memory/1356-78-0x000007FEFC451000-0x000007FEFC453000-memory.dmp

Filesize
8KB

Download
memory/1356-80-0x0000000002050000-0x00000000022FA000-memory.dmp

Filesize
2.7MB

Download
memory/1356-70-0x0000000000220000-0x00000000004B9000-memory.dmp

Filesize
2.6MB

Download
memory/1356-76-0x0000000002300000-0x0000000002440000-memory.dmp

Filesize
1.2MB

Download
memory/1356-79-0x0000000000220000-0x00000000004B9000-memory.dmp

Filesize
2.6MB

Download
memory/1580-108-0x00000000041A0000-0x0000000004CFA000-memory.dmp

Filesize
11.4MB

Download
memory/1580-110-0x00000000041A0000-0x0000000004CFA000-memory.dmp

Filesize
11.4MB

Download
memory/1580-111-0x00000000041A0000-0x0000000004CFA000-memory.dmp

Filesize
11.4MB

Download
memory/1960-86-0x0000000004240000-0x0000000004D9A000-memory.dmp

Filesize
11.4MB

Download
memory/1960-90-0x0000000004240000-0x0000000004D9A000-memory.dmp

Filesize
11.4MB

Download
memory/1960-88-0x0000000004240000-0x0000000004D9A000-memory.dmp

Filesize
11.4MB

Download
memory/1960-118-0x0000000004240000-0x0000000004D9A000-memory.dmp

Filesize
11.4MB

Download
memory/2036-54-0x0000000000300000-0x00000000003E9000-memory.dmp

Filesize
932KB

Download
memory/2036-62-0x0000000000400000-0x0000000002C86000-memory.dmp

Filesize
40.5MB

Download
memory/2036-58-0x00000000046A0000-0x00000000047CC000-memory.dmp

Filesize
1.2MB

Download
memory/2036-57-0x0000000000300000-0x00000000003E9000-memory.dmp

Filesize
932KB

Download
memory/2036-55-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download