88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20230824-en
resource tags

arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
submitted
28/08/2023, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe
Size

536KB
MD5

b2f6347c24672f87d6f3225de77deb29
SHA1

e83cce179d31aee6228f6fd5ec3f4b35927e527d
SHA256

88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c
SHA512

8af8929576b21792983e45a38fb58a464533de1c5968208b0b05580b103a3d95544721b7b5215e464de95f4049833aa23e85201e600a7bfe8220aa314848b534
SSDEEP

12288:LQab4j0WxHHxvgZ5Debn9XdvVYf8tn5+qqheFgOkx2LIa:svj0oxv2Dezv/tx3yOkx2LF

Score

10^/10

upx vmprotect

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1212 created 424	1212	Explorer.EXE	3

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\bLMd9awhaa.sys	isoburn.exe
File opened for modification	C:\Windows\system32\drivers\9biRHbSIwhv.pwt	isoburn.exe
File opened for modification	C:\Windows\system32\drivers\VlJB1XmMoAWwpH.sys	isoburn.exe
File opened for modification	C:\Windows\system32\drivers\wY7NxusPcSRViQ.fel	isoburn.exe
File opened for modification	C:\Windows\system32\drivers\yYbHwPlsEgTtL.sys	isoburn.exe
File opened for modification	C:\Windows\system32\drivers\Rl1rbB0PZGceSI.jle	isoburn.exe
File opened for modification	C:\Windows\system32\drivers\HVMdYNGmmsyX.akk	isoburn.exe
File opened for modification	C:\Windows\system32\drivers\K3IJEcfafOKSg.sys	isoburn.exe
File created	C:\Windows\System32\drivers\ilD8N96.sys	isoburn.exe

Deletes itself 1 IoCs

pid	Process
2852	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2284	isoburn.exe

Loads dropped DLL 9 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1164	Dwm.exe
1164	Dwm.exe
1164	Dwm.exe
1164	Dwm.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/792-0-0x0000000001030000-0x0000000001132000-memory.dmp	upx
behavioral1/memory/792-53-0x0000000001030000-0x0000000001132000-memory.dmp	upx
behavioral1/memory/792-69-0x0000000001030000-0x0000000001132000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000a000000018b86-170.dat	vmprotect
behavioral1/files/0x0018000000018b86-299.dat	vmprotect
behavioral1/files/0x0026000000018b86-412.dat	vmprotect
behavioral1/files/0x0033000000018b86-529.dat	vmprotect

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	isoburn.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	isoburn.exe
File opened for modification	C:\Windows\system32\RjLtzBeZpFLjnT.sys	isoburn.exe
File opened for modification	C:\Windows\system32\SAaXvpTabFdf.xxv	isoburn.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	isoburn.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	isoburn.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	isoburn.exe
File opened for modification	C:\Windows\system32\U2cmqdaOQqs.sys	isoburn.exe
File opened for modification	C:\Windows\system32\kubAa8fCGWxJ.oge	isoburn.exe
File opened for modification	C:\Windows\system32\FagUTS3FccZlM6.ijm	isoburn.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	isoburn.exe
File created	C:\Windows\system32\ \Windows\System32\FTgvqtlD.sys	isoburn.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	isoburn.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	isoburn.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	isoburn.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	isoburn.exe
File opened for modification	C:\Windows\system32\x6qkXEaK0lLY.sys	isoburn.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	isoburn.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	isoburn.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	isoburn.exe
File opened for modification	C:\Windows\system32\UJFQrGtFIB3BjJ.iql	isoburn.exe
File opened for modification	C:\Windows\system32\Yko6sUopTe0R.sys	isoburn.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	isoburn.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ZBKCMUje3X.pur	isoburn.exe
File opened for modification	C:\Program Files\Google\5cd198cc.js	Explorer.EXE
File opened for modification	C:\Program Files\Google\lib\6c49dcee.js	Explorer.EXE
File opened for modification	C:\Program Files\mrhvjvIK4ZrM.oaa	isoburn.exe
File opened for modification	C:\Program Files\Windows Mail\4d595018.html	isoburn.exe
File opened for modification	C:\Program Files\7-Zip\5cd1a598.js	Dwm.exe
File opened for modification	C:\Program Files\Google\4d5954aa.html	Explorer.EXE
File opened for modification	C:\Program Files\cuyppv3QSS.dxd	isoburn.exe
File opened for modification	C:\Program Files\gKVyNd3f0U.sys	isoburn.exe
File opened for modification	C:\Program Files (x86)\WkwF0u4zny9e.gxd	isoburn.exe
File opened for modification	C:\Program Files (x86)\vN4Eiyldfs.sys	isoburn.exe
File opened for modification	C:\Program Files\Windows Mail\5cd19350.js	isoburn.exe
File opened for modification	C:\Program Files\s4fhGo4xT9.sys	isoburn.exe
File opened for modification	C:\Program Files\olateAFhsF.sys	isoburn.exe
File opened for modification	C:\Program Files (x86)\YqYxwexHrsQR6.mci	isoburn.exe
File opened for modification	C:\Program Files\Google\3de11088.js	Explorer.EXE
File opened for modification	C:\Program Files (x86)\GiS7hxKZAP.fui	isoburn.exe
File opened for modification	C:\Program Files (x86)\pzW4awoPWVhx.sys	isoburn.exe
File opened for modification	C:\Program Files (x86)\YB0Wpfp0lUveL.ovg	isoburn.exe
File opened for modification	C:\Program Files\7-Zip\3de11910.js	Dwm.exe
File opened for modification	C:\Program Files\7-Zip\4d595f54.html	Dwm.exe
File opened for modification	C:\Program Files (x86)\BXGkJ7lbXa.sys	isoburn.exe
File opened for modification	C:\Program Files\KqFFNLTL9I4Ms.sys	isoburn.exe
File opened for modification	C:\Program Files (x86)\ENeUJtlKzr6.sys	isoburn.exe
File opened for modification	C:\Program Files\Windows Mail\manifest.json	isoburn.exe
File opened for modification	C:\Program Files\7-Zip\manifest.json	Dwm.exe
File opened for modification	C:\Program Files\BilCtIv5YLEU4c.nbj	isoburn.exe
File opened for modification	C:\Program Files\Windows Mail\3de10ce0.js	isoburn.exe
File opened for modification	C:\Program Files\Windows Mail\lib\6c49d688.js	isoburn.exe
File opened for modification	C:\Program Files\Google\manifest.json	Explorer.EXE
File opened for modification	C:\Program Files\7-Zip\lib\6c49ebdc.js	Dwm.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Cxms3EqOI.sys	isoburn.exe
File opened for modification	C:\Windows\7OgeI8rq8HZ.sys	isoburn.exe
File opened for modification	C:\Windows\5gl3zmctdyISk8.qfy	isoburn.exe
File opened for modification	C:\Windows\paFVUflC6F33.ujx	isoburn.exe
File opened for modification	C:\Windows\G1C11kQYLYbmd.sys	isoburn.exe
File opened for modification	C:\Windows\k12zhWpUsA.qpm	isoburn.exe
File opened for modification	C:\Windows\2brD7C9qB0cgu.sys	isoburn.exe
File opened for modification	C:\Windows\BxiMeQe12Vmzj.sys	isoburn.exe
File opened for modification	C:\Windows\MxdqwM9OIF7C9.vqd	isoburn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2780	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	isoburn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53524788-7846-4EE7-AEC9-C7F4D115614B}\WpadDecision = "0"	isoburn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53524788-7846-4EE7-AEC9-C7F4D115614B}	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	isoburn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-46-d3-44-41-76\WpadDecision = "0"	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	isoburn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53524788-7846-4EE7-AEC9-C7F4D115614B}\WpadDecisionReason = "1"	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-46-d3-44-41-76	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	isoburn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	dxdiag.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	isoburn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53524788-7846-4EE7-AEC9-C7F4D115614B}\WpadDecisionTime = 70d9f2ab62d9d901	isoburn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53524788-7846-4EE7-AEC9-C7F4D115614B}\ce-46-d3-44-41-76	isoburn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	dxdiag.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	isoburn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-46-d3-44-41-76\WpadDecisionTime = 70d9f2ab62d9d901	isoburn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	isoburn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0083000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	isoburn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	dxdiag.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	dxdiag.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0083000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	isoburn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	isoburn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53524788-7846-4EE7-AEC9-C7F4D115614B}\WpadNetworkName = "Network 3"	isoburn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-46-d3-44-41-76\WpadDecisionReason = "1"	isoburn.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4B127D42C26139FBC81010A9B64B358DC316F7F7\Blob = 190000000100000010000000afa8703a6d639b4d9760c63cfe1347290f0000000100000020000000f568e99ddf92d991d9d5446d503c4af30bc44490163cdffe4b81753901bfd64b0300000001000000140000004b127d42c26139fbc81010a9b64b358dc316f7f714000000010000001400000022c847ea1c97fc9229226e49ea796526ebe7cc8e200000000100000026020000308202223082018ba003020102020100300d06092a864886f70d01010b05003035310b300906035504061302434e3126302406035504030c1d475445204379626572547275737420476c6f62616c20526f6f74205632301e170d3233303832383033343935305a170d3234303832373033343935305a3035310b300906035504061302434e3126302406035504030c1d475445204379626572547275737420476c6f62616c20526f6f7420563230819f300d06092a864886f70d010101050003818d0030818902818100deefb1ae80ffb97f53a5e5a094ba7dafd23821aadef13c5bc1754303514dbed2724b8e30ff2928d283ae761b46cb778570e0225b8bb17ceea919cae3ac739fadb512623dc536ca4b0178bb83f2a2085161553b3afa4d3363843c7d1913f39d36b4fcab775e8a1006a7890a9cb6c6e9d8e779419410b1365039462d6fa1cd41650203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e0416041422c847ea1c97fc9229226e49ea796526ebe7cc8e300d06092a864886f70d01010b050003818100b56f2795bb3af322d38b2e2bd06e2b687aee1242a58193c5bec1b4d8d8de19f93d4673177d40dab6028448bac9560cc3678778731cf62b6c6b064d45bc05d51765d7b3cb4bc5016329856435f2a9bce31ae7577aac1ac3c07eb00cb25bca2f6afce4920ab089ce7d1de749ebd29ebde0394d8b651c6a4ef5cac5996f4dff7aa4	isoburn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	isoburn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4B127D42C26139FBC81010A9B64B358DC316F7F7	isoburn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4B127D42C26139FBC81010A9B64B358DC316F7F7\Blob = 0f0000000100000020000000f568e99ddf92d991d9d5446d503c4af30bc44490163cdffe4b81753901bfd64b0300000001000000140000004b127d42c26139fbc81010a9b64b358dc316f7f7200000000100000026020000308202223082018ba003020102020100300d06092a864886f70d01010b05003035310b300906035504061302434e3126302406035504030c1d475445204379626572547275737420476c6f62616c20526f6f74205632301e170d3233303832383033343935305a170d3234303832373033343935305a3035310b300906035504061302434e3126302406035504030c1d475445204379626572547275737420476c6f62616c20526f6f7420563230819f300d06092a864886f70d010101050003818d0030818902818100deefb1ae80ffb97f53a5e5a094ba7dafd23821aadef13c5bc1754303514dbed2724b8e30ff2928d283ae761b46cb778570e0225b8bb17ceea919cae3ac739fadb512623dc536ca4b0178bb83f2a2085161553b3afa4d3363843c7d1913f39d36b4fcab775e8a1006a7890a9cb6c6e9d8e779419410b1365039462d6fa1cd41650203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e0416041422c847ea1c97fc9229226e49ea796526ebe7cc8e300d06092a864886f70d01010b050003818100b56f2795bb3af322d38b2e2bd06e2b687aee1242a58193c5bec1b4d8d8de19f93d4673177d40dab6028448bac9560cc3678778731cf62b6c6b064d45bc05d51765d7b3cb4bc5016329856435f2a9bce31ae7577aac1ac3c07eb00cb25bca2f6afce4920ab089ce7d1de749ebd29ebde0394d8b651c6a4ef5cac5996f4dff7aa4	isoburn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	isoburn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4B127D42C26139FBC81010A9B64B358DC316F7F7\Blob = 14000000010000001400000022c847ea1c97fc9229226e49ea796526ebe7cc8e0300000001000000140000004b127d42c26139fbc81010a9b64b358dc316f7f70f0000000100000020000000f568e99ddf92d991d9d5446d503c4af30bc44490163cdffe4b81753901bfd64b200000000100000026020000308202223082018ba003020102020100300d06092a864886f70d01010b05003035310b300906035504061302434e3126302406035504030c1d475445204379626572547275737420476c6f62616c20526f6f74205632301e170d3233303832383033343935305a170d3234303832373033343935305a3035310b300906035504061302434e3126302406035504030c1d475445204379626572547275737420476c6f62616c20526f6f7420563230819f300d06092a864886f70d010101050003818d0030818902818100deefb1ae80ffb97f53a5e5a094ba7dafd23821aadef13c5bc1754303514dbed2724b8e30ff2928d283ae761b46cb778570e0225b8bb17ceea919cae3ac739fadb512623dc536ca4b0178bb83f2a2085161553b3afa4d3363843c7d1913f39d36b4fcab775e8a1006a7890a9cb6c6e9d8e779419410b1365039462d6fa1cd41650203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e0416041422c847ea1c97fc9229226e49ea796526ebe7cc8e300d06092a864886f70d01010b050003818100b56f2795bb3af322d38b2e2bd06e2b687aee1242a58193c5bec1b4d8d8de19f93d4673177d40dab6028448bac9560cc3678778731cf62b6c6b064d45bc05d51765d7b3cb4bc5016329856435f2a9bce31ae7577aac1ac3c07eb00cb25bca2f6afce4920ab089ce7d1de749ebd29ebde0394d8b651c6a4ef5cac5996f4dff7aa4	isoburn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	isoburn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	isoburn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	isoburn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
792	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe
792	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
2284	isoburn.exe
1240	dxdiag.exe
1212	Explorer.EXE
2284	isoburn.exe
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
2284	isoburn.exe
1212	Explorer.EXE
1212	Explorer.EXE
2284	isoburn.exe
1212	Explorer.EXE
2284	isoburn.exe
2284	isoburn.exe
1212	Explorer.EXE
1212	Explorer.EXE
2284	isoburn.exe
1212	Explorer.EXE
1212	Explorer.EXE
2284	isoburn.exe
1212	Explorer.EXE
2284	isoburn.exe
1212	Explorer.EXE
2284	isoburn.exe
1212	Explorer.EXE
1212	Explorer.EXE
2284	isoburn.exe
1212	Explorer.EXE
1212	Explorer.EXE
2284	isoburn.exe
1212	Explorer.EXE
2284	isoburn.exe
1212	Explorer.EXE
2284	isoburn.exe
1212	Explorer.EXE
1212	Explorer.EXE
2284	isoburn.exe
1212	Explorer.EXE
2284	isoburn.exe
1212	Explorer.EXE
2284	isoburn.exe
1212	Explorer.EXE
1212	Explorer.EXE
2284	isoburn.exe
1212	Explorer.EXE
2284	isoburn.exe
1212	Explorer.EXE
2284	isoburn.exe
1212	Explorer.EXE
2284	isoburn.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1212	Explorer.EXE

Suspicious behavior: LoadsDriver 59 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	792	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe
Token: SeTcbPrivilege	792	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe
Token: SeDebugPrivilege	792	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe
Token: SeDebugPrivilege	1212	Explorer.EXE
Token: SeTcbPrivilege	1212	Explorer.EXE
Token: SeDebugPrivilege	1212	Explorer.EXE
Token: SeDebugPrivilege	1212	Explorer.EXE
Token: SeDebugPrivilege	1212	Explorer.EXE
Token: SeIncBasePriorityPrivilege	792	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe
Token: SeDebugPrivilege	1212	Explorer.EXE
Token: SeDebugPrivilege	2284	isoburn.exe
Token: SeDebugPrivilege	2284	isoburn.exe
Token: SeDebugPrivilege	2284	isoburn.exe
Token: SeDebugPrivilege	2284	isoburn.exe
Token: SeDebugPrivilege	2284	isoburn.exe
Token: SeBackupPrivilege	2284	isoburn.exe
Token: SeDebugPrivilege	2284	isoburn.exe
Token: SeDebugPrivilege	2284	isoburn.exe
Token: SeDebugPrivilege	2284	isoburn.exe
Token: SeDebugPrivilege	1212	Explorer.EXE
Token: SeBackupPrivilege	1212	Explorer.EXE
Token: SeDebugPrivilege	1164	Dwm.exe
Token: SeBackupPrivilege	1164	Dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 1212	792	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe	17
PID 792 wrote to memory of 1212	792	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe	17
PID 792 wrote to memory of 1212	792	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe	17
PID 1212 wrote to memory of 2284	1212	Explorer.EXE	28
PID 1212 wrote to memory of 2284	1212	Explorer.EXE	28
PID 1212 wrote to memory of 2284	1212	Explorer.EXE	28
PID 1212 wrote to memory of 2284	1212	Explorer.EXE	28
PID 1212 wrote to memory of 2284	1212	Explorer.EXE	28
PID 1212 wrote to memory of 2284	1212	Explorer.EXE	28
PID 1212 wrote to memory of 2284	1212	Explorer.EXE	28
PID 1212 wrote to memory of 2284	1212	Explorer.EXE	28
PID 1212 wrote to memory of 424	1212	Explorer.EXE	3
PID 1212 wrote to memory of 424	1212	Explorer.EXE	3
PID 1212 wrote to memory of 424	1212	Explorer.EXE	3
PID 1212 wrote to memory of 424	1212	Explorer.EXE	3
PID 1212 wrote to memory of 424	1212	Explorer.EXE	3
PID 792 wrote to memory of 2852	792	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe	32
PID 792 wrote to memory of 2852	792	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe	32
PID 792 wrote to memory of 2852	792	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe	32
PID 792 wrote to memory of 2852	792	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe	32
PID 2852 wrote to memory of 2780	2852	cmd.exe	33
PID 2852 wrote to memory of 2780	2852	cmd.exe	33
PID 2852 wrote to memory of 2780	2852	cmd.exe	33
PID 2852 wrote to memory of 2780	2852	cmd.exe	33
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1240	2284	isoburn.exe	36
PID 2284 wrote to memory of 1240	2284	isoburn.exe	36
PID 2284 wrote to memory of 1240	2284	isoburn.exe	36
PID 2284 wrote to memory of 1240	2284	isoburn.exe	36
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1240	2284	isoburn.exe	36
PID 2284 wrote to memory of 1240	2284	isoburn.exe	36
PID 2284 wrote to memory of 1240	2284	isoburn.exe	36
PID 2284 wrote to memory of 1240	2284	isoburn.exe	36
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17
PID 2284 wrote to memory of 1212	2284	isoburn.exe	17

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424
- C:\ProgramData\isoburn.exe
  "C:\ProgramData\isoburn.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\system32\dxdiag.exe
    "C:\Windows\system32\dxdiag.exe"
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:1240

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe
  "C:\Users\Admin\AppData\Local\Temp\88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\isoburn.exe

Filesize
89KB

MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
C:\ProgramData\isoburn.exe

Filesize
89KB

MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
C:\ProgramData\isoburn.exe

Filesize
89KB

MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab207E.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar20A0.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar20F2.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\2brD7C9qB0cgu.sys

Filesize
447KB

MD5
d8dd0e814a97097079183831e6f100f2

SHA1
733ddb410079c34890f5299d543e90200cab4d04

SHA256
382a5947aee70ee008308f8cff7558902ebc44bac552c3447c11a04a6439f226

SHA512
aecd1b7d643cf749cad43e84ac282c124ea755f6dd94ab9de125729a39fa9c89fcadd15cdd871e077578750b9efe2d08b22d72329792f422af904e09f3b8f039

Download Submit
C:\Windows\7OgeI8rq8HZ.sys

Filesize
447KB

MD5
d15f5f23df8036bd5089ce8d151b0e0d

SHA1
4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

SHA256
f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

SHA512
feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

Download Submit
C:\Windows\BxiMeQe12Vmzj.sys

Filesize
415KB

MD5
0f77c0de198a59ba2d9e5ba45dd531de

SHA1
df26f813b9a8bc09cbbb18622a089355d8d6c371

SHA256
3ebaef0a98695b30a3486bd79e1f71642ad62302bb7023fb03de0fe2dae47e91

SHA512
3e432ff1ee2c343f797b6e9481945ed5d3db69aa95e33c7ee3b3b9cc774b0eaf06e199811edcb825dbfd9badab805baa3367194527087c09860838df41e8f82d

Download Submit
C:\Windows\G1C11kQYLYbmd.sys

Filesize
415KB

MD5
64bc1983743c584a9ad09dacf12792e5

SHA1
0f14098f523d21f11129c4df09451413ddff6d61

SHA256
057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

SHA512
9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
7563f9b56bfa6d4fc5b303f576a26ade

SHA1
332291b2e610ca4c130a62a57d6084e0fe151a9d

SHA256
5700cb1374388390f635455b6fb0895a218c410bb5fb504e9671d78ba2459fde

SHA512
a2ea140554b22b44fff1133088c27dce7431fa0373f0f590472f7e2c1d8d76b350c8667d13a1d910412127e8a698b4d8ad41d9a003b6170aeea68d133e99c479

Download Submit
\ProgramData\isoburn.exe

Filesize
89KB

MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
\ProgramData\isoburn.exe

Filesize
89KB

MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
\ProgramData\isoburn.exe

Filesize
89KB

MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
\ProgramData\isoburn.exe

Filesize
89KB

MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
\ProgramData\isoburn.exe

Filesize
89KB

MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
\ProgramData\isoburn.exe

Filesize
89KB

MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
\ProgramData\isoburn.exe

Filesize
89KB

MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
\ProgramData\isoburn.exe

Filesize
89KB

MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
\ProgramData\isoburn.exe

Filesize
89KB

MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
memory/424-128-0x0000000000900000-0x0000000000928000-memory.dmp

Filesize
160KB

Download
memory/424-57-0x0000000000830000-0x0000000000851000-memory.dmp

Filesize
132KB

Download
memory/424-68-0x0000000000900000-0x0000000000928000-memory.dmp

Filesize
160KB

Download
memory/792-69-0x0000000001030000-0x0000000001132000-memory.dmp

Filesize
1.0MB

Download
memory/792-0-0x0000000001030000-0x0000000001132000-memory.dmp

Filesize
1.0MB

Download
memory/792-53-0x0000000001030000-0x0000000001132000-memory.dmp

Filesize
1.0MB

Download
memory/1164-3220-0x0000000002030000-0x00000000020DC000-memory.dmp

Filesize
688KB

Download
memory/1212-3193-0x00000000042C0000-0x00000000042C3000-memory.dmp

Filesize
12KB

Download
memory/1212-24-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/1212-33-0x0000000003C20000-0x0000000003C23000-memory.dmp

Filesize
12KB

Download
memory/1212-35-0x00000000063E0000-0x00000000064D7000-memory.dmp

Filesize
988KB

Download
memory/1212-107-0x00000000063E0000-0x00000000064D7000-memory.dmp

Filesize
988KB

Download
memory/1212-3195-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/1212-3197-0x00000000074E0000-0x00000000074E4000-memory.dmp

Filesize
16KB

Download
memory/1212-3194-0x0000000007430000-0x00000000074DC000-memory.dmp

Filesize
688KB

Download
memory/1212-95-0x00000000063E0000-0x00000000064D7000-memory.dmp

Filesize
988KB

Download
memory/1212-1-0x0000000002990000-0x0000000002993000-memory.dmp

Filesize
12KB

Download
memory/1212-36-0x00000000063E0000-0x00000000064D7000-memory.dmp

Filesize
988KB

Download
memory/1212-66-0x0000000004030000-0x00000000040A9000-memory.dmp

Filesize
484KB

Download
memory/1212-30-0x0000000003C20000-0x0000000003C23000-memory.dmp

Filesize
12KB

Download
memory/1212-22-0x0000000004EB0000-0x0000000004FA3000-memory.dmp

Filesize
972KB

Download
memory/1212-143-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/1212-2-0x0000000002990000-0x0000000002993000-memory.dmp

Filesize
12KB

Download
memory/1212-614-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/1212-530-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/1212-205-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/1212-4-0x0000000002990000-0x0000000002993000-memory.dmp

Filesize
12KB

Download
memory/1212-3-0x0000000004030000-0x00000000040A9000-memory.dmp

Filesize
484KB

Download
memory/1212-283-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/1240-234-0x0000000001DE0000-0x0000000001F86000-memory.dmp

Filesize
1.6MB

Download
memory/1240-314-0x0000000001DE0000-0x0000000001F86000-memory.dmp

Filesize
1.6MB

Download
memory/2284-105-0x0000000037860000-0x0000000037870000-memory.dmp

Filesize
64KB

Download
memory/2284-280-0x0000000005710000-0x00000000058DA000-memory.dmp

Filesize
1.8MB

Download
memory/2284-208-0x0000000005710000-0x00000000058DA000-memory.dmp

Filesize
1.8MB

Download
memory/2284-202-0x0000000003C20000-0x0000000003CCC000-memory.dmp

Filesize
688KB

Download
memory/2284-185-0x0000000003B60000-0x0000000003C17000-memory.dmp

Filesize
732KB

Download
memory/2284-615-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/2284-137-0x0000000003C20000-0x0000000003CCC000-memory.dmp

Filesize
688KB

Download
memory/2284-136-0x0000000003C20000-0x0000000003CCC000-memory.dmp

Filesize
688KB

Download
memory/2284-135-0x0000000000900000-0x0000000000928000-memory.dmp

Filesize
160KB

Download
memory/2284-134-0x0000000000900000-0x0000000000928000-memory.dmp

Filesize
160KB

Download
memory/2284-133-0x0000000001E40000-0x0000000001E6E000-memory.dmp

Filesize
184KB

Download
memory/2284-1284-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/2284-1490-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/2284-1729-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/2284-1850-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/2284-1925-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/2284-2070-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/2284-2407-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2284-2600-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2284-2745-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2284-2816-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2284-2939-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2284-2988-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2284-3085-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2284-3134-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2284-3135-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2284-3136-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2284-3137-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2284-3138-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2284-3141-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2284-3157-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2284-132-0x0000000001E00000-0x0000000001E0F000-memory.dmp

Filesize
60KB

Download
memory/2284-131-0x0000000003B60000-0x0000000003C17000-memory.dmp

Filesize
732KB

Download
memory/2284-129-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/2284-130-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/2284-127-0x0000000001D00000-0x0000000001DCB000-memory.dmp

Filesize
812KB

Download
memory/2284-125-0x0000000000900000-0x0000000000928000-memory.dmp

Filesize
160KB

Download
memory/2284-126-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/2284-123-0x0000000001D00000-0x0000000001DCB000-memory.dmp

Filesize
812KB

Download
memory/2284-124-0x0000000000900000-0x0000000000928000-memory.dmp

Filesize
160KB

Download
memory/2284-108-0x0000000000900000-0x0000000000928000-memory.dmp

Filesize
160KB

Download
memory/2284-54-0x000007FEBF350000-0x000007FEBF360000-memory.dmp

Filesize
64KB

Download
memory/2284-56-0x0000000001D00000-0x0000000001DCB000-memory.dmp

Filesize
812KB

Download
memory/2284-55-0x0000000001D00000-0x0000000001DCB000-memory.dmp

Filesize
812KB

Download
memory/2284-52-0x0000000001D00000-0x0000000001DCB000-memory.dmp

Filesize
812KB

Download
memory/2284-40-0x00000000000F0000-0x00000000001B3000-memory.dmp

Filesize
780KB

Download