695526335af4b4ff3d8650ee928576effb496b1d2316fb2258718c32b6e946e5

Analysis

max time kernel
162s
max time network
171s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/09/2023, 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

695526335af4b4ff3d8650ee928576effb496b1d2316fb2258718c32b6e946e5.exe
Size

280KB
MD5

35fcf565ecb8e114c7df274ef211f95c
SHA1

4a1ca9576c41477f65045ba14d0882fe958b2362
SHA256

695526335af4b4ff3d8650ee928576effb496b1d2316fb2258718c32b6e946e5
SHA512

cc9ee7593cd0865f8abb53d120dbf9134bbaef8cee2087bb40b85787901721452d220d839694514da38d99985ab2938f5991a2625f115a0e9827be17d857572c
SSDEEP

6144:YXSQ8BCMis1TMrRQwy7eIeCDbFcEOkCybEaQRXr9HNdvOa:YXv8BCLocRZy7eIeyb1Okx2LIa

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\3RSgzcXMM.sys	mountvol.exe
File created	C:\Windows\System32\drivers\MuBRsOL.sys	Explorer.EXE

Deletes itself 1 IoCs

pid	Process
1700	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1936	38a9b784
2780	mountvol.exe

Loads dropped DLL 1 IoCs

pid	Process
1292	Explorer.EXE

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2472-0-0x0000000000E30000-0x0000000000EBE000-memory.dmp	upx
behavioral1/files/0x000d000000012262-2.dat	upx
behavioral1/memory/1936-3-0x0000000000040000-0x00000000000CE000-memory.dmp	upx
behavioral1/memory/2472-39-0x0000000000E30000-0x0000000000EBE000-memory.dmp	upx
behavioral1/memory/2472-45-0x0000000000E30000-0x0000000000EBE000-memory.dmp	upx
behavioral1/memory/1936-74-0x0000000000040000-0x00000000000CE000-memory.dmp	upx
behavioral1/files/0x000d000000012262-87.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	38a9b784
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4	38a9b784
File created	C:\Windows\system32\ \Windows\System32\FAXJDshZ.sys	Explorer.EXE
File created	C:\Windows\Syswow64\38a9b784	695526335af4b4ff3d8650ee928576effb496b1d2316fb2258718c32b6e946e5.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	38a9b784
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	38a9b784
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	38a9b784
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	38a9b784
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	38a9b784
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	38a9b784
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	38a9b784
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	38a9b784
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4	38a9b784
File created	C:\Windows\system32\ \Windows\System32\XA7w1LuSG.sys	mountvol.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\g0bhBs2.sys	mountvol.exe
File created	C:\Windows\s4nbQSfM.sys	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2876	timeout.exe
2848	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\www.hao774.com	Explorer.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	38a9b784
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ED13CDD4-CA2E-43C5-B5AC-07BCE5073612}\WpadDecisionTime = f083ede78dded901	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	38a9b784
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	38a9b784
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	38a9b784
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ED13CDD4-CA2E-43C5-B5AC-07BCE5073612}\WpadNetworkName = "Network 2"	38a9b784
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	38a9b784
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	38a9b784
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	38a9b784
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ED13CDD4-CA2E-43C5-B5AC-07BCE5073612}\WpadDecisionReason = "1"	38a9b784
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-2d-d1-91-f6-c0\WpadDecisionReason = "1"	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	38a9b784
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	38a9b784
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ED13CDD4-CA2E-43C5-B5AC-07BCE5073612}	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-2d-d1-91-f6-c0	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	38a9b784
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-2d-d1-91-f6-c0\WpadDecisionTime = f083ede78dded901	38a9b784
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	38a9b784
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	38a9b784
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	38a9b784
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ED13CDD4-CA2E-43C5-B5AC-07BCE5073612}\WpadDecision = "0"	38a9b784
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ED13CDD4-CA2E-43C5-B5AC-07BCE5073612}\fa-2d-d1-91-f6-c0	38a9b784
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-2d-d1-91-f6-c0\WpadDecision = "0"	38a9b784

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	38a9b784
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	38a9b784
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	38a9b784
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	mountvol.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	mountvol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	38a9b784

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1936	38a9b784
1936	38a9b784
1936	38a9b784
1936	38a9b784
1936	38a9b784
1936	38a9b784
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1936	38a9b784
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1292	Explorer.EXE

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	695526335af4b4ff3d8650ee928576effb496b1d2316fb2258718c32b6e946e5.exe
Token: SeTcbPrivilege	2472	695526335af4b4ff3d8650ee928576effb496b1d2316fb2258718c32b6e946e5.exe
Token: SeDebugPrivilege	1936	38a9b784
Token: SeTcbPrivilege	1936	38a9b784
Token: SeDebugPrivilege	1936	38a9b784
Token: SeDebugPrivilege	1292	Explorer.EXE
Token: SeDebugPrivilege	1292	Explorer.EXE
Token: SeDebugPrivilege	1936	38a9b784
Token: SeIncBasePriorityPrivilege	2472	695526335af4b4ff3d8650ee928576effb496b1d2316fb2258718c32b6e946e5.exe
Token: SeDebugPrivilege	2780	mountvol.exe
Token: SeDebugPrivilege	2780	mountvol.exe
Token: SeDebugPrivilege	2780	mountvol.exe
Token: SeIncBasePriorityPrivilege	1936	38a9b784
Token: SeDebugPrivilege	1292	Explorer.EXE
Token: SeDebugPrivilege	1292	Explorer.EXE
Token: SeDebugPrivilege	1292	Explorer.EXE
Token: SeDebugPrivilege	1292	Explorer.EXE
Token: SeDebugPrivilege	1292	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1292	Explorer.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 1292	1936	38a9b784	20
PID 1936 wrote to memory of 1292	1936	38a9b784	20
PID 1936 wrote to memory of 1292	1936	38a9b784	20
PID 1936 wrote to memory of 1292	1936	38a9b784	20
PID 1936 wrote to memory of 1292	1936	38a9b784	20
PID 1292 wrote to memory of 2780	1292	Explorer.EXE	28
PID 1292 wrote to memory of 2780	1292	Explorer.EXE	28
PID 1292 wrote to memory of 2780	1292	Explorer.EXE	28
PID 1292 wrote to memory of 2780	1292	Explorer.EXE	28
PID 1292 wrote to memory of 2780	1292	Explorer.EXE	28
PID 1292 wrote to memory of 2780	1292	Explorer.EXE	28
PID 1292 wrote to memory of 2780	1292	Explorer.EXE	28
PID 1292 wrote to memory of 2780	1292	Explorer.EXE	28
PID 1936 wrote to memory of 424	1936	38a9b784	3
PID 1936 wrote to memory of 424	1936	38a9b784	3
PID 1936 wrote to memory of 424	1936	38a9b784	3
PID 1936 wrote to memory of 424	1936	38a9b784	3
PID 1936 wrote to memory of 424	1936	38a9b784	3
PID 2472 wrote to memory of 1700	2472	695526335af4b4ff3d8650ee928576effb496b1d2316fb2258718c32b6e946e5.exe	31
PID 2472 wrote to memory of 1700	2472	695526335af4b4ff3d8650ee928576effb496b1d2316fb2258718c32b6e946e5.exe	31
PID 2472 wrote to memory of 1700	2472	695526335af4b4ff3d8650ee928576effb496b1d2316fb2258718c32b6e946e5.exe	31
PID 2472 wrote to memory of 1700	2472	695526335af4b4ff3d8650ee928576effb496b1d2316fb2258718c32b6e946e5.exe	31
PID 1700 wrote to memory of 2876	1700	cmd.exe	33
PID 1700 wrote to memory of 2876	1700	cmd.exe	33
PID 1700 wrote to memory of 2876	1700	cmd.exe	33
PID 1700 wrote to memory of 2876	1700	cmd.exe	33
PID 1936 wrote to memory of 1404	1936	38a9b784	35
PID 1936 wrote to memory of 1404	1936	38a9b784	35
PID 1936 wrote to memory of 1404	1936	38a9b784	35
PID 1936 wrote to memory of 1404	1936	38a9b784	35
PID 1404 wrote to memory of 2848	1404	cmd.exe	37
PID 1404 wrote to memory of 2848	1404	cmd.exe	37
PID 1404 wrote to memory of 2848	1404	cmd.exe	37
PID 1404 wrote to memory of 2848	1404	cmd.exe	37

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\695526335af4b4ff3d8650ee928576effb496b1d2316fb2258718c32b6e946e5.exe
  "C:\Users\Admin\AppData\Local\Temp\695526335af4b4ff3d8650ee928576effb496b1d2316fb2258718c32b6e946e5.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\695526335af4b4ff3d8650ee928576effb496b1d2316fb2258718c32b6e946e5.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:2876
- C:\ProgramData\Microsoft\mountvol.exe
  "C:\ProgramData\Microsoft\mountvol.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:2780

C:\Windows\Syswow64\38a9b784
C:\Windows\Syswow64\38a9b784
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\38a9b784"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\mountvol.exe

Filesize
14KB

MD5
2113b455b62ecebe1246117381c0d005

SHA1
0bae79d8a7b7a866fe808e92c1c96c052d8600f1

SHA256
15b4453744806f7be8b9a56791fc064501bab411423ba5d723d7cdd01e7bd321

SHA512
42b8adb2c721f2e3d445bab716ccbcb14a89104eb71917379c7ac2a8818dd9c0b66a83edf288bdc532bc19e1f715b12043fb17c6a905b40f0d742530c3c36c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7FD.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\SysWOW64\38a9b784

Filesize
280KB

MD5
10c7dc3b4ce0197fc0257a02678c3cfc

SHA1
e7381fa1c83beb3c597fd05777fe75d947180f9e

SHA256
457b086dd197623075138a5b910dbf968a1942bf1bfa120d00f690e293f1991d

SHA512
c42c4842e17feb5a92da4fe2488873f841fcffeb0607690b3e811b916f7ddf37841a74b04bce3710fd9c092920c779ebbcc69595bb1a7ac5c106a2dd5293af1e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Windows\Syswow64\38a9b784

Filesize
280KB

MD5
10c7dc3b4ce0197fc0257a02678c3cfc

SHA1
e7381fa1c83beb3c597fd05777fe75d947180f9e

SHA256
457b086dd197623075138a5b910dbf968a1942bf1bfa120d00f690e293f1991d

SHA512
c42c4842e17feb5a92da4fe2488873f841fcffeb0607690b3e811b916f7ddf37841a74b04bce3710fd9c092920c779ebbcc69595bb1a7ac5c106a2dd5293af1e

Download Submit
\ProgramData\Microsoft\mountvol.exe

Filesize
14KB

MD5
2113b455b62ecebe1246117381c0d005

SHA1
0bae79d8a7b7a866fe808e92c1c96c052d8600f1

SHA256
15b4453744806f7be8b9a56791fc064501bab411423ba5d723d7cdd01e7bd321

SHA512
42b8adb2c721f2e3d445bab716ccbcb14a89104eb71917379c7ac2a8818dd9c0b66a83edf288bdc532bc19e1f715b12043fb17c6a905b40f0d742530c3c36c4b

Download Submit
memory/1292-129-0x0000000003B30000-0x0000000003B31000-memory.dmp

Filesize
4KB

Download
memory/1292-131-0x0000000003B30000-0x0000000003B31000-memory.dmp

Filesize
4KB

Download
memory/1292-19-0x0000000006A70000-0x0000000006B67000-memory.dmp

Filesize
988KB

Download
memory/1292-149-0x0000000003B30000-0x0000000003B31000-memory.dmp

Filesize
4KB

Download
memory/1292-147-0x0000000003B30000-0x0000000003B31000-memory.dmp

Filesize
4KB

Download
memory/1292-145-0x0000000003B30000-0x0000000003B31000-memory.dmp

Filesize
4KB

Download
memory/1292-18-0x0000000002690000-0x0000000002693000-memory.dmp

Filesize
12KB

Download
memory/1292-143-0x0000000003B30000-0x0000000003B31000-memory.dmp

Filesize
4KB

Download
memory/1292-141-0x0000000003B30000-0x0000000003B31000-memory.dmp

Filesize
4KB

Download
memory/1292-139-0x0000000003B30000-0x0000000003B31000-memory.dmp

Filesize
4KB

Download
memory/1292-137-0x0000000003B30000-0x0000000003B31000-memory.dmp

Filesize
4KB

Download
memory/1292-135-0x0000000003B30000-0x0000000003B31000-memory.dmp

Filesize
4KB

Download
memory/1292-133-0x0000000003B30000-0x0000000003B31000-memory.dmp

Filesize
4KB

Download
memory/1292-20-0x0000000006A70000-0x0000000006B67000-memory.dmp

Filesize
988KB

Download
memory/1292-17-0x0000000002690000-0x0000000002693000-memory.dmp

Filesize
12KB

Download
memory/1292-127-0x0000000003B30000-0x0000000003B31000-memory.dmp

Filesize
4KB

Download
memory/1292-125-0x0000000003B30000-0x0000000003B31000-memory.dmp

Filesize
4KB

Download
memory/1292-16-0x0000000002690000-0x0000000002693000-memory.dmp

Filesize
12KB

Download
memory/1292-89-0x0000000006D40000-0x0000000006E0B000-memory.dmp

Filesize
812KB

Download
memory/1292-90-0x000007FEBEC10000-0x000007FEBEC20000-memory.dmp

Filesize
64KB

Download
memory/1292-121-0x0000000037120000-0x0000000037130000-memory.dmp

Filesize
64KB

Download
memory/1936-74-0x0000000000040000-0x00000000000CE000-memory.dmp

Filesize
568KB

Download
memory/1936-3-0x0000000000040000-0x00000000000CE000-memory.dmp

Filesize
568KB

Download
memory/2472-39-0x0000000000E30000-0x0000000000EBE000-memory.dmp

Filesize
568KB

Download
memory/2472-0-0x0000000000E30000-0x0000000000EBE000-memory.dmp

Filesize
568KB

Download
memory/2472-45-0x0000000000E30000-0x0000000000EBE000-memory.dmp

Filesize
568KB

Download
memory/2780-37-0x0000000001D20000-0x0000000001DEB000-memory.dmp

Filesize
812KB

Download
memory/2780-40-0x000007FEBEC10000-0x000007FEBEC20000-memory.dmp

Filesize
64KB

Download
memory/2780-42-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2780-41-0x0000000001D20000-0x0000000001DEB000-memory.dmp

Filesize
812KB

Download
memory/2780-75-0x0000000001D20000-0x0000000001DEB000-memory.dmp

Filesize
812KB

Download
memory/2780-36-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/2780-32-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/2780-26-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2780-24-0x0000000000120000-0x00000000001E3000-memory.dmp

Filesize
780KB

Download