36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe
Size

1.4MB
MD5

c3a778773d111438753b04f1fdd1c015
SHA1

178ed102913cb579e567aa3e80ed1638e37b93d0
SHA256

36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9
SHA512

a8b081ef60acb557e9973b26f7e7e999421283c3008770c67128400cec0fb819999e9e0aad9a494eea8bda8121fa9d8b5a24a1372ffa6d06f1c22d11f1edc6bd
SSDEEP

12288:DSvO2x9mONvKRhLSFROkx2LIaCy+Bg0tmyyyI:2vO2xJKRh2bOkx2LFV+Bg6M

Score

10^/10

upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1268 created 424	1268	Explorer.EXE	3

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\93I6n6FxT.sys	finger.exe

Deletes itself 1 IoCs

pid	Process
2976	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3060	20423910
2832	finger.exe

Loads dropped DLL 1 IoCs

pid	Process
1268	Explorer.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2472-0-0x00000000011A0000-0x000000000122C000-memory.dmp	upx
behavioral1/files/0x0008000000012020-2.dat	upx
behavioral1/memory/3060-3-0x00000000002E0000-0x000000000036C000-memory.dmp	upx
behavioral1/memory/2472-19-0x00000000011A0000-0x000000000122C000-memory.dmp	upx
behavioral1/memory/3060-20-0x00000000002E0000-0x000000000036C000-memory.dmp	upx
behavioral1/memory/2472-51-0x00000000011A0000-0x000000000122C000-memory.dmp	upx
behavioral1/memory/3060-80-0x00000000002E0000-0x000000000036C000-memory.dmp	upx
behavioral1/files/0x0008000000012020-84.dat	upx
behavioral1/memory/2832-106-0x0000000000880000-0x00000000008A8000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	20423910
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	20423910
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	20423910
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	finger.exe
File created	C:\Windows\Syswow64\20423910	36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	20423910
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	finger.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	finger.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	20423910
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	20423910
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	20423910
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4	20423910
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	finger.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	finger.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	finger.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	finger.exe
File created	C:\Windows\system32\ \Windows\System32\uxTp522.sys	finger.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	20423910
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	20423910
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4	20423910
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	finger.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	finger.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	finger.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\finger.exe	Explorer.EXE
File opened for modification	C:\Program Files\finger.exe	Explorer.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\346368	20423910
File created	C:\Windows\cS755bTy.sys	finger.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1220	timeout.exe
2844	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	20423910
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	20423910
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	finger.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	20423910
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	20423910
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	20423910
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f001a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	finger.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	finger.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B8251E4-1CD2-466B-9FA9-F54AB1A05226}\WpadDecisionTime = d0caa70f67fcd901	20423910
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-e4-c6-1d-63-2c\WpadDecisionTime = d0caa70f67fcd901	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	finger.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f001a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	20423910
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B8251E4-1CD2-466B-9FA9-F54AB1A05226}\WpadNetworkName = "Network 2"	20423910
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	finger.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-e4-c6-1d-63-2c\WpadDecisionTime = b024f11367fcd901	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	20423910
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	20423910
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B8251E4-1CD2-466B-9FA9-F54AB1A05226}	20423910
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-e4-c6-1d-63-2c	20423910
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	20423910
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	20423910
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	20423910
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	finger.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	20423910
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	20423910
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	20423910
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-e4-c6-1d-63-2c\WpadDetectedUrl	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	finger.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B8251E4-1CD2-466B-9FA9-F54AB1A05226}\WpadDecision = "0"	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	20423910
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	20423910
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	finger.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	20423910
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-e4-c6-1d-63-2c	finger.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B8251E4-1CD2-466B-9FA9-F54AB1A05226}\WpadDecisionReason = "1"	20423910
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	finger.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B8251E4-1CD2-466B-9FA9-F54AB1A05226}\WpadDecisionReason = "1"	finger.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B8251E4-1CD2-466B-9FA9-F54AB1A05226}\WpadDecisionTime = b024f11367fcd901	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	20423910
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	20423910
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	20423910
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	20423910
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	finger.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	finger.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	20423910
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	20423910
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	20423910
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	20423910
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	finger.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	finger.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3060	20423910
3060	20423910
3060	20423910
3060	20423910
3060	20423910
3060	20423910
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
3060	20423910
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe
2832	finger.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1268	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe
Token: SeTcbPrivilege	2472	36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe
Token: SeDebugPrivilege	3060	20423910
Token: SeTcbPrivilege	3060	20423910
Token: SeDebugPrivilege	3060	20423910
Token: SeDebugPrivilege	1268	Explorer.EXE
Token: SeDebugPrivilege	1268	Explorer.EXE
Token: SeIncBasePriorityPrivilege	2472	36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe
Token: SeDebugPrivilege	3060	20423910
Token: SeDebugPrivilege	2832	finger.exe
Token: SeDebugPrivilege	2832	finger.exe
Token: SeDebugPrivilege	2832	finger.exe
Token: SeIncBasePriorityPrivilege	3060	20423910

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 1268	3060	20423910	18
PID 3060 wrote to memory of 1268	3060	20423910	18
PID 3060 wrote to memory of 1268	3060	20423910	18
PID 3060 wrote to memory of 1268	3060	20423910	18
PID 3060 wrote to memory of 1268	3060	20423910	18
PID 1268 wrote to memory of 2832	1268	Explorer.EXE	29
PID 1268 wrote to memory of 2832	1268	Explorer.EXE	29
PID 1268 wrote to memory of 2832	1268	Explorer.EXE	29
PID 1268 wrote to memory of 2832	1268	Explorer.EXE	29
PID 1268 wrote to memory of 2832	1268	Explorer.EXE	29
PID 1268 wrote to memory of 2832	1268	Explorer.EXE	29
PID 1268 wrote to memory of 2832	1268	Explorer.EXE	29
PID 1268 wrote to memory of 2832	1268	Explorer.EXE	29
PID 3060 wrote to memory of 424	3060	20423910	3
PID 3060 wrote to memory of 424	3060	20423910	3
PID 3060 wrote to memory of 424	3060	20423910	3
PID 3060 wrote to memory of 424	3060	20423910	3
PID 3060 wrote to memory of 424	3060	20423910	3
PID 2472 wrote to memory of 2976	2472	36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe	31
PID 2472 wrote to memory of 2976	2472	36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe	31
PID 2472 wrote to memory of 2976	2472	36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe	31
PID 2472 wrote to memory of 2976	2472	36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe	31
PID 2976 wrote to memory of 2844	2976	cmd.exe	33
PID 2976 wrote to memory of 2844	2976	cmd.exe	33
PID 2976 wrote to memory of 2844	2976	cmd.exe	33
PID 2976 wrote to memory of 2844	2976	cmd.exe	33
PID 3060 wrote to memory of 2168	3060	20423910	34
PID 3060 wrote to memory of 2168	3060	20423910	34
PID 3060 wrote to memory of 2168	3060	20423910	34
PID 3060 wrote to memory of 2168	3060	20423910	34
PID 2168 wrote to memory of 1220	2168	cmd.exe	36
PID 2168 wrote to memory of 1220	2168	cmd.exe	36
PID 2168 wrote to memory of 1220	2168	cmd.exe	36
PID 2168 wrote to memory of 1220	2168	cmd.exe	36

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424
- C:\Program Files\finger.exe
  "C:\Program Files\finger.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe
  "C:\Users\Admin\AppData\Local\Temp\36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:2844

C:\Windows\Syswow64\20423910
C:\Windows\Syswow64\20423910
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\20423910"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\finger.exe

Filesize
11KB

MD5
c19ad632b95e9d78384166ba76f47ebb

SHA1
73be604b616e2bf9afa032b80ad480b16401be7a

SHA256
9e1be0cef21da54f815e49e97ff378c7b894cb4ccbf9407e2f629c1879aad6a1

SHA512
9f896182654d6fcab429255f358ff4f9ee914ea53dace01fee873988f20baeca5f832329f76a3ab29000664218a82552343d8dccffc646b46bd26a14fc183758

Download Submit
C:\Users\Admin\AppData\Local\Temp\a190ce1c.tmp

Filesize
11.6MB

MD5
5244c87dbafa1f764b258766005dea73

SHA1
84cb8b4fb3e0910cfecfb31b6fa54c16d940e703

SHA256
077035f93ddc3ac5a8b5631d43826baf7722256eb1c4716b3c2567f07379bc40

SHA512
54d64d32e73e2752cdf9a110db17ad64574eb072df0ed0dc34a7e4bc469c03aa79ef7d45465e279ef85d5fc6b33a1b750b181476cdea7ea98898ddba9aa60438

Download Submit
C:\Windows\SysWOW64\20423910

Filesize
1.4MB

MD5
573b42b75826cdc22e426796550f1611

SHA1
4154e5d8567d65340e0bb13cc203343a7d15740e

SHA256
0a7d7c6f1b540ec5492298d96674360cc12b720ce879fdd13ce50f34b47e77c2

SHA512
ecb05a941b223a3cb13b78746436b3c60ab5ed9fa390b4afad68488984adc47e487d629b266be9db1866badaa51db7732baf87e98a56eb791bc54e74baff687c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Windows\Syswow64\20423910

Filesize
1.4MB

MD5
573b42b75826cdc22e426796550f1611

SHA1
4154e5d8567d65340e0bb13cc203343a7d15740e

SHA256
0a7d7c6f1b540ec5492298d96674360cc12b720ce879fdd13ce50f34b47e77c2

SHA512
ecb05a941b223a3cb13b78746436b3c60ab5ed9fa390b4afad68488984adc47e487d629b266be9db1866badaa51db7732baf87e98a56eb791bc54e74baff687c

Download Submit
\Program Files\finger.exe

Filesize
11KB

MD5
c19ad632b95e9d78384166ba76f47ebb

SHA1
73be604b616e2bf9afa032b80ad480b16401be7a

SHA256
9e1be0cef21da54f815e49e97ff378c7b894cb4ccbf9407e2f629c1879aad6a1

SHA512
9f896182654d6fcab429255f358ff4f9ee914ea53dace01fee873988f20baeca5f832329f76a3ab29000664218a82552343d8dccffc646b46bd26a14fc183758

Download Submit
memory/424-47-0x0000000000880000-0x00000000008A8000-memory.dmp

Filesize
160KB

Download
memory/1268-26-0x0000000006A30000-0x0000000006B29000-memory.dmp

Filesize
996KB

Download
memory/1268-27-0x0000000006A30000-0x0000000006B29000-memory.dmp

Filesize
996KB

Download
memory/1268-25-0x0000000002150000-0x0000000002153000-memory.dmp

Filesize
12KB

Download
memory/1268-50-0x0000000006A30000-0x0000000006B29000-memory.dmp

Filesize
996KB

Download
memory/1268-23-0x0000000002150000-0x0000000002153000-memory.dmp

Filesize
12KB

Download
memory/2472-0-0x00000000011A0000-0x000000000122C000-memory.dmp

Filesize
560KB

Download
memory/2472-51-0x00000000011A0000-0x000000000122C000-memory.dmp

Filesize
560KB

Download
memory/2472-19-0x00000000011A0000-0x000000000122C000-memory.dmp

Filesize
560KB

Download
memory/2832-44-0x000007FEBE010000-0x000007FEBE020000-memory.dmp

Filesize
64KB

Download
memory/2832-104-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/2832-43-0x00000000003C0000-0x000000000048B000-memory.dmp

Filesize
812KB

Download
memory/2832-41-0x00000000003C0000-0x000000000048B000-memory.dmp

Filesize
812KB

Download
memory/2832-39-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/2832-36-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/2832-33-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2832-58-0x00000000003C0000-0x000000000048B000-memory.dmp

Filesize
812KB

Download
memory/2832-31-0x0000000000140000-0x0000000000203000-memory.dmp

Filesize
780KB

Download
memory/2832-116-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2832-115-0x00000000043F0000-0x00000000045B5000-memory.dmp

Filesize
1.8MB

Download
memory/2832-40-0x00000000003C0000-0x000000000048B000-memory.dmp

Filesize
812KB

Download
memory/2832-106-0x0000000000880000-0x00000000008A8000-memory.dmp

Filesize
160KB

Download
memory/2832-107-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2832-108-0x0000000000880000-0x00000000008A8000-memory.dmp

Filesize
160KB

Download
memory/2832-109-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2832-110-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2832-111-0x00000000043F0000-0x00000000045B5000-memory.dmp

Filesize
1.8MB

Download
memory/2832-112-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2832-113-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2832-114-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3060-20-0x00000000002E0000-0x000000000036C000-memory.dmp

Filesize
560KB

Download
memory/3060-80-0x00000000002E0000-0x000000000036C000-memory.dmp

Filesize
560KB

Download
memory/3060-3-0x00000000002E0000-0x000000000036C000-memory.dmp

Filesize
560KB

Download