78f3c6c29aee2c929396a110dff21af45fac3563ea9108f136221a0107cb6ad5

Resubmissions

22/12/2023, 10:03

231222-l3e7safdhj 8

22/12/2023, 08:56

231222-kv19lsgab9 7

14/08/2023, 12:27

230814-pmrsesca25 7

Analysis

max time kernel
412s
max time network
398s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Device/HarddiskVolume1/Users/RinuThomas/Documents/Rkays office/PAAET/transas 01-2013 mfc & tgs/david.exe
Size

5.8MB
MD5

8b15eb749457b601495c87f465c525f4
SHA1

13ddfa1862b74bdbbc06fc8766b36b9b73b25760
SHA256

3b61ce3d5d75fe4a90313741cdfa71c47ba6543fc568ab3293ed33983ff717d8
SHA512

370692e5d36d3fe4d4f42cd3d5d00987b54ca834582b6668f30d44beba1540ad1aa31f2429d0aac0350465b53e72f8ffc67ac459005b7f2a585e4219d4b2022f
SSDEEP

98304:JlN/A476UGGtP3G0FWPuJeXIWPafmioWzyN52lop0vBmL+1fKdqFT0CHVHkVE29L:JH/6UGGRGUeuoXI/mioWzm5u2gcL+tFe

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5108	ApnStub.exe
2296	ImgBurn.exe

Loads dropped DLL 10 IoCs

pid	Process
5108	ApnStub.exe
5108	ApnStub.exe
5104	david.exe
5104	david.exe
5104	david.exe
5104	david.exe
5104	david.exe
5104	david.exe
5104	david.exe
5104	david.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023247-145.dat	upx
behavioral1/files/0x0007000000023247-309.dat	upx
behavioral1/files/0x0007000000023247-312.dat	upx
behavioral1/memory/2296-314-0x0000000000400000-0x0000000001061000-memory.dmp	upx
behavioral1/memory/2296-355-0x0000000000400000-0x0000000001061000-memory.dmp	upx
behavioral1/memory/2296-358-0x0000000000400000-0x0000000001061000-memory.dmp	upx
behavioral1/memory/2296-359-0x0000000000400000-0x0000000001061000-memory.dmp	upx
behavioral1/memory/2296-372-0x0000000000400000-0x0000000001061000-memory.dmp	upx
behavioral1/memory/2296-385-0x0000000000400000-0x0000000001061000-memory.dmp	upx
behavioral1/memory/2296-394-0x0000000000400000-0x0000000001061000-memory.dmp	upx
behavioral1/memory/2296-427-0x0000000000400000-0x0000000001061000-memory.dmp	upx
behavioral1/memory/2296-429-0x0000000000400000-0x0000000001061000-memory.dmp	upx
behavioral1/memory/2296-430-0x0000000000400000-0x0000000001061000-memory.dmp	upx
behavioral1/memory/2296-431-0x0000000000400000-0x0000000001061000-memory.dmp	upx
behavioral1/memory/2296-432-0x0000000000400000-0x0000000001061000-memory.dmp	upx
behavioral1/memory/2296-433-0x0000000000400000-0x0000000001061000-memory.dmp	upx
behavioral1/memory/2296-434-0x0000000000400000-0x0000000001061000-memory.dmp	upx
behavioral1/memory/2296-435-0x0000000000400000-0x0000000001061000-memory.dmp	upx
behavioral1/memory/2296-436-0x0000000000400000-0x0000000001061000-memory.dmp	upx
behavioral1/memory/2296-441-0x0000000000400000-0x0000000001061000-memory.dmp	upx
behavioral1/memory/2296-573-0x0000000000400000-0x0000000001061000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	ImgBurn.exe
File opened (read-only)	\??\I:	ImgBurn.exe
File opened (read-only)	\??\J:	ImgBurn.exe
File opened (read-only)	\??\K:	ImgBurn.exe
File opened (read-only)	\??\L:	ImgBurn.exe
File opened (read-only)	\??\O:	ImgBurn.exe
File opened (read-only)	\??\S:	ImgBurn.exe
File opened (read-only)	\??\D:	ImgBurn.exe
File opened (read-only)	\??\B:	ImgBurn.exe
File opened (read-only)	\??\E:	ImgBurn.exe
File opened (read-only)	\??\G:	ImgBurn.exe
File opened (read-only)	\??\H:	ImgBurn.exe
File opened (read-only)	\??\N:	ImgBurn.exe
File opened (read-only)	\??\Z:	ImgBurn.exe
File opened (read-only)	\??\V:	ImgBurn.exe
File opened (read-only)	\??\W:	ImgBurn.exe
File opened (read-only)	\??\M:	ImgBurn.exe
File opened (read-only)	\??\P:	ImgBurn.exe
File opened (read-only)	\??\Q:	ImgBurn.exe
File opened (read-only)	\??\R:	ImgBurn.exe
File opened (read-only)	\??\T:	ImgBurn.exe
File opened (read-only)	\??\U:	ImgBurn.exe
File opened (read-only)	\??\X:	ImgBurn.exe
File opened (read-only)	\??\Y:	ImgBurn.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	ImgBurn.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ImgBurn\ReadMe.txt	david.exe
File created	C:\Program Files (x86)\ImgBurn\Sounds\Error.wav	david.exe
File created	C:\Program Files (x86)\ImgBurn\uninstall.exe	david.exe
File created	C:\Program Files (x86)\ImgBurn\Uniblue\DriverScanner.ico	david.exe
File created	C:\Program Files (x86)\ImgBurn\Uniblue\SpeedUpMyPC.ico	david.exe
File created	C:\Program Files (x86)\ImgBurn\ImgBurn.exe	david.exe
File created	C:\Program Files (x86)\ImgBurn\Sounds\Success.wav	david.exe
File created	C:\Program Files (x86)\ImgBurn\Uniblue\RegistryBooster.ico	david.exe
File created	C:\Program Files (x86)\ImgBurn\ImgBurnPreview.exe	david.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	ImgBurn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LocationInformation	ImgBurn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	ImgBurn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	ImgBurn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	ImgBurn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	ImgBurn.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.ape	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.ape\ = "Disc Image File"	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.cue\shell	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.dvd\ = "Disc Image File"	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.ccd\shell\open	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.ibb\shell	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.lst\FriendlyTypeName = "Disc Image File"	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.nrg\DefaultIcon	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.nrg\DefaultIcon\ = "C:\\Program Files (x86)\\ImgBurn\\ImgBurn.exe,1"	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.pdi\FriendlyTypeName = "Disc Image File"	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.pdi\shell\open\command\ = "\"C:\\Program Files (x86)\\ImgBurn\\ImgBurn.exe\" /MODE WRITE /SOURCE \"%1\""	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.dvd\shell	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.flac\DefaultIcon	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.ibq	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.iso	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.cdr\shell\open\ = "Burn using ImgBurn"	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.gcm\shell\open	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.gi\shell\open\command	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.ibb\DefaultIcon\ = "C:\\Program Files (x86)\\ImgBurn\\ImgBurn.exe,1"	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.img\ = "Disc Image File"	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.mds\shell\open\command	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.cdi\shell\open	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.di\shell\open\ = "Burn using ImgBurn"	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.gi\FriendlyTypeName = "Disc Image File"	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.wv\ = "Disc Image File"	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.cdr\ = "Disc Image File"	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.di\shell\open\command\ = "\"C:\\Program Files (x86)\\ImgBurn\\ImgBurn.exe\" /MODE WRITE /SOURCE \"%1\""	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.nrg\ = "Disc Image File"	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.ibb	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.ibq\FriendlyTypeName = "ImgBurn Queue File"	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.img\shell\open\command	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.bin\shell\open\ = "Burn using ImgBurn"	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.pdi\DefaultIcon\ = "C:\\Program Files (x86)\\ImgBurn\\ImgBurn.exe,1"	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.cdr\shell\open\command	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.img	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.nrg	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.ccd\shell\open\command\ = "\"C:\\Program Files (x86)\\ImgBurn\\ImgBurn.exe\" /MODE WRITE /SOURCE \"%1\""	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.img\shell	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.wv\shell\open\command	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.ibq\shell\open\command\ = "\"C:\\Program Files (x86)\\ImgBurn\\ImgBurn.exe\" /MODE WRITE /SOURCE \"%1\""	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.flac\shell\open\command	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.gi\DefaultIcon	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.ibq\shell\open\ = "Burn using ImgBurn"	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.dvd\shell\open\ = "Burn using ImgBurn"	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.flac\shell\open\command\ = "\"C:\\Program Files (x86)\\ImgBurn\\ImgBurn.exe\" /MODE WRITE /SOURCE \"%1\""	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.ibb\shell\open	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.ibb\shell\open\ = "Burn using ImgBurn"	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.ibq\DefaultIcon	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.iso\shell\open\command\ = "\"C:\\Program Files (x86)\\ImgBurn\\ImgBurn.exe\" /MODE WRITE /SOURCE \"%1\""	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.nrg\shell	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.gi\shell	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.lst\DefaultIcon	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.cue\shell\open	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.mds\ = "Disc Image File"	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.nrg\shell\open\command	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.di\shell\open\command	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.flac\DefaultIcon\ = "C:\\Program Files (x86)\\ImgBurn\\ImgBurn.exe,1"	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.ibb\ = "ImgBurn Project File"	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.bin\DefaultIcon\ = "C:\\Program Files (x86)\\ImgBurn\\ImgBurn.exe,1"	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.cdi\shell\open\command\ = "\"C:\\Program Files (x86)\\ImgBurn\\ImgBurn.exe\" /MODE WRITE /SOURCE \"%1\""	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.gcm	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.lst\ = "Disc Image File"	david.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.pdi\shell\open\command	david.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImgBurn.AssocFile.udi\DefaultIcon\ = "C:\\Program Files (x86)\\ImgBurn\\ImgBurn.exe,1"	david.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	ApnStub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	ApnStub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	ApnStub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	ApnStub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	ApnStub.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
5104	david.exe
5104	david.exe
1924	msedge.exe
1924	msedge.exe
2960	msedge.exe
2960	msedge.exe
400	identity_helper.exe
400	identity_helper.exe
2296	ImgBurn.exe
2296	ImgBurn.exe
2296	ImgBurn.exe
2296	ImgBurn.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
3040	msedge.exe
3040	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5104	david.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	ImgBurn.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
2296	ImgBurn.exe
2296	ImgBurn.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2296	ImgBurn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 5108	5104	david.exe	89
PID 5104 wrote to memory of 5108	5104	david.exe	89
PID 5104 wrote to memory of 5108	5104	david.exe	89
PID 5104 wrote to memory of 1924	5104	david.exe	99
PID 5104 wrote to memory of 1924	5104	david.exe	99
PID 1924 wrote to memory of 4112	1924	msedge.exe	100
PID 1924 wrote to memory of 4112	1924	msedge.exe	100
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2732	1924	msedge.exe	102
PID 1924 wrote to memory of 2960	1924	msedge.exe	101
PID 1924 wrote to memory of 2960	1924	msedge.exe	101
PID 1924 wrote to memory of 2500	1924	msedge.exe	103
PID 1924 wrote to memory of 2500	1924	msedge.exe	103
PID 1924 wrote to memory of 2500	1924	msedge.exe	103
PID 1924 wrote to memory of 2500	1924	msedge.exe	103
PID 1924 wrote to memory of 2500	1924	msedge.exe	103
PID 1924 wrote to memory of 2500	1924	msedge.exe	103
PID 1924 wrote to memory of 2500	1924	msedge.exe	103
PID 1924 wrote to memory of 2500	1924	msedge.exe	103
PID 1924 wrote to memory of 2500	1924	msedge.exe	103
PID 1924 wrote to memory of 2500	1924	msedge.exe	103
PID 1924 wrote to memory of 2500	1924	msedge.exe	103
PID 1924 wrote to memory of 2500	1924	msedge.exe	103
PID 1924 wrote to memory of 2500	1924	msedge.exe	103
PID 1924 wrote to memory of 2500	1924	msedge.exe	103
PID 1924 wrote to memory of 2500	1924	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume1\Users\RinuThomas\Documents\Rkays office\PAAET\transas 01-2013 mfc & tgs\david.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume1\Users\RinuThomas\Documents\Rkays office\PAAET\transas 01-2013 mfc & tgs\david.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\ApnStub.exe
  "C:\Users\Admin\AppData\Local\Temp\ApnStub.exe" /tb=IMB
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.imgburn.com/index.php?act=installation_complete
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ff8bd6546f8,0x7ff8bd654708,0x7ff8bd654718
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=fallback-handler --database="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --exception-pointers=64613491130368 --process=176 /prefetch:7 --thread=1744
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,16765374365919632036,267722033586157197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16765374365919632036,267722033586157197,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:2732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,16765374365919632036,267722033586157197,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
    3⤵
    PID:2500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16765374365919632036,267722033586157197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    3⤵
    PID:2108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16765374365919632036,267722033586157197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    3⤵
    PID:2816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16765374365919632036,267722033586157197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
    3⤵
    PID:2624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16765374365919632036,267722033586157197,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
    3⤵
    PID:3920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16765374365919632036,267722033586157197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    3⤵
    PID:1232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16765374365919632036,267722033586157197,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
    3⤵
    PID:4560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16765374365919632036,267722033586157197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
    3⤵
    PID:772
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16765374365919632036,267722033586157197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3964 /prefetch:8
    3⤵
    PID:3116
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16765374365919632036,267722033586157197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3964 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16765374365919632036,267722033586157197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
    3⤵
    PID:2116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16765374365919632036,267722033586157197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
    3⤵
    PID:2492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16765374365919632036,267722033586157197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:1
    3⤵
    PID:1052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16765374365919632036,267722033586157197,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3704 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:748
- C:\Program Files (x86)\ImgBurn\ImgBurn.exe
  "C:\Program Files (x86)\ImgBurn\ImgBurn.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ImgBurn\ImgBurn.exe

Filesize
1.2MB

MD5
5499f7e1ccbb3746fa5ed8791013fa67

SHA1
982c3bf701fde36a500f5d080df15c54e3fc0c32

SHA256
e38052ead5f11638b38ed81a2d29410fc47275d17c592834c0b07efb318ce188

SHA512
0d2611a6d85ed24ffb88a3b5294a72acd72d8e1e36aa815154b42d86c869d985d58a5ae55ecc7195ac82ebb7319bc38d0494f6d37740c48a65e222dc0a9c6760

Download Submit
C:\Program Files (x86)\ImgBurn\ImgBurn.exe

Filesize
190KB

MD5
124928afac0a523c42d0c23d05484334

SHA1
fefc1f2a078c17b56dac045117bdaf02eae6d08a

SHA256
ff7933753edc236c18529bc7256a9773c2c033efbe4de5a9c5c04c63de5696c6

SHA512
81b503ba3d0dcedb83bdff2b8e19dd8989ebe092215d87bf0ae6e25e1ef13ede6c0f33dd13982aaaadf28e290ebc6126068ddb7b23a82282105807f174a3dffa

Download Submit
C:\Program Files (x86)\ImgBurn\ImgBurn.exe

Filesize
128KB

MD5
b2a812c716f1c62604a56cb6409edd18

SHA1
ef7fd63b89803796883b128dc90e232748cf1c96

SHA256
fe9d39e67776b774c98ef137dbdc0341a338b2af633316bccad2d3a8a2fa20bf

SHA512
4cf105940230c8478eec74c7bc042827f0be9e027497312bd918c6f641f10076f23a772f6a9d84dc83423496481e239afd68155ddbbcfc63a991bd77f3f52de4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d5564ccbd62bac229941d2812fc4bfba

SHA1
0483f8496225a0f2ca0d2151fab40e8f4f61ab6d

SHA256
d259ff04090cbde3b87a54554d6e2b8a33ba81e9483acbbe3e6bad15cbde4921

SHA512
300cda7933e8af577bdc1b20e6d4279d1e418cdb0571c928b1568bfea3c231ba632ccb67313ae73ddeae5586d85db95caffaedd23e973d437f8496a8c5a15025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
6d93b924dab03915d40ae46a2a051a56

SHA1
e04f02fed46f1353d262dfe006a91635aefcd9a2

SHA256
eba3f9a80122bd779b8dec8053fc1d462272f376442969ffa37cbbfa9be560ba

SHA512
74cd2250edcdacaa7a02276a3e04946c0a31a95e10aa0fa48fb11a0405e9d333e16f73dba52f3b439a39b4e68dc0426c444c41dc23c02a86505ff3826cfb374a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
297558d6080d4aef04a3d0f6a6b450f1

SHA1
82e82b5f98237f3503f8d273a396ff8d372ac108

SHA256
79ef7e00ca1f0220a9e581ec51948df9c92588835889cae81d1818e89a1d6e4c

SHA512
612ba7ff10538bb1fec6979425e433bdc173c95b20e872dc792afaa1a7e86bddfffd0c36e70ac5d80647eb37f4f6af2ad1b9ddef3a57242c234b85228484a280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
65a524f5e5b7a50e6b36a3e2e0545344

SHA1
a7e858c70e89d3cb349f8f047dce31026ad1a8ca

SHA256
2730eb4da4f722be4293623a4abdf8dc381113b61c00b814e44460f527fa1911

SHA512
3c142f00d6eebcaff635deef3511621f3b6ec89cebfbaa59b72230ce92d2b7141bfd94793a2291c5d1e83fc7127178e96970e444315155152c13d4a8bbc47bfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
030535ed19b679ab8f849e17fefbe16a

SHA1
68c0dcc7373152fdb152bda5e0878cf29862e519

SHA256
136e348d67dfa7716ce5e34dc99712bd36b52c489f87a56e284d723379b4feb9

SHA512
433e6d1f8ca86ba8c2834ff74fd84b28a265052af77e5d65d0eaa4017e161b1d750cf26c172c2787b865bcd8c65a1f7dda5eaa67ebee2e5ed53826b865793c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f265c9999d8215d2d7a91f2447ec7e01

SHA1
fc0a7de9dc18b41d71a94c4d22a87a750d11cb8a

SHA256
8707f89eb8e2146f1b6ef274c4062a52a824cc6a3e589519abbd514a1519ccd3

SHA512
13af1fda4ea4cc1751a088c9c6c91a7825e3282cdc8058fad5dbaf695a072d487a2f35063c5504676419b9b25627a836369b1f04a951af8c4eaa3768e2f2e8f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7d8a3281c559ced5254e5a675484eddc

SHA1
c34bbe5e23804be5ea815aef86ce9f9dad5f8f0f

SHA256
44836a779c0c7eeea628f847d8b29d3c64797defa5714bc31c1d5b04ed98a4d2

SHA512
85c6765a30546dea8697765ce68a81ba4b2e82e79fe929bf009298b81ef2260277516f0a4996f4598311a9c3921c011293cd259ae134170a3babf24ab051ef94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e29c90d929332adfd89072b1e9095abd

SHA1
6768d00e58810296a40161dc73c354cc30cffe84

SHA256
0d77c6c735af1329ef780a85aa4292c5e22b2ea33262715925e4a645ba669578

SHA512
ce6bc240072f6d73b2337cd7f344c10bc1f9b5a6cc29ff9347831c53c8be9fceddaeb1a793c6b4f66bd92951a5205f507b5b92108063716f3641db19d5941f96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1665f2e9f2e485721eda9a6b04fbcd86

SHA1
54c70a5459a771aade5ff3f66db6a341d1658084

SHA256
8d045a31a3579d83fcfb2e522304f1df6df29f61629dd87adc8eed378ed75b1b

SHA512
bc1eb57c7b892ce5c3d8165a738a4ccc8cd90dcb39b21460df5bca2db7b1a3734ef13642ae8883a83cbc0effc3ab99df98c0ecddd54ae80671fb7f8deb134f9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1d1c7c7f0b54eb8ba4177f9e91af9dce

SHA1
2b0f0ceb9a374fec8258679c2a039fbce4aff396

SHA256
555c13933eae4e0b0e992713ed8118e2980442f89fbdfb06d3914b607edbbb18

SHA512
4c8930fe2c805c54c0076408aba3fbfb08c24566fba9f6a409b5b1308d39c7b26c96717d43223632f1f71d2e9e68a01b43a60031be8f1ca7a541fe0f56f4d9f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
def8e3a012f3f8f1ad88fbccb4056452

SHA1
de3aa2e30f83b62d23f097b1d79a293852e38329

SHA256
285793cfe04711f3bfe12893447c2808681e1eadf153aebdd79e21511225a00e

SHA512
5653e190a75ef67927e8a4e574870f60bc24271fc18ca0048e6068bc674491d5a8b87e14c79cdd0cb02472e80b14c19edd3ec5c2d9c0cac8f4a7b8115a6795d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59b685.TMP

Filesize
538B

MD5
6582ea553cf24679e8518d002e8eb7b7

SHA1
52683795397a4bf5954e08a47e6262267230a825

SHA256
0d2999e384be365d6334c52bd79f11b5ce0f1aefff0adc151dd58fd95438fb6b

SHA512
51b50bae6369f898c4e9396fc3481db04a355034c51d3e3ff170c182d795256e1e3ea6cac982eb78a1e5f1cb26b6fdf0eeb10fc25dfc231de3435aa9c01c25dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e76cec884b8f629f484c973112256708

SHA1
db09bf057f55b9f8bfa501443b74cc3813cbd4f4

SHA256
67d78663561ef4ffa2af85b55850bccff5e1bfa430665b49aaf5301bfd2ee611

SHA512
87111eb62d481475783e972e1db2ba99f2e7304a0c0fbfabca43dade856443ae3561f987c1998925874dfc2ad0f70ad8fdb68fc54c776dd69347f338a1a0a948

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b0b72d56638a4baaaafd59a132760d6a

SHA1
50fc581e15c729862e04377b0d4531097ad54496

SHA256
2edbced08754e8a748422f6086602d1b18ba4b1d299a16c4b90841fd20640dde

SHA512
0e11fa31d99f03483e2b44fad4b9e0242188bb833c567a3e6d2bcfdd9f4ec4e194e917d8568630a785eb44d4749f6fcb192e79dc5560a7558cb70dd9d00c0cc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1761be319088e61692981c9d74121e15

SHA1
7d4456ab85dc15e5b05c39b5c6930299a2150baa

SHA256
e4d281194c7be973a11c149e10cde827ea08c9acb8f2a7ccf40246f2196f1fec

SHA512
3d836eea7e05da701ce7071327317ed246434f431aedf13b92425b8c26faa5e10b7be439b1d4c6675071efdcee5c21a9bd79e57ccc9c54e6016a6fac2fd426e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
1KB

MD5
aa77e77960a4cecc46324ff086debcb2

SHA1
c8bb4ed1b80984b0dc063d2d722c7c41cdd6f5d2

SHA256
02e8779e4aca4fdbf2939064cac8780dcdfc57a5c1fb591c6116cb7f5c853015

SHA512
fa085d5ea52db69ae4e3b574eed80621733a8f1b529c4e1e128a75fb6bba9cecc21432be3f786f24a6eaee297f48e515dbbc84bdda978d07e55b4819f5b5ea55

Download Submit
C:\Users\Admin\AppData\Local\Temp\APNIC.dll

Filesize
240KB

MD5
197215658b8015182192e1ebca3bbcc3

SHA1
40e49124ad0b55a25f947333ca88e9d0bc30a7e3

SHA256
08db125c09eb53cc28e7bc7c427b6c2217ff6134a122e6d65d1d24f70e875d9e

SHA512
5fe9d6c96c817bd64ea78ff511734e9e11e6ca13b4506b589156a801fa4fed568c37d958cfafb96ad86ee1229ceeb35165965cb776f3a74cafaedb1a946bbf79

Download Submit
C:\Users\Admin\AppData\Local\Temp\ApnStub.exe

Filesize
139KB

MD5
c36923084822c017f69396418a999d39

SHA1
fdc2005ced8acf86c68fe1b86b0698d0539e8ce0

SHA256
7a158fdeea8f7107be5ce40242546a503193aa1c278f74a4730871b8edd0ba76

SHA512
fb1106d4f4a138cad28a4282cb00c72688e03610be1d31a7cdd7b42b23e00e4f7ca9e731a7ab016d5920411707e165e3ee48164ef520112d8ac36fad85749c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6F56.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6F56.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6F56.tmp\StartMenu.dll

Filesize
7KB

MD5
a4173b381625f9f12aadb4e1cdaefdb8

SHA1
cf1680c2bc970d5675adbf5e89292a97e6724713

SHA256
7755ff2707ca19344d489a5acec02d9e310425fa6e100d2f13025761676b875b

SHA512
fcac79d42862da6bdd3ecad9d887a975cdff2301a8322f321be58f754a26b27077b452faa4751bbd09cd3371b4afce65255fbbb443e2c93dd2cba0ba652f4a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6F56.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6F56.tmp\ioSpecial.ini

Filesize
827B

MD5
0040c006f316a7e5f9675e16bf3a9e14

SHA1
183c25fa0a15c837fecbdc9d64c6cf206268a815

SHA256
8a7896f45ca4bb69d8849dea970b353cc6ed6dd548f68d411abf3955d3cd0913

SHA512
21901d1b79a42e8b0f3e70c425f2a2058f543ddae913c0ffdcc6e2fe9e2c5faeb119b286ec2ea4e8b233c4298f5981bf8877b62af1ec60b2a17d5f22ee584020

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6F56.tmp\ioSpecial.ini

Filesize
827B

MD5
12d3c861669dc17bf14c59136a273287

SHA1
151a94547be6db89ccf7d1b8bfdb20dfa79fc42c

SHA256
4cfa0bbc0957cbd4e92b7984afd663cc6d1a0a1968715612d4599bc08cbc88be

SHA512
ebf06fe1960b2ebb460ad8ca6dc8da7ac0ff2fddafa67f3f1f9b1b490571241a41797af25fa4f4d3bb54512fd3b9fc4716a78cd26f4679c2922801297436659a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6F56.tmp\ioSpecial.ini

Filesize
497B

MD5
c7c87b12541a29a7ab908117e69aaceb

SHA1
d7ed6ab14675ac2545699510d85507bf20cce40b

SHA256
3c0ce4f5536a3306a28dfbcec2abccd7ddf9e7fe5785aa9eb581ffc219ddaf07

SHA512
cbd9bd2c8cb30f2a8418f60a3f8f3b1cad8436a4b6afcee32413f5ca5b06c65f1b4796813ae5ebc45987ea1b761d900a7777560ac21669358569eaa4dbb41549

Download Submit
memory/2296-385-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/2296-435-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/2296-387-0x00000000015E0000-0x00000000015E1000-memory.dmp

Filesize
4KB

Download
memory/2296-372-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/2296-359-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/2296-427-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/2296-428-0x0000000008750000-0x0000000008751000-memory.dmp

Filesize
4KB

Download
memory/2296-429-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/2296-430-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/2296-431-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/2296-432-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/2296-433-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/2296-434-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/2296-394-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/2296-436-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/2296-441-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/2296-452-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

Filesize
4KB

Download
memory/2296-358-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/2296-524-0x00000000015E0000-0x00000000015E1000-memory.dmp

Filesize
4KB

Download
memory/2296-355-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/2296-314-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/2296-538-0x0000000008750000-0x0000000008751000-memory.dmp

Filesize
4KB

Download
memory/2296-573-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/5104-167-0x0000000002490000-0x0000000002493000-memory.dmp

Filesize
12KB

Download
memory/5104-137-0x0000000002490000-0x0000000002493000-memory.dmp

Filesize
12KB

Download
memory/5104-134-0x0000000002490000-0x0000000002493000-memory.dmp

Filesize
12KB

Download
memory/5104-129-0x0000000002490000-0x0000000002493000-memory.dmp

Filesize
12KB

Download