cryptbot | b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3

Analysis

max time kernel
151s
max time network
102s
platform
windows7_x64
resource
win7v200722
submitted
02-08-2020 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
Size

4.5MB
MD5

57afe7c6eae81f93e3e6a085b6bd7961
SHA1

6af9bb4cb10f0d765cf87b71f5dcfa3c5d7d61f6
SHA256

b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3
SHA512

ebd7a6029b72385d1667fa1013241dfeac19fedf2ccf1303b22105126e5de490f39af4e5a2f3dbaba462b919560fb8a421f3228c49bfb8bc569d9f8c16c40665

Score

10^/10

cryptbot danabot banker botnet discovery evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

danabot

192.236.161.25

93.115.21.108

173.234.155.181

2.56.212.137

45.153.240.84

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 19 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\OGGXOA~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\OGGXOA~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\OGGXOA~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\OGGXOA~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\OGGXOA~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\OGGXOA~1.DLL	family_danabot
C:\ProgramData\FBB86B40\DE2D7A89.dll	family_danabot
\ProgramData\FBB86B40\DE2D7A89.dll	family_danabot
\ProgramData\FBB86B40\DE2D7A89.dll	family_danabot
\ProgramData\FBB86B40\DE2D7A89.dll	family_danabot
\ProgramData\FBB86B40\DE2D7A89.dll	family_danabot
\ProgramData\FBB86B40\DE2D7A89.dll	family_danabot
\ProgramData\FBB86B40\DE2D7A89.dll	family_danabot
\ProgramData\FBB86B40\DE2D7A89.dll	family_danabot
\ProgramData\FBB86B40\DE2D7A89.dll	family_danabot
\ProgramData\FBB86B40\DE2D7A89.dll	family_danabot
\ProgramData\FBB86B40\DE2D7A89.dll	family_danabot
\ProgramData\FBB86B40\DE2D7A89.dll	family_danabot
\ProgramData\FBB86B40\DE2D7A89.dll	family_danabot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exerundll32.exe

flow pid process

4 1812 WScript.exe
6 1812 WScript.exe
8 1812 WScript.exe
35 572 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

fguvvgce.exeoggxoadpwj.exefjihnvca.exewinlogon.exe

pid process

1772 fguvvgce.exe
1976 oggxoadpwj.exe
1424 fjihnvca.exe
416 winlogon.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

flow	pid	process
4	1812	WScript.exe
6	1812	WScript.exe
8	1812	WScript.exe
35	572	rundll32.exe

pid	process
1772	fguvvgce.exe
1976	oggxoadpwj.exe
1424	fjihnvca.exe
416	winlogon.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exefguvvgce.exefjihnvca.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fguvvgce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fguvvgce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fjihnvca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fjihnvca.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exefjihnvca.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Wine	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
Key opened	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Wine	fjihnvca.exe

Loads dropped DLL 42 IoCs

Processes:

cmd.execmd.execmd.exeregsvr32.exerundll32.exerundll32.exerundll32.exerundll32.exeRUNDLL32.EXEsvchost.exerundll32.exeRUNDLL32.EXEservices.exerundll32.exeExplorer.EXE

pid	process
1832	cmd.exe
1832	cmd.exe
1612	cmd.exe
1612	cmd.exe
1636	cmd.exe
1636	cmd.exe
1820	regsvr32.exe
572	rundll32.exe
572	rundll32.exe
572	rundll32.exe
572	rundll32.exe
292	rundll32.exe
292	rundll32.exe
292	rundll32.exe
292	rundll32.exe
1040	rundll32.exe
1040	rundll32.exe
1040	rundll32.exe
1040	rundll32.exe
668	rundll32.exe
668	rundll32.exe
668	rundll32.exe
668	rundll32.exe
1636	RUNDLL32.EXE
1636	RUNDLL32.EXE
1636	RUNDLL32.EXE
1636	RUNDLL32.EXE
560	svchost.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
848	RUNDLL32.EXE
848	RUNDLL32.EXE
848	RUNDLL32.EXE
848	RUNDLL32.EXE
464	services.exe
1556	rundll32.exe
1556	rundll32.exe
1556	rundll32.exe
1556	rundll32.exe
1256	Explorer.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com

flow	ioc
16	ip-api.com

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exefjihnvca.exe

pid process

1504 Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
1424 fjihnvca.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fguvvgce.exerundll32.exeKafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fguvvgce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fguvvgce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

832 timeout.exe
1968 timeout.exe
988 timeout.exe

pid	process
832	timeout.exe
1968	timeout.exe
988	timeout.exe

Modifies data under HKEY_USERS 19 IoCs

Processes:

RUNDLL32.EXErundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	RUNDLL32.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = "127.0.0.1:8080"	RUNDLL32.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	RUNDLL32.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	RUNDLL32.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	RUNDLL32.EXE
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = "127.0.0.1:8080"	RUNDLL32.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\root	RUNDLL32.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	RUNDLL32.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "1"	RUNDLL32.EXE
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings	RUNDLL32.EXE
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = "127.0.0.1:8080"	RUNDLL32.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	RUNDLL32.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\root	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "1"	RUNDLL32.EXE
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "1"	RUNDLL32.EXE

Modifies registry class 8 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings	RUNDLL32.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Software	RUNDLL32.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Software\Microsoft	RUNDLL32.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Software\Microsoft\Windows	RUNDLL32.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion	RUNDLL32.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Internet Settings	RUNDLL32.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "1"	RUNDLL32.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = "127.0.0.1:8080"	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exeKafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exeRUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\31E448318133FC019BF9DEA89CF22372D363ABC5	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\31E448318133FC019BF9DEA89CF22372D363ABC5\Blob = 03000000010000001400000031e448318133fc019bf9dea89cf22372d363abc502000000010000003c0000001c00000000000000010000002000000000000000000000000100000074006800610077007400650020003800300020002d002000340035000000000020000000010000000703000030820303308201eba003020102021079fc447c188bada44e66cd34f0dbff17300d06092a864886f70d01010505003033311730150603550403130e746861777465203830202d203435310b3009060355040a13024e54310b3009060355040b1302454e301e170d3135303830323137333032385a170d3235303830323137333032385a3033311730150603550403130e746861777465203830202d203435310b3009060355040a13024e54310b3009060355040b1302454e30820122300d06092a864886f70d01010105000382010f003082010a0282010100c43777c455dbffe23286b23b6481babaa0e7d4c701541442d493d6ce348c38d09a0f88ecf0cf49777fe580c6e0d7234baeec44e853c7413952e36bc33f9de40a112624ab73c2b485dfc2123c45afd98764094bbfa22eb46a448a5d5bce58f8d6d6f6316a9f7a417807f71e5db26b724addd1abeb71f32e7c7b43689c3c985f4ccdfde6bee198a227ec1437e5bed31c5a6a7d530f1ba37063bce7ca85f32bf9ae839f96c3bb542593a6fa619207597ae10216b4cd83d7fcf5d2e08631813b310f970d76a26258b26e19e361a74d2a4fc9a71ebc6134e7afe3974710a7fb18e5d2d83f68d1633436c169a80d9d122529fba9b1cee578030672a02b16d3f01d1bcf0203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d010105050003820101005a0db8b992ef4e0ac7f54f50b109506b9c89aac2832f16f49b46303b41dac0f35c8461b5f978ff3c76193a6520b2e89ac54b692299f2dc57d3fb8cb3125e2c82cbbcf2c390f1d843e22f5486315d296b89e26efa154607336bbb41f67952bc8fc74eb529ca81bb23ec80b1226c753565d5897fe53d2382ec49268d30f54dea2ced8339297902d9114b256f9017dcb43ed231a6b2dd2f12a30ae5f8d33362308dca39646a94f3701039536d1f9cf391fa2eea1ddd55733afce82e64a4b785133fa40ea8611f3bfc8112cbc15b25be0b2dc3d2ff211bb7dfd8f45ea3a2c0004b62f6c09118b444f69651161ad8e31445c0ae16eea00ba27fe872fc3465036c5f0d	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exefjihnvca.exesvchost.exerundll32.exeRUNDLL32.EXE

pid	process
1504	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
1424	fjihnvca.exe
560	svchost.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
848	RUNDLL32.EXE
560	svchost.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RUNDLL32.EXErundll32.exe

description pid process

Token: SeDebugPrivilege 1636 RUNDLL32.EXE
Token: SeDebugPrivilege 668 rundll32.exe
Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

fguvvgce.exerundll32.exeExplorer.EXE

pid process

1772 fguvvgce.exe
1772 fguvvgce.exe
668 rundll32.exe
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1636	RUNDLL32.EXE
Token: SeDebugPrivilege	668	rundll32.exe

pid	process
1772	fguvvgce.exe
1772	fguvvgce.exe
668	rundll32.exe
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.execmd.execmd.exefguvvgce.execmd.execmd.execmd.exeoggxoadpwj.exefjihnvca.execmd.exeregsvr32.exe

description	pid	process	target process
PID 1504 wrote to memory of 1520	1504	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe	cmd.exe
PID 1504 wrote to memory of 1520	1504	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe	cmd.exe
PID 1504 wrote to memory of 1520	1504	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe	cmd.exe
PID 1504 wrote to memory of 1520	1504	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe	cmd.exe
PID 1520 wrote to memory of 1812	1520	cmd.exe	WScript.exe
PID 1520 wrote to memory of 1812	1520	cmd.exe	WScript.exe
PID 1520 wrote to memory of 1812	1520	cmd.exe	WScript.exe
PID 1520 wrote to memory of 1812	1520	cmd.exe	WScript.exe
PID 1504 wrote to memory of 1832	1504	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe	cmd.exe
PID 1504 wrote to memory of 1832	1504	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe	cmd.exe
PID 1504 wrote to memory of 1832	1504	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe	cmd.exe
PID 1504 wrote to memory of 1832	1504	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe	cmd.exe
PID 1832 wrote to memory of 1772	1832	cmd.exe	fguvvgce.exe
PID 1832 wrote to memory of 1772	1832	cmd.exe	fguvvgce.exe
PID 1832 wrote to memory of 1772	1832	cmd.exe	fguvvgce.exe
PID 1832 wrote to memory of 1772	1832	cmd.exe	fguvvgce.exe
PID 1772 wrote to memory of 2000	1772	fguvvgce.exe	cmd.exe
PID 1772 wrote to memory of 2000	1772	fguvvgce.exe	cmd.exe
PID 1772 wrote to memory of 2000	1772	fguvvgce.exe	cmd.exe
PID 2000 wrote to memory of 832	2000	cmd.exe	timeout.exe
PID 2000 wrote to memory of 832	2000	cmd.exe	timeout.exe
PID 2000 wrote to memory of 832	2000	cmd.exe	timeout.exe
PID 1504 wrote to memory of 1612	1504	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe	cmd.exe
PID 1504 wrote to memory of 1612	1504	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe	cmd.exe
PID 1504 wrote to memory of 1612	1504	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe	cmd.exe
PID 1504 wrote to memory of 1612	1504	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe	cmd.exe
PID 1612 wrote to memory of 1976	1612	cmd.exe	oggxoadpwj.exe
PID 1612 wrote to memory of 1976	1612	cmd.exe	oggxoadpwj.exe
PID 1612 wrote to memory of 1976	1612	cmd.exe	oggxoadpwj.exe
PID 1612 wrote to memory of 1976	1612	cmd.exe	oggxoadpwj.exe
PID 1504 wrote to memory of 1636	1504	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe	cmd.exe
PID 1504 wrote to memory of 1636	1504	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe	cmd.exe
PID 1504 wrote to memory of 1636	1504	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe	cmd.exe
PID 1504 wrote to memory of 1636	1504	Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe	cmd.exe
PID 1636 wrote to memory of 1424	1636	cmd.exe	fjihnvca.exe
PID 1636 wrote to memory of 1424	1636	cmd.exe	fjihnvca.exe
PID 1636 wrote to memory of 1424	1636	cmd.exe	fjihnvca.exe
PID 1636 wrote to memory of 1424	1636	cmd.exe	fjihnvca.exe
PID 1976 wrote to memory of 1820	1976	oggxoadpwj.exe	regsvr32.exe
PID 1976 wrote to memory of 1820	1976	oggxoadpwj.exe	regsvr32.exe
PID 1976 wrote to memory of 1820	1976	oggxoadpwj.exe	regsvr32.exe
PID 1976 wrote to memory of 1820	1976	oggxoadpwj.exe	regsvr32.exe
PID 1976 wrote to memory of 1820	1976	oggxoadpwj.exe	regsvr32.exe
PID 1976 wrote to memory of 1820	1976	oggxoadpwj.exe	regsvr32.exe
PID 1976 wrote to memory of 1820	1976	oggxoadpwj.exe	regsvr32.exe
PID 1424 wrote to memory of 1880	1424	fjihnvca.exe	cmd.exe
PID 1424 wrote to memory of 1880	1424	fjihnvca.exe	cmd.exe
PID 1424 wrote to memory of 1880	1424	fjihnvca.exe	cmd.exe
PID 1424 wrote to memory of 1880	1424	fjihnvca.exe	cmd.exe
PID 1880 wrote to memory of 1968	1880	cmd.exe	timeout.exe
PID 1880 wrote to memory of 1968	1880	cmd.exe	timeout.exe
PID 1880 wrote to memory of 1968	1880	cmd.exe	timeout.exe
PID 1880 wrote to memory of 1968	1880	cmd.exe	timeout.exe
PID 1820 wrote to memory of 572	1820	regsvr32.exe	rundll32.exe
PID 1820 wrote to memory of 572	1820	regsvr32.exe	rundll32.exe
PID 1820 wrote to memory of 572	1820	regsvr32.exe	rundll32.exe
PID 1820 wrote to memory of 572	1820	regsvr32.exe	rundll32.exe
PID 1820 wrote to memory of 572	1820	regsvr32.exe	rundll32.exe
PID 1820 wrote to memory of 572	1820	regsvr32.exe	rundll32.exe
PID 1820 wrote to memory of 572	1820	regsvr32.exe	rundll32.exe
PID 1424 wrote to memory of 1716	1424	fjihnvca.exe	cmd.exe
PID 1424 wrote to memory of 1716	1424	fjihnvca.exe	cmd.exe
PID 1424 wrote to memory of 1716	1424	fjihnvca.exe	cmd.exe
PID 1424 wrote to memory of 1716	1424	fjihnvca.exe	cmd.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Executes dropped EXE
PID:416

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Loads dropped DLL
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:560

C:\Windows\syswow64\rundll32.exe
C:\Windows\syswow64\rundll32.exe C:\ProgramData\FBB86B40\DE2D7A89.dll,f3
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Windows\system32\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\FBB86B40\BBCA9D37.dll,f7
3⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:848

C:\Windows\syswow64\rundll32.exe
C:\Windows\syswow64\rundll32.exe C:\ProgramData\FBB86B40\DE2D7A89.dll,f2 E48E292D52AA1264BCBA6B30A9CB2113
3⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:1556

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1256

C:\Users\Admin\AppData\Local\Temp\Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
"C:\Users\Admin\AppData\Local\Temp\Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe"
2⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\qbmdeiqfftpf.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qbmdeiqfftpf.vbs"
4⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:1812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\fguvvgce.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\fguvvgce.exe
"C:\Users\Admin\AppData\Local\Temp\fguvvgce.exe"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\OevYuCEg & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\fguvvgce.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\oggxoadpwj.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Temp\oggxoadpwj.exe
"C:\Users\Admin\AppData\Local\Temp\oggxoadpwj.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\OGGXOA~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\OGGXOA~1.EXE@1976
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\OGGXOA~1.DLL,f0
6⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:572

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\\rundll32.exe C:\PROGRA~3\FBB86B40\BBCA9D37.dll,f1 C:\Users\Admin\AppData\Local\Temp\OGGXOA~1.DLL@572
7⤵
- Loads dropped DLL
PID:292

C:\Windows\system32\rundll32.exe
C:\Windows\system32\\rundll32.exe C:\PROGRA~3\FBB86B40\BBCA9D37.dll,f1 C:\Users\Admin\AppData\Local\Temp\OGGXOA~1.DLL@572
8⤵
- Loads dropped DLL
PID:1040

C:\Windows\syswow64\rundll32.exe
C:\Windows\syswow64\rundll32.exe C:\ProgramData\FBB86B40\DE2D7A89.dll,f2 F709AA619059A3AAB3E71D0ADA462372
9⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:668

C:\Windows\system32\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\FBB86B40\BBCA9D37.dll,f2 1FCAAAC36182D72B5B244331A7421701
9⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\fjihnvca.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\fjihnvca.exe
"C:\Users\Admin\AppData\Local\Temp\fjihnvca.exe"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\tpjgwsutbagar & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\fjihnvca.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:1968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\tpjgwsutbagar & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\fjihnvca.exe"
5⤵
PID:1716

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
C:\ProgramData\FBB86B40\146C4C64\459A85CF958068F9C8F8A3FEB471F530
MD5
37eb7542d1e7c3b4881ea7f26f93d7f3

SHA1
08d8cae9761529f256f8fc0d46c4d3a680f2c639

SHA256
3edb81a5f8de4952757985b2609983ce9757db8cdb8e3bf9d0388e43db89203c

SHA512
48013154d6a87510e9e3fda06c72a60ce1cc4e06a0dc495c5cb2f16b2a1e438894318fe0892000af72b8d933f5a191107253462371901ce3118d9233ab146496

Download Submit
C:\ProgramData\FBB86B40\146C4C64\B2A49B56DAC6C4CD21FDA9F6B22A0650
MD5
aa397de2d8dac83acd30efafdac94c45

SHA1
2968c2c7b5c254f68bdc1ebdeb0fc3d1bca6f097

SHA256
1733192a24a853bd96c897f7346a64cec73b7f11d0cab334f75a40bcdfc3e9ae

SHA512
945258fee14d0be93e775837ee5b73ada45b7067241b381c995b291ab9e3f8ffdab8a351984fcbaa5beb903fe77282a8547014473cedf55958fb4fd00787a8fd

Download Submit
C:\ProgramData\FBB86B40\6376EEB6
MD5
5566454e16b0aded19a111de768049b8

SHA1
2f663f4c913de62f87aef0496912b266fb4a3024

SHA256
e8c92b70a3d602ec66d986b15f43ca3fc886590b2beca66194ae4d8978bcc336

SHA512
a00ddbfbc0770626cdb6698dea7b70dee45a2be2ad1a218c0ef7b98e055f838630bf2b05daa6549fef2866e4347fedc2b5c568cb0ea79610e5c0f535781bf803

Download Submit
C:\ProgramData\FBB86B40\750AEC6D
MD5
c19c5d1510456d0965e7e343f08bfbe3

SHA1
39b9070cb4deadbacc1730274a632bd38dcc3cdf

SHA256
27a65eee4a08d91d25444a5982b0c773fdc2e0d57f9ef55d43360ec5638d1f50

SHA512
938f3443066e6c1bf69953f44eb4a974b6c460157bad39a0d6773337aec5619ff187bab32f542244d5b267db8f96e76a8ad2e4d8ab56d2fe7b737a699676ccb9

Download Submit
C:\ProgramData\FBB86B40\DE2D7A89.dll
MD5
3a308ba239d9c42cb9ec86227bb36854

SHA1
1cc406fffff68c335f6941f82eff11811032ac77

SHA256
9822622dc4337441208ee426a62a9b6de2547d60e2ec3be11d341f2d8417bdf7

SHA512
25488c69989e292f03f2417e344ecf2da119accb94d4e1fee26ea69c31362256b67d3ab27681476b4054ff785ca01038273ed50698c48e320e949e904242816a

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f59c5b2588c27ca9bc6c4c7a269cfcda_750d7400-3b08-415e-a8b0-2695d81425f5
MD5
2352b375e1c3779ad9168ad1fe49fc4b

SHA1
324470cab9c1f7fc7d0a0da1b44a23de6e90a489

SHA256
679273e331fd30a237da2433ab519e7d0b5975449c30c8e7d8f44ba38307b1e3

SHA512
54088803ad855c162e00572456f797c83474a5ca51430de85b704b21f7d892280bce7a16a9586ba9e3efefd747432f382acf42ffe07d8d571a476b7696d04b3b

Download Submit
C:\ProgramData\tpjgwsutbagar\46173476.txt
MD5
6aea9873623c3b7b0ce802ad70b74e17

SHA1
07042fef0d1ac71b9e296a086ba5da59981145bc

SHA256
bd171ee3f8497bd70d4e0cb804c2b68e918b3e208d8899222c258a2b7c1e2704

SHA512
e94705687e429d143527379d940af52985c30ddffac13b766489c9bc4594f8d28cebc77aba84a5dcb6d03744ff3dd5684d988f3a48d02fa1118ad6d4e05bb6d8

Download Submit
C:\ProgramData\tpjgwsutbagar\8372422.txt
MD5
550cc6486c1ac1d65c8f1b14517a8294

SHA1
6f7b60b1f5b90ac815ab56c78cd7a5de05311fe1

SHA256
176bf49d4a7f854a30e1fb19acc33650ad5531a95bba23a9b7108b0129d15e9b

SHA512
eb29aefebe6d2ce5d06082c9ea8750de5cf5141e51ecc39457362bd4e8c1ec0313801f805b8b7ef6eaaf24d3e6b5d3ed2912216728ed5308165c00b17dc6f726

Download Submit
C:\ProgramData\tpjgwsutbagar\Files\_INFOR~1.TXT
MD5
27c1bbd911bdd6c2448710d9ddef5977

SHA1
7429b2e65685e685310a781386034a946b3f6d68

SHA256
47c57c249cc91d32ec29f88fe287207f477831fc815292b82a5ed486e13736fa

SHA512
d70ae28a3d76be0ddde3690eb67b7f91f6acb1ecff3080bb43469c82c4e68aec297e81db53cfdf0dab03f5ae01d39e2c2957b1be342f00b7006e99addbda3483

Download Submit
C:\ProgramData\tpjgwsutbagar\NL_202~1.ZIP
MD5
29b176424e417e365090d2f720a3c4a4

SHA1
d018fa55832ff162380a974e6476c3cc9226b725

SHA256
b98df766c695b69fcd6178e0a514881473ba37a6498df8f0c96ff4e2c67a826d

SHA512
00d6b869c3a06a630bba8fffb6cedc5d6275cfcdfe398eb6fb9f1d70b6f7c50adb662706ad85206d199e56cc8e1c0a3c879ffa8426a58a51f0aa086f7b9f2561

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C954CE05407CAD0B91F1461CBC854DCE
MD5
6d53f0078c1e36e7caeff65f6f0c167a

SHA1
a2bfc7490792580d2a861397d3c91e122db702b9

SHA256
b928c3b4d18b3f77f36620446cb8379942909bcc67e82615573b764a65945d21

SHA512
0faf6aa043fc7acd078dc9db69edb548945ddd2fc29529da46d0e7bb74a51c86ac8e085262f10131ed5519c44f3459aac80b53628d37da7e6bd8500434e9ff1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
MD5
ba91fa99bddc13778ce0dbd032cb20a2

SHA1
68816ebf91465f56605a17ebab694c936e472578

SHA256
b351719ae12633a2e3deef7b7078d9400e309a3bcd6c199424a5293dc2780e87

SHA512
842d75a8da42f8a552998dd0b47d61d9544d7eb3f3c8f4d39d34f015d0218de4920b1db8b49c7213676b2c6e2238b91247e6c59b73d46f0e2a23a941809f6a03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
268628228ed033eb6ac5e4653d6381dd

SHA1
c7c528d4cf964af096c8f474c52338777446f460

SHA256
917bdc479a3aa82de8d2da5733959c377184cda38f9e4ab5bfcb82a6aa60018a

SHA512
652afe608909f48e976ca9ad47210d944c7223b483ba2de1835c03a093e24976fdf637d92589722e6805cf8ba25309aafc292aaf0c9828b190eebab1eed80e02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C954CE05407CAD0B91F1461CBC854DCE
MD5
e639d23e0c7258d0fcb4671ed83de439

SHA1
ac50455610a2fd723352b6dde6d02b7d872794af

SHA256
65f52fd67a90a6514c4f8db534fd872f89ab094d78b74962d56df5350624d58e

SHA512
0aaaec16c4252a9731c1b77de61841178cc996952bae11ceb39e374460b43fd64e34a98d2455221dec665a08456ac1ee2a5d3dd5129b2fd0ee81df09c0d4dace

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
MD5
b8373fe39e6a1b47fa13f84fb7a5bd3f

SHA1
333d12cf0042f5943aac53e22b38e6de423301ab

SHA256
480a9a29f8638e030d9e2bcce9cbe212fb3f3cc586bafd220e08d46ceeb8a89c

SHA512
16740e90c87246578677d397a228be2a9e6fd46a07a537266164edec51df505e46424b8e8e9410071db12c96caa21765d601cfd77f395a99e39189f267461655

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGGXOA~1.DLL
MD5
c5f6f2592a5ffd5a46a3d307e576fa19

SHA1
624832b47d9c08483b6b322a6232a496b42b65e2

SHA256
e550012563427d5d9e49661e06fb0fc857178963cf3b1b65073d20b327dd89e4

SHA512
cb4bb9bcd9945feef29b636ca70b7b652fdff68e22b0ed5aff7098693d9953e45f490ba3bd8c0544be8e3826ba8df5a6f37b688b7281dc4b0d5d0b4735fa1f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OevYuCEg\4aea3.tmp
MD5
81db1710bb13da3343fc0df9f00be49f

SHA1
9b1f17e936d28684ffdfa962340c8872512270bb

SHA256
9f37c9eaf023f2308af24f412cbd850330c4ef476a3f2e2078a95e38d0facabb

SHA512
cf92d6c3109dab31ef028724f21bab120cf2f08f7139e55100292b266a363e579d14507f1865d5901e4b485947be22574d1dba815de2886c118739c3370801f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OevYuCEg\CVHWAK~1.ZIP
MD5
1a8e57b37345bee2ed2ec32262484298

SHA1
5ceb89696bb62bb3208f84f1c7c22f2b2c19104d

SHA256
603dfd30e66911e9b74db50102ec158493053eb352868de325502ca294f1c693

SHA512
391677fb4d0c48459bb0503c777e45b39aff744891d0fc8b68ae9f351e897d740eaeef8833c7b5abdb49e3575daa203a626b9b73d90a3b04f6ae2ff56865a06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OevYuCEg\MY22T4~1.ZIP
MD5
062950ccca2e8952d38a6981dae8a6b7

SHA1
ad0d95780cb7a9a1f669b8315d1102c7db2b38dc

SHA256
b3a09bd30fa08db4e2b4d8f54e21c0017f27467e864e321f371ade5930e1bd4c

SHA512
61885fa1dee51e18b94d9bb0e4e2bf5bedca647b2f6511d0c6b14764ec110fc0aea1ee1c3142dc8646e716470e15561409186bc95e51de82584719fa65c78135

Download Submit
C:\Users\Admin\AppData\Local\Temp\OevYuCEg\TKseHe.tmp
MD5
6ac6728efdfbcfcc575febe94135c779

SHA1
592b8fa7134ab0c3a3e9c24a2a084d14e24f61af

SHA256
194cf6c114d471d44761ac8cfe4e690f9bb7fd49e2fe3f2a83a1706700447dd5

SHA512
0bfa3657ef9493207d413e37944ef620c54077f531731bcdecd38d2298c478692b703a2261273b2a72dfe3b15281de3d351079b454fc7a6a1ca8887539a2ef60

Download Submit
C:\Users\Admin\AppData\Local\Temp\OevYuCEg\_Files\_INFOR~1.TXT
MD5
9c416d4fef4437a9e5944f6cfdea357b

SHA1
468e2d33cc3d64e1e48c7c1b1c8872fa3ce60a4e

SHA256
2ba33158f41c0eb33718036db8fdb21968d66e9b1f3611f36731c3a74037cba7

SHA512
0809490f24dd047f8b3e6a2ebd8e12b88cbc17a82bb2455f24a2e22251b579b2f08948fdb03ab72fe27529b6ca9222fe8a1a5aa9afdb1d1b1b3c56b8c27b1d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OevYuCEg\_Files\_SCREE~1.JPE
MD5
ce079e2e27700be1f88a809968ca2f5f

SHA1
6f51e118724bd32c535622c4dbee10782df46a10

SHA256
84188c8b2481402325eb67455e241f18f8232018d6a0877767c9d3544f54b83a

SHA512
321b57884a2b60deedbceb0a84ac24c975ab3ce126d74788da0ea7d7f4b1c78dfad05e513af06fa708f4b3df3d439f28c5eae87b574c08b1f3910c5cc2280d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OevYuCEg\e4Q1k.tmp
MD5
6ac6728efdfbcfcc575febe94135c779

SHA1
592b8fa7134ab0c3a3e9c24a2a084d14e24f61af

SHA256
194cf6c114d471d44761ac8cfe4e690f9bb7fd49e2fe3f2a83a1706700447dd5

SHA512
0bfa3657ef9493207d413e37944ef620c54077f531731bcdecd38d2298c478692b703a2261273b2a72dfe3b15281de3d351079b454fc7a6a1ca8887539a2ef60

Download Submit
C:\Users\Admin\AppData\Local\Temp\OevYuCEg\eb3Qq.tmp
MD5
3219ca933d97df8f5931ef68b7eedf04

SHA1
d79fee14cbde4e92447996c9fb37adcb673b6138

SHA256
21de8dd11459659421ba1dbc554c15a3756ff1a38cc797a139d407f1f94092b4

SHA512
a3cfcc17612975c5630b49736f4b535555d06b23e3523e46495020b8b55b2361c4b5ef39fe649273f2d323be0ec138707e67dc59eb719ba8ef676439491662ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\OevYuCEg\files_\SCREEN~1.JPG
MD5
ce079e2e27700be1f88a809968ca2f5f

SHA1
6f51e118724bd32c535622c4dbee10782df46a10

SHA256
84188c8b2481402325eb67455e241f18f8232018d6a0877767c9d3544f54b83a

SHA512
321b57884a2b60deedbceb0a84ac24c975ab3ce126d74788da0ea7d7f4b1c78dfad05e513af06fa708f4b3df3d439f28c5eae87b574c08b1f3910c5cc2280d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OevYuCEg\files_\SYSTEM~1.TXT
MD5
2dd6d7fdcfcfd032ec0c8fccab43983b

SHA1
480c09d118085bc72d95af53a5991d6d195768c3

SHA256
8e0006f20a8cfaa736298029697143ea5a80c2e3487729bc59b04b68e1638a76

SHA512
f4f1600b65582b5d9ad8866bd806c3ce5b3d64ddf486527f22a7075d90fff1e57f9e447346d27c4899d07840b40a98b7f1d5e3688a5f1ec7367e789cb62b656d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OevYuCEg\i1ebE.tmp
MD5
81db1710bb13da3343fc0df9f00be49f

SHA1
9b1f17e936d28684ffdfa962340c8872512270bb

SHA256
9f37c9eaf023f2308af24f412cbd850330c4ef476a3f2e2078a95e38d0facabb

SHA512
cf92d6c3109dab31ef028724f21bab120cf2f08f7139e55100292b266a363e579d14507f1865d5901e4b485947be22574d1dba815de2886c118739c3370801f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OevYuCEg\iJcW.tmp
MD5
3219ca933d97df8f5931ef68b7eedf04

SHA1
d79fee14cbde4e92447996c9fb37adcb673b6138

SHA256
21de8dd11459659421ba1dbc554c15a3756ff1a38cc797a139d407f1f94092b4

SHA512
a3cfcc17612975c5630b49736f4b535555d06b23e3523e46495020b8b55b2361c4b5ef39fe649273f2d323be0ec138707e67dc59eb719ba8ef676439491662ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\fguvvgce.exe
MD5
64d3edf1a6cd37e9e2193c0e1fc50220

SHA1
9e5863b0e717030db247fa3ff6dead07710d5ab5

SHA256
b56d450c7ccbccb915ca8006bfc0fc41037cd850dd799c77275eab397ef61772

SHA512
0ff5c9fef715ba203de9c239d53e99baff932e35a03b94f21369410d425f4deed0c4a7f17f6d483ffaee2acf706c031cca62b0f86f31d94c6bf704d996f68abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fguvvgce.exe
MD5
64d3edf1a6cd37e9e2193c0e1fc50220

SHA1
9e5863b0e717030db247fa3ff6dead07710d5ab5

SHA256
b56d450c7ccbccb915ca8006bfc0fc41037cd850dd799c77275eab397ef61772

SHA512
0ff5c9fef715ba203de9c239d53e99baff932e35a03b94f21369410d425f4deed0c4a7f17f6d483ffaee2acf706c031cca62b0f86f31d94c6bf704d996f68abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjihnvca.exe
MD5
4ae0c9b59c3c7538e9632c14a6d97727

SHA1
85b4c2cb7fe6b82e7b9a2637f7e0728174525fbe

SHA256
3cfc1b1dbb8c88e43226b5b66d65124bcb848e76f806a934b5f94cde3d17acdd

SHA512
a0e852e73255ff9dae670796a8d086aca08a82f2cc15592da2ee910186d8e19e5db1124aafcac1bdaf031e10e7021d99f3253106d656fa56d86f83f6f78f3c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjihnvca.exe
MD5
4ae0c9b59c3c7538e9632c14a6d97727

SHA1
85b4c2cb7fe6b82e7b9a2637f7e0728174525fbe

SHA256
3cfc1b1dbb8c88e43226b5b66d65124bcb848e76f806a934b5f94cde3d17acdd

SHA512
a0e852e73255ff9dae670796a8d086aca08a82f2cc15592da2ee910186d8e19e5db1124aafcac1bdaf031e10e7021d99f3253106d656fa56d86f83f6f78f3c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oggxoadpwj.exe
MD5
bd9e98d20218c704152085ea321b9d47

SHA1
b1d8032b68be325359a13a6087a96d583d1c1aa9

SHA256
ba121457671229b82142650afce9511c4e9badbb6eb13bdec61b6e40769e2339

SHA512
62c73315b441e5a9487d6289c71c32466b619b9acafd2f58a395968af5dcdcbdca13a5cbda011b11f5aecd33ee7a257757eb2638c5bf0680437fa7a499325d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\oggxoadpwj.exe
MD5
bd9e98d20218c704152085ea321b9d47

SHA1
b1d8032b68be325359a13a6087a96d583d1c1aa9

SHA256
ba121457671229b82142650afce9511c4e9badbb6eb13bdec61b6e40769e2339

SHA512
62c73315b441e5a9487d6289c71c32466b619b9acafd2f58a395968af5dcdcbdca13a5cbda011b11f5aecd33ee7a257757eb2638c5bf0680437fa7a499325d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbmdeiqfftpf.vbs
MD5
e83d8baa27699beb536f7cfa3eeefe82

SHA1
e52c440c7188528ac5b1879ceed4db4ea19bd0ac

SHA256
f500a1b6e1e79802bfc890049c6280d17dfb8fa42073d0581bd68f87cb9fafbc

SHA512
18b0a9d5d1734e91336d33b977971cfa8efa048c5c69c5f8ad2dd3f924d8b27e4c3bf7c068a08dcb194b853905c3d6c935011b329a85be1e5a36c15ffa51df62

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\PROGRA~3\FBB86B40\BBCA9D37.dll
MD5
63a93ec41cc87f43620a12ad261ad9a3

SHA1
53c321b547464354f091369e1e50622a210e536d

SHA256
0e954e50435383334cbc792223cb9cf932e905a63216e43a8be0fa2d151d31de

SHA512
f02e762cce96e66dc2aeea9445c7593443d83492cc1f25ce47b9bf65b759c0c69b409ce7fec51102bc85e2cda719ca8ef5d2434e6f447002717f7407a7d8b007

Download Submit
\ProgramData\FBB86B40\DE2D7A89.dll
MD5
3a308ba239d9c42cb9ec86227bb36854

SHA1
1cc406fffff68c335f6941f82eff11811032ac77

SHA256
9822622dc4337441208ee426a62a9b6de2547d60e2ec3be11d341f2d8417bdf7

SHA512
25488c69989e292f03f2417e344ecf2da119accb94d4e1fee26ea69c31362256b67d3ab27681476b4054ff785ca01038273ed50698c48e320e949e904242816a

Download Submit
\ProgramData\FBB86B40\DE2D7A89.dll
MD5
3a308ba239d9c42cb9ec86227bb36854

SHA1
1cc406fffff68c335f6941f82eff11811032ac77

SHA256
9822622dc4337441208ee426a62a9b6de2547d60e2ec3be11d341f2d8417bdf7

SHA512
25488c69989e292f03f2417e344ecf2da119accb94d4e1fee26ea69c31362256b67d3ab27681476b4054ff785ca01038273ed50698c48e320e949e904242816a

Download Submit
\ProgramData\FBB86B40\DE2D7A89.dll
MD5
3a308ba239d9c42cb9ec86227bb36854

SHA1
1cc406fffff68c335f6941f82eff11811032ac77

SHA256
9822622dc4337441208ee426a62a9b6de2547d60e2ec3be11d341f2d8417bdf7

SHA512
25488c69989e292f03f2417e344ecf2da119accb94d4e1fee26ea69c31362256b67d3ab27681476b4054ff785ca01038273ed50698c48e320e949e904242816a

Download Submit
\ProgramData\FBB86B40\DE2D7A89.dll
MD5
3a308ba239d9c42cb9ec86227bb36854

SHA1
1cc406fffff68c335f6941f82eff11811032ac77

SHA256
9822622dc4337441208ee426a62a9b6de2547d60e2ec3be11d341f2d8417bdf7

SHA512
25488c69989e292f03f2417e344ecf2da119accb94d4e1fee26ea69c31362256b67d3ab27681476b4054ff785ca01038273ed50698c48e320e949e904242816a

Download Submit
\ProgramData\FBB86B40\DE2D7A89.dll
MD5
3a308ba239d9c42cb9ec86227bb36854

SHA1
1cc406fffff68c335f6941f82eff11811032ac77

SHA256
9822622dc4337441208ee426a62a9b6de2547d60e2ec3be11d341f2d8417bdf7

SHA512
25488c69989e292f03f2417e344ecf2da119accb94d4e1fee26ea69c31362256b67d3ab27681476b4054ff785ca01038273ed50698c48e320e949e904242816a

Download Submit
\ProgramData\FBB86B40\DE2D7A89.dll
MD5
3a308ba239d9c42cb9ec86227bb36854

SHA1
1cc406fffff68c335f6941f82eff11811032ac77

SHA256
9822622dc4337441208ee426a62a9b6de2547d60e2ec3be11d341f2d8417bdf7

SHA512
25488c69989e292f03f2417e344ecf2da119accb94d4e1fee26ea69c31362256b67d3ab27681476b4054ff785ca01038273ed50698c48e320e949e904242816a

Download Submit
\ProgramData\FBB86B40\DE2D7A89.dll
MD5
3a308ba239d9c42cb9ec86227bb36854

SHA1
1cc406fffff68c335f6941f82eff11811032ac77

SHA256
9822622dc4337441208ee426a62a9b6de2547d60e2ec3be11d341f2d8417bdf7

SHA512
25488c69989e292f03f2417e344ecf2da119accb94d4e1fee26ea69c31362256b67d3ab27681476b4054ff785ca01038273ed50698c48e320e949e904242816a

Download Submit
\ProgramData\FBB86B40\DE2D7A89.dll
MD5
3a308ba239d9c42cb9ec86227bb36854

SHA1
1cc406fffff68c335f6941f82eff11811032ac77

SHA256
9822622dc4337441208ee426a62a9b6de2547d60e2ec3be11d341f2d8417bdf7

SHA512
25488c69989e292f03f2417e344ecf2da119accb94d4e1fee26ea69c31362256b67d3ab27681476b4054ff785ca01038273ed50698c48e320e949e904242816a

Download Submit
\ProgramData\FBB86B40\DE2D7A89.dll
MD5
3a308ba239d9c42cb9ec86227bb36854

SHA1
1cc406fffff68c335f6941f82eff11811032ac77

SHA256
9822622dc4337441208ee426a62a9b6de2547d60e2ec3be11d341f2d8417bdf7

SHA512
25488c69989e292f03f2417e344ecf2da119accb94d4e1fee26ea69c31362256b67d3ab27681476b4054ff785ca01038273ed50698c48e320e949e904242816a

Download Submit
\ProgramData\FBB86B40\DE2D7A89.dll
MD5
3a308ba239d9c42cb9ec86227bb36854

SHA1
1cc406fffff68c335f6941f82eff11811032ac77

SHA256
9822622dc4337441208ee426a62a9b6de2547d60e2ec3be11d341f2d8417bdf7

SHA512
25488c69989e292f03f2417e344ecf2da119accb94d4e1fee26ea69c31362256b67d3ab27681476b4054ff785ca01038273ed50698c48e320e949e904242816a

Download Submit
\ProgramData\FBB86B40\DE2D7A89.dll
MD5
3a308ba239d9c42cb9ec86227bb36854

SHA1
1cc406fffff68c335f6941f82eff11811032ac77

SHA256
9822622dc4337441208ee426a62a9b6de2547d60e2ec3be11d341f2d8417bdf7

SHA512
25488c69989e292f03f2417e344ecf2da119accb94d4e1fee26ea69c31362256b67d3ab27681476b4054ff785ca01038273ed50698c48e320e949e904242816a

Download Submit
\ProgramData\FBB86B40\DE2D7A89.dll
MD5
3a308ba239d9c42cb9ec86227bb36854

SHA1
1cc406fffff68c335f6941f82eff11811032ac77

SHA256
9822622dc4337441208ee426a62a9b6de2547d60e2ec3be11d341f2d8417bdf7

SHA512
25488c69989e292f03f2417e344ecf2da119accb94d4e1fee26ea69c31362256b67d3ab27681476b4054ff785ca01038273ed50698c48e320e949e904242816a

Download Submit
\Users\Admin\AppData\Local\Temp\OGGXOA~1.DLL
MD5
c5f6f2592a5ffd5a46a3d307e576fa19

SHA1
624832b47d9c08483b6b322a6232a496b42b65e2

SHA256
e550012563427d5d9e49661e06fb0fc857178963cf3b1b65073d20b327dd89e4

SHA512
cb4bb9bcd9945feef29b636ca70b7b652fdff68e22b0ed5aff7098693d9953e45f490ba3bd8c0544be8e3826ba8df5a6f37b688b7281dc4b0d5d0b4735fa1f7b

Download Submit
\Users\Admin\AppData\Local\Temp\OGGXOA~1.DLL
MD5
c5f6f2592a5ffd5a46a3d307e576fa19

SHA1
624832b47d9c08483b6b322a6232a496b42b65e2

SHA256
e550012563427d5d9e49661e06fb0fc857178963cf3b1b65073d20b327dd89e4

SHA512
cb4bb9bcd9945feef29b636ca70b7b652fdff68e22b0ed5aff7098693d9953e45f490ba3bd8c0544be8e3826ba8df5a6f37b688b7281dc4b0d5d0b4735fa1f7b

Download Submit
\Users\Admin\AppData\Local\Temp\OGGXOA~1.DLL
MD5
c5f6f2592a5ffd5a46a3d307e576fa19

SHA1
624832b47d9c08483b6b322a6232a496b42b65e2

SHA256
e550012563427d5d9e49661e06fb0fc857178963cf3b1b65073d20b327dd89e4

SHA512
cb4bb9bcd9945feef29b636ca70b7b652fdff68e22b0ed5aff7098693d9953e45f490ba3bd8c0544be8e3826ba8df5a6f37b688b7281dc4b0d5d0b4735fa1f7b

Download Submit
\Users\Admin\AppData\Local\Temp\OGGXOA~1.DLL
MD5
c5f6f2592a5ffd5a46a3d307e576fa19

SHA1
624832b47d9c08483b6b322a6232a496b42b65e2

SHA256
e550012563427d5d9e49661e06fb0fc857178963cf3b1b65073d20b327dd89e4

SHA512
cb4bb9bcd9945feef29b636ca70b7b652fdff68e22b0ed5aff7098693d9953e45f490ba3bd8c0544be8e3826ba8df5a6f37b688b7281dc4b0d5d0b4735fa1f7b

Download Submit
\Users\Admin\AppData\Local\Temp\OGGXOA~1.DLL
MD5
c5f6f2592a5ffd5a46a3d307e576fa19

SHA1
624832b47d9c08483b6b322a6232a496b42b65e2

SHA256
e550012563427d5d9e49661e06fb0fc857178963cf3b1b65073d20b327dd89e4

SHA512
cb4bb9bcd9945feef29b636ca70b7b652fdff68e22b0ed5aff7098693d9953e45f490ba3bd8c0544be8e3826ba8df5a6f37b688b7281dc4b0d5d0b4735fa1f7b

Download Submit
\Users\Admin\AppData\Local\Temp\fguvvgce.exe
MD5
64d3edf1a6cd37e9e2193c0e1fc50220

SHA1
9e5863b0e717030db247fa3ff6dead07710d5ab5

SHA256
b56d450c7ccbccb915ca8006bfc0fc41037cd850dd799c77275eab397ef61772

SHA512
0ff5c9fef715ba203de9c239d53e99baff932e35a03b94f21369410d425f4deed0c4a7f17f6d483ffaee2acf706c031cca62b0f86f31d94c6bf704d996f68abb

Download Submit
\Users\Admin\AppData\Local\Temp\fguvvgce.exe
MD5
64d3edf1a6cd37e9e2193c0e1fc50220

SHA1
9e5863b0e717030db247fa3ff6dead07710d5ab5

SHA256
b56d450c7ccbccb915ca8006bfc0fc41037cd850dd799c77275eab397ef61772

SHA512
0ff5c9fef715ba203de9c239d53e99baff932e35a03b94f21369410d425f4deed0c4a7f17f6d483ffaee2acf706c031cca62b0f86f31d94c6bf704d996f68abb

Download Submit
\Users\Admin\AppData\Local\Temp\fjihnvca.exe
MD5
4ae0c9b59c3c7538e9632c14a6d97727

SHA1
85b4c2cb7fe6b82e7b9a2637f7e0728174525fbe

SHA256
3cfc1b1dbb8c88e43226b5b66d65124bcb848e76f806a934b5f94cde3d17acdd

SHA512
a0e852e73255ff9dae670796a8d086aca08a82f2cc15592da2ee910186d8e19e5db1124aafcac1bdaf031e10e7021d99f3253106d656fa56d86f83f6f78f3c9a

Download Submit
\Users\Admin\AppData\Local\Temp\fjihnvca.exe
MD5
4ae0c9b59c3c7538e9632c14a6d97727

SHA1
85b4c2cb7fe6b82e7b9a2637f7e0728174525fbe

SHA256
3cfc1b1dbb8c88e43226b5b66d65124bcb848e76f806a934b5f94cde3d17acdd

SHA512
a0e852e73255ff9dae670796a8d086aca08a82f2cc15592da2ee910186d8e19e5db1124aafcac1bdaf031e10e7021d99f3253106d656fa56d86f83f6f78f3c9a

Download Submit
\Users\Admin\AppData\Local\Temp\oggxoadpwj.exe
MD5
bd9e98d20218c704152085ea321b9d47

SHA1
b1d8032b68be325359a13a6087a96d583d1c1aa9

SHA256
ba121457671229b82142650afce9511c4e9badbb6eb13bdec61b6e40769e2339

SHA512
62c73315b441e5a9487d6289c71c32466b619b9acafd2f58a395968af5dcdcbdca13a5cbda011b11f5aecd33ee7a257757eb2638c5bf0680437fa7a499325d28

Download Submit
\Users\Admin\AppData\Local\Temp\oggxoadpwj.exe
MD5
bd9e98d20218c704152085ea321b9d47

SHA1
b1d8032b68be325359a13a6087a96d583d1c1aa9

SHA256
ba121457671229b82142650afce9511c4e9badbb6eb13bdec61b6e40769e2339

SHA512
62c73315b441e5a9487d6289c71c32466b619b9acafd2f58a395968af5dcdcbdca13a5cbda011b11f5aecd33ee7a257757eb2638c5bf0680437fa7a499325d28

Download Submit
memory/292-66-0x0000000000000000-mapping.dmp

Download
memory/416-119-0x00000000034E0000-0x0000000003620000-memory.dmp

Filesize
1.2MB

Download
memory/416-113-0x00000000034E0000-0x0000000003620000-memory.dmp

Filesize
1.2MB

Download
memory/416-107-0x0000000003260000-0x00000000034DD000-memory.dmp

Filesize
2.5MB

Download
memory/416-101-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/464-130-0x0000000002160000-0x00000000023DD000-memory.dmp

Filesize
2.5MB

Download
memory/464-136-0x00000000023E0000-0x0000000002520000-memory.dmp

Filesize
1.2MB

Download
memory/464-137-0x00000000023E0000-0x0000000002520000-memory.dmp

Filesize
1.2MB

Download
memory/560-122-0x0000000003810000-0x0000000003821000-memory.dmp

Filesize
68KB

Download
memory/560-446-0x0000000003810000-0x0000000003821000-memory.dmp

Filesize
68KB

Download
memory/560-153-0x0000000003400000-0x0000000003411000-memory.dmp

Filesize
68KB

Download
memory/560-151-0x0000000003810000-0x0000000003821000-memory.dmp

Filesize
68KB

Download
memory/560-502-0x0000000003810000-0x0000000003821000-memory.dmp

Filesize
68KB

Download
memory/560-501-0x0000000003400000-0x0000000003411000-memory.dmp

Filesize
68KB

Download
memory/560-149-0x0000000003400000-0x0000000003411000-memory.dmp

Filesize
68KB

Download
memory/560-95-0x0000000002820000-0x0000000002A9D000-memory.dmp

Filesize
2.5MB

Download
memory/560-209-0x0000000003810000-0x0000000003821000-memory.dmp

Filesize
68KB

Download
memory/560-437-0x0000000003400000-0x0000000003411000-memory.dmp

Filesize
68KB

Download
memory/560-98-0x0000000003000000-0x0000000003011000-memory.dmp

Filesize
68KB

Download
memory/560-99-0x0000000003410000-0x0000000003421000-memory.dmp

Filesize
68KB

Download
memory/560-100-0x0000000003000000-0x0000000003011000-memory.dmp

Filesize
68KB

Download
memory/560-475-0x0000000003400000-0x0000000003411000-memory.dmp

Filesize
68KB

Download
memory/560-474-0x0000000003810000-0x0000000003821000-memory.dmp

Filesize
68KB

Download
memory/560-103-0x0000000003000000-0x0000000003011000-memory.dmp

Filesize
68KB

Download
memory/560-473-0x0000000003400000-0x0000000003411000-memory.dmp

Filesize
68KB

Download
memory/560-438-0x0000000003810000-0x0000000003821000-memory.dmp

Filesize
68KB

Download
memory/560-439-0x0000000003400000-0x0000000003411000-memory.dmp

Filesize
68KB

Download
memory/560-440-0x0000000003810000-0x0000000003821000-memory.dmp

Filesize
68KB

Download
memory/560-470-0x0000000003950000-0x0000000003961000-memory.dmp

Filesize
68KB

Download
memory/560-469-0x0000000003540000-0x0000000003551000-memory.dmp

Filesize
68KB

Download
memory/560-441-0x0000000003400000-0x0000000003411000-memory.dmp

Filesize
68KB

Download
memory/560-449-0x0000000003400000-0x0000000003411000-memory.dmp

Filesize
68KB

Download
memory/560-448-0x0000000003810000-0x0000000003821000-memory.dmp

Filesize
68KB

Download
memory/560-442-0x0000000003810000-0x0000000003821000-memory.dmp

Filesize
68KB

Download
memory/560-447-0x0000000003400000-0x0000000003411000-memory.dmp

Filesize
68KB

Download
memory/560-124-0x00000000037F0000-0x0000000003801000-memory.dmp

Filesize
68KB

Download
memory/560-444-0x0000000003810000-0x0000000003821000-memory.dmp

Filesize
68KB

Download
memory/560-121-0x0000000003400000-0x0000000003411000-memory.dmp

Filesize
68KB

Download
memory/572-59-0x0000000000000000-mapping.dmp

Download
memory/668-173-0x0000000003C50000-0x0000000003C51000-memory.dmp

Filesize
4KB

Download
memory/668-96-0x0000000002C50000-0x000000000311E000-memory.dmp

Filesize
4.8MB

Download
memory/668-167-0x0000000003C50000-0x0000000003C51000-memory.dmp

Filesize
4KB

Download
memory/668-80-0x0000000000000000-mapping.dmp

Download
memory/668-166-0x0000000003C50000-0x0000000003C51000-memory.dmp

Filesize
4KB

Download
memory/668-164-0x0000000003C50000-0x0000000003C51000-memory.dmp

Filesize
4KB

Download
memory/668-91-0x00000000027A0000-0x0000000002931000-memory.dmp

Filesize
1.6MB

Download
memory/832-26-0x0000000000000000-mapping.dmp

Download
memory/848-112-0x0000000000000000-mapping.dmp

Download
memory/848-120-0x0000000002720000-0x000000000299D000-memory.dmp

Filesize
2.5MB

Download
memory/988-65-0x0000000000000000-mapping.dmp

Download
memory/1040-72-0x0000000000000000-mapping.dmp

Download
memory/1040-78-0x0000000002850000-0x0000000002ACD000-memory.dmp

Filesize
2.5MB

Download
memory/1256-170-0x0000000007530000-0x00000000077AD000-memory.dmp

Filesize
2.5MB

Download
memory/1256-184-0x0000000006B80000-0x0000000006CC0000-memory.dmp

Filesize
1.2MB

Download
memory/1256-183-0x0000000006B80000-0x0000000006CC0000-memory.dmp

Filesize
1.2MB

Download
memory/1424-47-0x0000000004860000-0x0000000004871000-memory.dmp

Filesize
68KB

Download
memory/1424-44-0x0000000000000000-mapping.dmp

Download
memory/1424-48-0x0000000004C70000-0x0000000004C81000-memory.dmp

Filesize
68KB

Download
memory/1424-45-0x0000000000000000-mapping.dmp

Download
memory/1504-0-0x00000000049E0000-0x00000000049F1000-memory.dmp

Filesize
68KB

Download
memory/1504-1-0x0000000004DF0000-0x0000000004E01000-memory.dmp

Filesize
68KB

Download
memory/1520-2-0x0000000000000000-mapping.dmp

Download
memory/1556-237-0x00000000039D0000-0x00000000039E1000-memory.dmp

Filesize
68KB

Download
memory/1556-129-0x0000000000000000-mapping.dmp

Download
memory/1556-141-0x00000000035C0000-0x00000000035D1000-memory.dmp

Filesize
68KB

Download
memory/1556-140-0x00000000039D0000-0x00000000039E1000-memory.dmp

Filesize
68KB

Download
memory/1556-139-0x00000000035C0000-0x00000000035D1000-memory.dmp

Filesize
68KB

Download
memory/1556-138-0x00000000028D0000-0x0000000003176000-memory.dmp

Filesize
8.6MB

Download
memory/1556-236-0x00000000035C0000-0x00000000035D1000-memory.dmp

Filesize
68KB

Download
memory/1556-135-0x00000000025F0000-0x0000000002781000-memory.dmp

Filesize
1.6MB

Download
memory/1556-238-0x00000000035C0000-0x00000000035D1000-memory.dmp

Filesize
68KB

Download
memory/1612-32-0x0000000000000000-mapping.dmp

Download
memory/1636-92-0x00000000027F0000-0x0000000002A6D000-memory.dmp

Filesize
2.5MB

Download
memory/1636-93-0x0000000002C90000-0x0000000003013000-memory.dmp

Filesize
3.5MB

Download
memory/1636-86-0x0000000000000000-mapping.dmp

Download
memory/1636-40-0x0000000000000000-mapping.dmp

Download
memory/1716-64-0x0000000000000000-mapping.dmp

Download
memory/1772-9-0x0000000000000000-mapping.dmp

Download
memory/1772-10-0x0000000000000000-mapping.dmp

Download
memory/1812-12-0x0000000002810000-0x0000000002814000-memory.dmp

Filesize
16KB

Download
memory/1812-4-0x0000000000000000-mapping.dmp

Download
memory/1820-50-0x0000000000000000-mapping.dmp

Download
memory/1832-5-0x0000000000000000-mapping.dmp

Download
memory/1880-53-0x0000000000000000-mapping.dmp

Download
memory/1968-58-0x0000000000000000-mapping.dmp

Download
memory/1976-49-0x0000000002780000-0x0000000002791000-memory.dmp

Filesize
68KB

Download
memory/1976-36-0x0000000000000000-mapping.dmp

Download
memory/1976-37-0x0000000000000000-mapping.dmp

Download
memory/1976-39-0x0000000002500000-0x0000000002777000-memory.dmp

Filesize
2.5MB

Download
memory/1992-114-0x0000000002740000-0x00000000028D1000-memory.dmp

Filesize
1.6MB

Download
memory/1992-106-0x0000000000000000-mapping.dmp

Download
memory/2000-13-0x0000000000000000-mapping.dmp

Download