cryptbot | 36c1ab5e18f20ba99b86a8f995b83a3909f9d3e8d8d7fd573ac1c4813fd2e31e

Analysis

max time kernel
134s
max time network
146s
platform
windows7_x64
resource
win7v20210410
submitted
08-06-2021 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B00F279B575B3F07A06352A37A378323.exe
Size

8KB
MD5

b00f279b575b3f07a06352a37a378323
SHA1

e314c43e297237cad9173cf65c774f99b56acbfc
SHA256

36c1ab5e18f20ba99b86a8f995b83a3909f9d3e8d8d7fd573ac1c4813fd2e31e
SHA512

e00b39b0bdcb68583af082a41ec8ff351933519d8942644955327922669d73de52af92f660fd099be19fe9bf947fafa88647da900a95285bcd7eb82092f4e2bb

Score

10^/10

cryptbot glupteba metasploit raccoon redline 28198d4512d0cf31c204eddceb4471d79950b588 kolya mix 08.06 backdoor discovery dropper evasion infostealer loader spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

Kolya

195.201.17.219:25524

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

raccoon

Botnet

28198d4512d0cf31c204eddceb4471d79950b588

Attributes

url4cnc
https://tttttt.me/capibar

rc4.plain

Extracted

Family

cryptbot

olmjby22.top

mortyl02.top

Attributes

payload_url
http://vamzxy03.top/download.php?file=lv.exe

Extracted

Family

redline

Botnet

MIX 08.06

185.215.113.17:18597

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2132-108-0x00000000006A0000-0x0000000000781000-memory.dmp	family_cryptbot
behavioral1/memory/2132-109-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/720-84-0x0000000002BE0000-0x00000000034EC000-memory.dmp	family_glupteba
behavioral1/memory/720-86-0x0000000000400000-0x0000000000D26000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/960-81-0x0000000000520000-0x000000000053A000-memory.dmp	family_redline
behavioral1/memory/960-82-0x0000000001FF0000-0x0000000002009000-memory.dmp	family_redline
behavioral1/memory/2652-135-0x00000000004B0000-0x00000000004CA000-memory.dmp	family_redline
behavioral1/memory/2652-136-0x0000000001FF0000-0x0000000002009000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

http___212.192.241.136_files_file1.exe.exehttps___leselesp.info_app.exe.exehttp___212.192.241.136_files_file2.exe.exehttp___212.192.241.136_files_file3.exe.exehttps___leselesp.info_app.exe.exe15307934230.exe54508410406.exe70140846064.exeedspolishpp.exe

pid	process
748	http___212.192.241.136_files_file1.exe.exe
720	https___leselesp.info_app.exe.exe
1188	http___212.192.241.136_files_file2.exe.exe
960	http___212.192.241.136_files_file3.exe.exe
572	https___leselesp.info_app.exe.exe
1104	15307934230.exe
2132	54508410406.exe
2264	70140846064.exe
2652	edspolishpp.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

http___212.192.241.136_files_file2.exe.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	http___212.192.241.136_files_file2.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	http___212.192.241.136_files_file2.exe.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2452 cmd.exe

pid	process
2452	cmd.exe

Loads dropped DLL 13 IoCs

Processes:

cmd.execmd.execmd.exe15307934230.exe70140846064.exe

pid	process
756	cmd.exe
756	cmd.exe
2104	cmd.exe
2104	cmd.exe
2236	cmd.exe
1104	15307934230.exe
1104	15307934230.exe
1104	15307934230.exe
1104	15307934230.exe
1104	15307934230.exe
1104	15307934230.exe
1104	15307934230.exe
2264	70140846064.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\http___212.192.241.136_files_file2.exe.exe	themida
C:\Users\Admin\Documents\http___212.192.241.136_files_file2.exe.exe	themida
behavioral1/memory/1188-75-0x0000000000A00000-0x0000000000A01000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

http___212.192.241.136_files_file2.exe.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	http___212.192.241.136_files_file2.exe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

http___212.192.241.136_files_file2.exe.exe

pid process

1188 http___212.192.241.136_files_file2.exe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1188	http___212.192.241.136_files_file2.exe.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

54508410406.exe70140846064.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	54508410406.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	54508410406.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	70140846064.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	70140846064.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2568 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2372 taskkill.exe
2492 taskkill.exe

pid	process
2568	timeout.exe

pid	process
2372	taskkill.exe
2492	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

https___leselesp.info_app.exe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	https___leselesp.info_app.exe.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

B00F279B575B3F07A06352A37A378323.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	B00F279B575B3F07A06352A37A378323.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	B00F279B575B3F07A06352A37A378323.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	B00F279B575B3F07A06352A37A378323.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	B00F279B575B3F07A06352A37A378323.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	B00F279B575B3F07A06352A37A378323.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	B00F279B575B3F07A06352A37A378323.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

https___leselesp.info_app.exe.exehttp___212.192.241.136_files_file2.exe.exeB00F279B575B3F07A06352A37A378323.exeedspolishpp.exe

pid	process
720	https___leselesp.info_app.exe.exe
1188	http___212.192.241.136_files_file2.exe.exe
1188	http___212.192.241.136_files_file2.exe.exe
1864	B00F279B575B3F07A06352A37A378323.exe
2652	edspolishpp.exe
2652	edspolishpp.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

B00F279B575B3F07A06352A37A378323.exehttps___leselesp.info_app.exe.exehttp___212.192.241.136_files_file3.exe.exehttp___212.192.241.136_files_file2.exe.exetaskkill.exetaskkill.exeedspolishpp.exe

description	pid	process
Token: SeDebugPrivilege	1864	B00F279B575B3F07A06352A37A378323.exe
Token: SeDebugPrivilege	720	https___leselesp.info_app.exe.exe
Token: SeImpersonatePrivilege	720	https___leselesp.info_app.exe.exe
Token: SeDebugPrivilege	960	http___212.192.241.136_files_file3.exe.exe
Token: SeDebugPrivilege	1188	http___212.192.241.136_files_file2.exe.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	2492	taskkill.exe
Token: SeDebugPrivilege	2652	edspolishpp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

B00F279B575B3F07A06352A37A378323.exehttp___212.192.241.136_files_file1.exe.execmd.execmd.execmd.execmd.execmd.exe15307934230.execmd.exe70140846064.exe

description	pid	process	target process
PID 1864 wrote to memory of 748	1864	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file1.exe.exe
PID 1864 wrote to memory of 748	1864	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file1.exe.exe
PID 1864 wrote to memory of 748	1864	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file1.exe.exe
PID 1864 wrote to memory of 748	1864	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file1.exe.exe
PID 1864 wrote to memory of 720	1864	B00F279B575B3F07A06352A37A378323.exe	https___leselesp.info_app.exe.exe
PID 1864 wrote to memory of 720	1864	B00F279B575B3F07A06352A37A378323.exe	https___leselesp.info_app.exe.exe
PID 1864 wrote to memory of 720	1864	B00F279B575B3F07A06352A37A378323.exe	https___leselesp.info_app.exe.exe
PID 1864 wrote to memory of 720	1864	B00F279B575B3F07A06352A37A378323.exe	https___leselesp.info_app.exe.exe
PID 1864 wrote to memory of 1188	1864	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file2.exe.exe
PID 1864 wrote to memory of 1188	1864	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file2.exe.exe
PID 1864 wrote to memory of 1188	1864	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file2.exe.exe
PID 1864 wrote to memory of 1188	1864	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file2.exe.exe
PID 1864 wrote to memory of 960	1864	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file3.exe.exe
PID 1864 wrote to memory of 960	1864	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file3.exe.exe
PID 1864 wrote to memory of 960	1864	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file3.exe.exe
PID 1864 wrote to memory of 960	1864	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file3.exe.exe
PID 748 wrote to memory of 756	748	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 748 wrote to memory of 756	748	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 748 wrote to memory of 756	748	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 748 wrote to memory of 756	748	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 756 wrote to memory of 1104	756	cmd.exe	15307934230.exe
PID 756 wrote to memory of 1104	756	cmd.exe	15307934230.exe
PID 756 wrote to memory of 1104	756	cmd.exe	15307934230.exe
PID 756 wrote to memory of 1104	756	cmd.exe	15307934230.exe
PID 748 wrote to memory of 2104	748	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 748 wrote to memory of 2104	748	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 748 wrote to memory of 2104	748	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 748 wrote to memory of 2104	748	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 2104 wrote to memory of 2132	2104	cmd.exe	54508410406.exe
PID 2104 wrote to memory of 2132	2104	cmd.exe	54508410406.exe
PID 2104 wrote to memory of 2132	2104	cmd.exe	54508410406.exe
PID 2104 wrote to memory of 2132	2104	cmd.exe	54508410406.exe
PID 748 wrote to memory of 2236	748	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 748 wrote to memory of 2236	748	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 748 wrote to memory of 2236	748	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 748 wrote to memory of 2236	748	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 2236 wrote to memory of 2264	2236	cmd.exe	70140846064.exe
PID 2236 wrote to memory of 2264	2236	cmd.exe	70140846064.exe
PID 2236 wrote to memory of 2264	2236	cmd.exe	70140846064.exe
PID 2236 wrote to memory of 2264	2236	cmd.exe	70140846064.exe
PID 748 wrote to memory of 2336	748	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 748 wrote to memory of 2336	748	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 748 wrote to memory of 2336	748	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 748 wrote to memory of 2336	748	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 2336 wrote to memory of 2372	2336	cmd.exe	taskkill.exe
PID 2336 wrote to memory of 2372	2336	cmd.exe	taskkill.exe
PID 2336 wrote to memory of 2372	2336	cmd.exe	taskkill.exe
PID 2336 wrote to memory of 2372	2336	cmd.exe	taskkill.exe
PID 1864 wrote to memory of 2452	1864	B00F279B575B3F07A06352A37A378323.exe	cmd.exe
PID 1864 wrote to memory of 2452	1864	B00F279B575B3F07A06352A37A378323.exe	cmd.exe
PID 1864 wrote to memory of 2452	1864	B00F279B575B3F07A06352A37A378323.exe	cmd.exe
PID 2452 wrote to memory of 2492	2452	cmd.exe	taskkill.exe
PID 2452 wrote to memory of 2492	2452	cmd.exe	taskkill.exe
PID 2452 wrote to memory of 2492	2452	cmd.exe	taskkill.exe
PID 1104 wrote to memory of 2536	1104	15307934230.exe	cmd.exe
PID 1104 wrote to memory of 2536	1104	15307934230.exe	cmd.exe
PID 1104 wrote to memory of 2536	1104	15307934230.exe	cmd.exe
PID 1104 wrote to memory of 2536	1104	15307934230.exe	cmd.exe
PID 2536 wrote to memory of 2568	2536	cmd.exe	timeout.exe
PID 2536 wrote to memory of 2568	2536	cmd.exe	timeout.exe
PID 2536 wrote to memory of 2568	2536	cmd.exe	timeout.exe
PID 2536 wrote to memory of 2568	2536	cmd.exe	timeout.exe
PID 2264 wrote to memory of 2652	2264	70140846064.exe	edspolishpp.exe
PID 2264 wrote to memory of 2652	2264	70140846064.exe	edspolishpp.exe

C:\Users\Admin\AppData\Local\Temp\B00F279B575B3F07A06352A37A378323.exe
"C:\Users\Admin\AppData\Local\Temp\B00F279B575B3F07A06352A37A378323.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\Documents\http___212.192.241.136_files_file1.exe.exe
"C:\Users\Admin\Documents\http___212.192.241.136_files_file1.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\15307934230.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\15307934230.exe
"C:\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\15307934230.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\15307934230.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:2568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\54508410406.exe" /mix
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\54508410406.exe
"C:\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\54508410406.exe" /mix
4⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\70140846064.exe" /mix
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\70140846064.exe
"C:\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\70140846064.exe" /mix
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
edspolishpp.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "http___212.192.241.136_files_file1.exe.exe" /f & erase "C:\Users\Admin\Documents\http___212.192.241.136_files_file1.exe.exe" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "http___212.192.241.136_files_file1.exe.exe" /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Users\Admin\Documents\https___leselesp.info_app.exe.exe
"C:\Users\Admin\Documents\https___leselesp.info_app.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Users\Admin\Documents\https___leselesp.info_app.exe.exe
"C:\Users\Admin\Documents\https___leselesp.info_app.exe.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:572

C:\Users\Admin\Documents\http___212.192.241.136_files_file2.exe.exe
"C:\Users\Admin\Documents\http___212.192.241.136_files_file2.exe.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Users\Admin\Documents\http___212.192.241.136_files_file3.exe.exe
"C:\Users\Admin\Documents\http___212.192.241.136_files_file3.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "B00F279B575B3F07A06352A37A378323.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\B00F279B575B3F07A06352A37A378323.exe" & exit
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\system32\taskkill.exe
taskkill /im "B00F279B575B3F07A06352A37A378323.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\15307934230.exe
MD5
e7ccfdce0d5c66e3f1d4d89eac63fafa

SHA1
23634375e7b10ca832f7da12569e1390171a41fd

SHA256
4cd381d6f335c3f329c9d0aeff1a0336d1aeddd13e5cccef40315bb7b0616cc1

SHA512
9ddb95a47cd45f4a81e411240c7964411195dcd6e641eae31159b4601ac06084bf9a967acb4e88dd762fa70fdf4856fec135bd8c4bdc91968e47c542033af60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\15307934230.exe
MD5
e7ccfdce0d5c66e3f1d4d89eac63fafa

SHA1
23634375e7b10ca832f7da12569e1390171a41fd

SHA256
4cd381d6f335c3f329c9d0aeff1a0336d1aeddd13e5cccef40315bb7b0616cc1

SHA512
9ddb95a47cd45f4a81e411240c7964411195dcd6e641eae31159b4601ac06084bf9a967acb4e88dd762fa70fdf4856fec135bd8c4bdc91968e47c542033af60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\54508410406.exe
MD5
c51c45bbb095023f3b002838d0260d93

SHA1
b89089aab28c604de07707b309e1a6cfd1d8bc45

SHA256
6051ad192d2c5bbf8505a23b280a880339665074ff7303527a3ec61e2c586476

SHA512
21f06c6da9a85d0e3173ca577d6be8d6bf2059761665844289797ee3d71c598d2a54686c7dc0b68c9c47f4413e7de07468fb6c21ee1cd04401f408ddc149de56

Download Submit
C:\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\54508410406.exe
MD5
c51c45bbb095023f3b002838d0260d93

SHA1
b89089aab28c604de07707b309e1a6cfd1d8bc45

SHA256
6051ad192d2c5bbf8505a23b280a880339665074ff7303527a3ec61e2c586476

SHA512
21f06c6da9a85d0e3173ca577d6be8d6bf2059761665844289797ee3d71c598d2a54686c7dc0b68c9c47f4413e7de07468fb6c21ee1cd04401f408ddc149de56

Download Submit
C:\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\70140846064.exe
MD5
37428f7016077d4689c4b5cf110803d1

SHA1
99858fc1d99be082351d07f7a5ca0035b3c5b078

SHA256
aa68eec8a7206098f2cf085f1fcf8bc462b0d9847b25a8de3933fc354a618834

SHA512
d21f43bbeff890bf82b49934f2b9cc0e28f8af8bf662314af6e3003763057b09251ab8b1bc31d2ab6de2aaf5503a0ae0bf6b1925c0d00fce7ccfa6e12d783d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\70140846064.exe
MD5
37428f7016077d4689c4b5cf110803d1

SHA1
99858fc1d99be082351d07f7a5ca0035b3c5b078

SHA256
aa68eec8a7206098f2cf085f1fcf8bc462b0d9847b25a8de3933fc354a618834

SHA512
d21f43bbeff890bf82b49934f2b9cc0e28f8af8bf662314af6e3003763057b09251ab8b1bc31d2ab6de2aaf5503a0ae0bf6b1925c0d00fce7ccfa6e12d783d86

Download Submit
C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
MD5
b5e7e1fd00e34e49999f5b60286cd7aa

SHA1
3321f734fcf156bca17c7faadc7fe863a44fe849

SHA256
ec3c9e1878a43c6f5d7c0c5fd98ba61ca5e4d4ceae6ce3c7693e4c3a3c8283fe

SHA512
1e01e673aa1fa59a2ce5ddc9148ba15041dee4f00a83021bda32a9a60e27131098f57a69e27b306706e63e2ed0a96fe7d8c765942a3119d718c7afdc0f802e8c

Download Submit
C:\Users\Admin\Documents\http___212.192.241.136_files_file1.exe.exe
MD5
9c8697e583e0071d29bc362cdfba1a21

SHA1
4957e631d8c622ffd64ccb338b0ed2793928f935

SHA256
255a309aa4ac9d53e3de0f3247b3388d6376af9efb19f8256fd8d1db5bfb2448

SHA512
991633afe078ccdc2328df1a24fe6728592941993696a776b508567579bb8ef0c6f2fa007529ab0eebf0af82503e3d05cb5b5c4eb7aaa1a2bfdbcf12be0be3d4

Download Submit
C:\Users\Admin\Documents\http___212.192.241.136_files_file1.exe.exe
MD5
9c8697e583e0071d29bc362cdfba1a21

SHA1
4957e631d8c622ffd64ccb338b0ed2793928f935

SHA256
255a309aa4ac9d53e3de0f3247b3388d6376af9efb19f8256fd8d1db5bfb2448

SHA512
991633afe078ccdc2328df1a24fe6728592941993696a776b508567579bb8ef0c6f2fa007529ab0eebf0af82503e3d05cb5b5c4eb7aaa1a2bfdbcf12be0be3d4

Download Submit
C:\Users\Admin\Documents\http___212.192.241.136_files_file2.exe.exe
MD5
1f7b929d59d32602616ae4a25aee40a0

SHA1
4f8f66213ba8e8c9692f9154ea8162bd861d9260

SHA256
684c418e39d173630d23b16023322988f6e59efaadea29b36331f6dc4817df1c

SHA512
4b0af647030c7544b77f2ba86a9756fdf8c2b9ae26bdb388888afa2e9b18b011ca08de681be81b0b263545b7af6e3d01c60dfe0ff0215d8ed4dbbbb1166b83f4

Download Submit
C:\Users\Admin\Documents\http___212.192.241.136_files_file2.exe.exe
MD5
1f7b929d59d32602616ae4a25aee40a0

SHA1
4f8f66213ba8e8c9692f9154ea8162bd861d9260

SHA256
684c418e39d173630d23b16023322988f6e59efaadea29b36331f6dc4817df1c

SHA512
4b0af647030c7544b77f2ba86a9756fdf8c2b9ae26bdb388888afa2e9b18b011ca08de681be81b0b263545b7af6e3d01c60dfe0ff0215d8ed4dbbbb1166b83f4

Download Submit
C:\Users\Admin\Documents\http___212.192.241.136_files_file3.exe.exe
MD5
51cb4383518e4d2ca519ab6c8874fc4c

SHA1
e8875494406aa10c347edea47fa8e607194023e3

SHA256
3bec59f84c4d86172ce1bfdd8d2f43ab1e679155620852c13f44cfe5cd95a0fd

SHA512
11490c1e5ca5da171204709adf1cb6cd23b4c3cee8f437147b8ebf5d7f07e24bf3e7611359cce68b1270f36ebc8e2bf2f92de38648dcef2ea9d5acddb79f9927

Download Submit
C:\Users\Admin\Documents\https___leselesp.info_app.exe.exe
MD5
140376ea9ed326c65dd36e062411813c

SHA1
e867d62597776e8d26539a4ac03a25e1b901ae75

SHA256
0011ed51d2cc363d3fcd45bab9d12752e05eebf69ebc2a1063d7d11c7ff8cdd8

SHA512
5e4b746bbb74b3b852884f473a40607048294930faffab44eb7afca5b9f5310be1278b826d7c4efeaac210b3ae4568edfadc53c5509344b3a8323b800b9777ad

Download Submit
C:\Users\Admin\Documents\https___leselesp.info_app.exe.exe
MD5
140376ea9ed326c65dd36e062411813c

SHA1
e867d62597776e8d26539a4ac03a25e1b901ae75

SHA256
0011ed51d2cc363d3fcd45bab9d12752e05eebf69ebc2a1063d7d11c7ff8cdd8

SHA512
5e4b746bbb74b3b852884f473a40607048294930faffab44eb7afca5b9f5310be1278b826d7c4efeaac210b3ae4568edfadc53c5509344b3a8323b800b9777ad

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\15307934230.exe
MD5
e7ccfdce0d5c66e3f1d4d89eac63fafa

SHA1
23634375e7b10ca832f7da12569e1390171a41fd

SHA256
4cd381d6f335c3f329c9d0aeff1a0336d1aeddd13e5cccef40315bb7b0616cc1

SHA512
9ddb95a47cd45f4a81e411240c7964411195dcd6e641eae31159b4601ac06084bf9a967acb4e88dd762fa70fdf4856fec135bd8c4bdc91968e47c542033af60f

Download Submit
\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\15307934230.exe
MD5
e7ccfdce0d5c66e3f1d4d89eac63fafa

SHA1
23634375e7b10ca832f7da12569e1390171a41fd

SHA256
4cd381d6f335c3f329c9d0aeff1a0336d1aeddd13e5cccef40315bb7b0616cc1

SHA512
9ddb95a47cd45f4a81e411240c7964411195dcd6e641eae31159b4601ac06084bf9a967acb4e88dd762fa70fdf4856fec135bd8c4bdc91968e47c542033af60f

Download Submit
\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\54508410406.exe
MD5
c51c45bbb095023f3b002838d0260d93

SHA1
b89089aab28c604de07707b309e1a6cfd1d8bc45

SHA256
6051ad192d2c5bbf8505a23b280a880339665074ff7303527a3ec61e2c586476

SHA512
21f06c6da9a85d0e3173ca577d6be8d6bf2059761665844289797ee3d71c598d2a54686c7dc0b68c9c47f4413e7de07468fb6c21ee1cd04401f408ddc149de56

Download Submit
\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\54508410406.exe
MD5
c51c45bbb095023f3b002838d0260d93

SHA1
b89089aab28c604de07707b309e1a6cfd1d8bc45

SHA256
6051ad192d2c5bbf8505a23b280a880339665074ff7303527a3ec61e2c586476

SHA512
21f06c6da9a85d0e3173ca577d6be8d6bf2059761665844289797ee3d71c598d2a54686c7dc0b68c9c47f4413e7de07468fb6c21ee1cd04401f408ddc149de56

Download Submit
\Users\Admin\AppData\Local\Temp\{TumG-ElxC9-HnvS-jidlK}\70140846064.exe
MD5
37428f7016077d4689c4b5cf110803d1

SHA1
99858fc1d99be082351d07f7a5ca0035b3c5b078

SHA256
aa68eec8a7206098f2cf085f1fcf8bc462b0d9847b25a8de3933fc354a618834

SHA512
d21f43bbeff890bf82b49934f2b9cc0e28f8af8bf662314af6e3003763057b09251ab8b1bc31d2ab6de2aaf5503a0ae0bf6b1925c0d00fce7ccfa6e12d783d86

Download Submit
\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
MD5
b5e7e1fd00e34e49999f5b60286cd7aa

SHA1
3321f734fcf156bca17c7faadc7fe863a44fe849

SHA256
ec3c9e1878a43c6f5d7c0c5fd98ba61ca5e4d4ceae6ce3c7693e4c3a3c8283fe

SHA512
1e01e673aa1fa59a2ce5ddc9148ba15041dee4f00a83021bda32a9a60e27131098f57a69e27b306706e63e2ed0a96fe7d8c765942a3119d718c7afdc0f802e8c

Download Submit
memory/720-86-0x0000000000400000-0x0000000000D26000-memory.dmp

Filesize
9.1MB

Download
memory/720-84-0x0000000002BE0000-0x00000000034EC000-memory.dmp

Filesize
9.0MB

Download
memory/720-63-0x0000000000000000-mapping.dmp

Download
memory/748-62-0x0000000000000000-mapping.dmp

Download
memory/748-74-0x0000000000460000-0x000000000048F000-memory.dmp

Filesize
188KB

Download
memory/748-77-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/756-90-0x0000000000000000-mapping.dmp

Download
memory/960-82-0x0000000001FF0000-0x0000000002009000-memory.dmp

Filesize
100KB

Download
memory/960-85-0x0000000004AE2000-0x0000000004AE3000-memory.dmp

Filesize
4KB

Download
memory/960-81-0x0000000000520000-0x000000000053A000-memory.dmp

Filesize
104KB

Download
memory/960-88-0x0000000004AE4000-0x0000000004AE6000-memory.dmp

Filesize
8KB

Download
memory/960-68-0x0000000000000000-mapping.dmp

Download
memory/960-83-0x0000000004AE1000-0x0000000004AE2000-memory.dmp

Filesize
4KB

Download
memory/960-87-0x0000000004AE3000-0x0000000004AE4000-memory.dmp

Filesize
4KB

Download
memory/960-79-0x0000000000230000-0x000000000025F000-memory.dmp

Filesize
188KB

Download
memory/960-80-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1104-99-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/1104-100-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1104-94-0x0000000000000000-mapping.dmp

Download
memory/1188-75-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1188-66-0x0000000000000000-mapping.dmp

Download
memory/1188-69-0x0000000076A81000-0x0000000076A83000-memory.dmp

Filesize
8KB

Download
memory/1188-78-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/1864-61-0x00000000004D0000-0x00000000004D2000-memory.dmp

Filesize
8KB

Download
memory/1864-59-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/2104-101-0x0000000000000000-mapping.dmp

Download
memory/2132-105-0x0000000000000000-mapping.dmp

Download
memory/2132-108-0x00000000006A0000-0x0000000000781000-memory.dmp

Filesize
900KB

Download
memory/2132-109-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2236-110-0x0000000000000000-mapping.dmp

Download
memory/2264-113-0x0000000000000000-mapping.dmp

Download
memory/2264-127-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2264-126-0x0000000001C10000-0x0000000001CDE000-memory.dmp

Filesize
824KB

Download
memory/2336-116-0x0000000000000000-mapping.dmp

Download
memory/2372-117-0x0000000000000000-mapping.dmp

Download
memory/2452-128-0x0000000000000000-mapping.dmp

Download
memory/2492-129-0x0000000000000000-mapping.dmp

Download
memory/2536-130-0x0000000000000000-mapping.dmp

Download
memory/2568-131-0x0000000000000000-mapping.dmp

Download
memory/2652-133-0x0000000000000000-mapping.dmp

Download
memory/2652-135-0x00000000004B0000-0x00000000004CA000-memory.dmp

Filesize
104KB

Download
memory/2652-136-0x0000000001FF0000-0x0000000002009000-memory.dmp

Filesize
100KB

Download
memory/2652-138-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2652-140-0x00000000047F2000-0x00000000047F3000-memory.dmp

Filesize
4KB

Download
memory/2652-141-0x00000000047F3000-0x00000000047F4000-memory.dmp

Filesize
4KB

Download
memory/2652-139-0x00000000047F1000-0x00000000047F2000-memory.dmp

Filesize
4KB

Download
memory/2652-137-0x00000000002B0000-0x00000000002DF000-memory.dmp

Filesize
188KB

Download
memory/2652-142-0x00000000047F4000-0x00000000047F6000-memory.dmp

Filesize
8KB

Download