cryptbot | 32ecbb31b795b66ace206da2ca93e22f05a002d070ba5a5965bf89c0c91beb82

Analysis

max time kernel
64s
max time network
111s
platform
windows7_x64
resource
win7v20210410
submitted
09-06-2021 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe
Size

11KB
MD5

be891367a9a7f020097506d3e964bd08
SHA1

4ae27f5a2ec7c7aa26ca725d79397e4645c807c6
SHA256

32ecbb31b795b66ace206da2ca93e22f05a002d070ba5a5965bf89c0c91beb82
SHA512

38e450ea61e2756279fb03e5b72f31fffdfdfc26ad8f3cd920ddab91c2f22ef438b0fa431a2bb424d3182dc231a42ddbcfd5d4d60a81d1333c705e8b16d6cb4f

Score

10^/10

cryptbot fickerstealer glupteba metasploit redline mix 09.06 backdoor discovery dropper infostealer loader spyware stealer trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

fickerstealer

bukkva.site:80

Extracted

Family

cryptbot

olmqmc32.top

morovz03.top

Attributes

payload_url
http://vamzcd04.top/download.php?file=lv.exe

Extracted

Family

redline

Botnet

MIX 09.06

185.215.113.17:18597

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1420-149-0x0000000001D30000-0x0000000001E11000-memory.dmp	family_cryptbot
behavioral1/memory/1420-150-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2040-120-0x0000000002A10000-0x000000000331C000-memory.dmp	family_glupteba
behavioral1/memory/2040-121-0x0000000000400000-0x0000000000D26000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1044-166-0x00000000003E0000-0x00000000003FA000-memory.dmp	family_redline
behavioral1/memory/1044-167-0x00000000007D0000-0x00000000007E9000-memory.dmp	family_redline

fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

NR2E8ZKPOHKK1S8FX32KV12K.exe48KP6FN2CJM161HAD30LMM7P.exeNR2E8ZKPOHKK1S8FX32KV12K.exe42604669408.exe42604669408.exe1623245156461.exe71513421402.exe16320501626.exeedspolishpp.exe

pid	process
2040	NR2E8ZKPOHKK1S8FX32KV12K.exe
1020	48KP6FN2CJM161HAD30LMM7P.exe
1816	NR2E8ZKPOHKK1S8FX32KV12K.exe
940	42604669408.exe
1260	42604669408.exe
516	1623245156461.exe
1420	71513421402.exe
1176	16320501626.exe
1044	edspolishpp.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1976 cmd.exe

pid	process
1976	cmd.exe

Loads dropped DLL 12 IoCs

Processes:

cmd.execmd.execmd.exe42604669408.exe42604669408.execmd.execmd.exe16320501626.exe

pid	process
1648	cmd.exe
1340	cmd.exe
1648	cmd.exe
1340	cmd.exe
920	cmd.exe
920	cmd.exe
940	42604669408.exe
1260	42604669408.exe
1608	cmd.exe
1608	cmd.exe
1508	cmd.exe
1176	16320501626.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

42604669408.exe

description pid process target process

PID 940 set thread context of 1260 940 42604669408.exe 42604669408.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
26	api.ipify.org

description	pid	process	target process
PID 940 set thread context of 1260	940	42604669408.exe	42604669408.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

42604669408.exe71513421402.exe16320501626.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	42604669408.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	42604669408.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	71513421402.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	71513421402.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	16320501626.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	16320501626.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

944 taskkill.exe
1524 taskkill.exe

pid	process
944	taskkill.exe
1524	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

NR2E8ZKPOHKK1S8FX32KV12K.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	NR2E8ZKPOHKK1S8FX32KV12K.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	NR2E8ZKPOHKK1S8FX32KV12K.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	NR2E8ZKPOHKK1S8FX32KV12K.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	NR2E8ZKPOHKK1S8FX32KV12K.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exeNR2E8ZKPOHKK1S8FX32KV12K.exe42604669408.exeedspolishpp.exe

pid process

1808 powershell.exe
1808 powershell.exe
2040 NR2E8ZKPOHKK1S8FX32KV12K.exe
1260 42604669408.exe
1044 edspolishpp.exe
1044 edspolishpp.exe

pid	process
1808	powershell.exe
1808	powershell.exe
2040	NR2E8ZKPOHKK1S8FX32KV12K.exe
1260	42604669408.exe
1044	edspolishpp.exe
1044	edspolishpp.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exe4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exeNR2E8ZKPOHKK1S8FX32KV12K.exetaskkill.exetaskkill.exeedspolishpp.exe

description	pid	process
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	1208	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe
Token: SeDebugPrivilege	2040	NR2E8ZKPOHKK1S8FX32KV12K.exe
Token: SeImpersonatePrivilege	2040	NR2E8ZKPOHKK1S8FX32KV12K.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	1044	edspolishpp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.execmd.execmd.execmd.exe48KP6FN2CJM161HAD30LMM7P.execmd.exe42604669408.exe42604669408.execmd.execmd.exe

description	pid	process	target process
PID 1208 wrote to memory of 1104	1208	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 1208 wrote to memory of 1104	1208	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 1208 wrote to memory of 1104	1208	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 1208 wrote to memory of 1104	1208	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 1104 wrote to memory of 1808	1104	cmd.exe	powershell.exe
PID 1104 wrote to memory of 1808	1104	cmd.exe	powershell.exe
PID 1104 wrote to memory of 1808	1104	cmd.exe	powershell.exe
PID 1104 wrote to memory of 1808	1104	cmd.exe	powershell.exe
PID 1208 wrote to memory of 1648	1208	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 1208 wrote to memory of 1648	1208	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 1208 wrote to memory of 1648	1208	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 1208 wrote to memory of 1648	1208	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 1208 wrote to memory of 1340	1208	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 1208 wrote to memory of 1340	1208	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 1208 wrote to memory of 1340	1208	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 1208 wrote to memory of 1340	1208	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 1648 wrote to memory of 1020	1648	cmd.exe	48KP6FN2CJM161HAD30LMM7P.exe
PID 1648 wrote to memory of 1020	1648	cmd.exe	48KP6FN2CJM161HAD30LMM7P.exe
PID 1648 wrote to memory of 1020	1648	cmd.exe	48KP6FN2CJM161HAD30LMM7P.exe
PID 1648 wrote to memory of 1020	1648	cmd.exe	48KP6FN2CJM161HAD30LMM7P.exe
PID 1340 wrote to memory of 2040	1340	cmd.exe	NR2E8ZKPOHKK1S8FX32KV12K.exe
PID 1340 wrote to memory of 2040	1340	cmd.exe	NR2E8ZKPOHKK1S8FX32KV12K.exe
PID 1340 wrote to memory of 2040	1340	cmd.exe	NR2E8ZKPOHKK1S8FX32KV12K.exe
PID 1340 wrote to memory of 2040	1340	cmd.exe	NR2E8ZKPOHKK1S8FX32KV12K.exe
PID 1020 wrote to memory of 920	1020	48KP6FN2CJM161HAD30LMM7P.exe	cmd.exe
PID 1020 wrote to memory of 920	1020	48KP6FN2CJM161HAD30LMM7P.exe	cmd.exe
PID 1020 wrote to memory of 920	1020	48KP6FN2CJM161HAD30LMM7P.exe	cmd.exe
PID 1020 wrote to memory of 920	1020	48KP6FN2CJM161HAD30LMM7P.exe	cmd.exe
PID 920 wrote to memory of 940	920	cmd.exe	42604669408.exe
PID 920 wrote to memory of 940	920	cmd.exe	42604669408.exe
PID 920 wrote to memory of 940	920	cmd.exe	42604669408.exe
PID 920 wrote to memory of 940	920	cmd.exe	42604669408.exe
PID 940 wrote to memory of 1260	940	42604669408.exe	42604669408.exe
PID 940 wrote to memory of 1260	940	42604669408.exe	42604669408.exe
PID 940 wrote to memory of 1260	940	42604669408.exe	42604669408.exe
PID 940 wrote to memory of 1260	940	42604669408.exe	42604669408.exe
PID 940 wrote to memory of 1260	940	42604669408.exe	42604669408.exe
PID 940 wrote to memory of 1260	940	42604669408.exe	42604669408.exe
PID 940 wrote to memory of 1260	940	42604669408.exe	42604669408.exe
PID 940 wrote to memory of 1260	940	42604669408.exe	42604669408.exe
PID 940 wrote to memory of 1260	940	42604669408.exe	42604669408.exe
PID 940 wrote to memory of 1260	940	42604669408.exe	42604669408.exe
PID 940 wrote to memory of 1260	940	42604669408.exe	42604669408.exe
PID 940 wrote to memory of 1260	940	42604669408.exe	42604669408.exe
PID 940 wrote to memory of 1260	940	42604669408.exe	42604669408.exe
PID 940 wrote to memory of 1260	940	42604669408.exe	42604669408.exe
PID 1260 wrote to memory of 516	1260	42604669408.exe	1623245156461.exe
PID 1260 wrote to memory of 516	1260	42604669408.exe	1623245156461.exe
PID 1260 wrote to memory of 516	1260	42604669408.exe	1623245156461.exe
PID 1260 wrote to memory of 516	1260	42604669408.exe	1623245156461.exe
PID 1020 wrote to memory of 1608	1020	48KP6FN2CJM161HAD30LMM7P.exe	cmd.exe
PID 1020 wrote to memory of 1608	1020	48KP6FN2CJM161HAD30LMM7P.exe	cmd.exe
PID 1020 wrote to memory of 1608	1020	48KP6FN2CJM161HAD30LMM7P.exe	cmd.exe
PID 1020 wrote to memory of 1608	1020	48KP6FN2CJM161HAD30LMM7P.exe	cmd.exe
PID 1608 wrote to memory of 1420	1608	cmd.exe	71513421402.exe
PID 1608 wrote to memory of 1420	1608	cmd.exe	71513421402.exe
PID 1608 wrote to memory of 1420	1608	cmd.exe	71513421402.exe
PID 1608 wrote to memory of 1420	1608	cmd.exe	71513421402.exe
PID 1020 wrote to memory of 1508	1020	48KP6FN2CJM161HAD30LMM7P.exe	cmd.exe
PID 1020 wrote to memory of 1508	1020	48KP6FN2CJM161HAD30LMM7P.exe	cmd.exe
PID 1020 wrote to memory of 1508	1020	48KP6FN2CJM161HAD30LMM7P.exe	cmd.exe
PID 1020 wrote to memory of 1508	1020	48KP6FN2CJM161HAD30LMM7P.exe	cmd.exe
PID 1508 wrote to memory of 1176	1508	cmd.exe	16320501626.exe
PID 1508 wrote to memory of 1176	1508	cmd.exe	16320501626.exe

C:\Users\Admin\AppData\Local\Temp\4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe
"C:\Users\Admin\AppData\Local\Temp\4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powershell Add-MpPreference -ExclusionExtension .exe -Force
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionExtension .exe -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Roaming\48KP6FN2CJM161HAD30LMM7P.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Users\Admin\AppData\Roaming\48KP6FN2CJM161HAD30LMM7P.exe
    "C:\Users\Admin\AppData\Roaming\48KP6FN2CJM161HAD30LMM7P.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\42604669408.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:920
    - - C:\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\42604669408.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\42604669408.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:940
      - C:\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\42604669408.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\42604669408.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\1623245156461.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1623245156461.exe"
        7⤵
        Executes dropped EXE
        
        PID:516
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\71513421402.exe" /mix
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1608
    - - C:\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\71513421402.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\71513421402.exe" /mix
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:1420
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\16320501626.exe" /mix
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1508
    - - C:\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\16320501626.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\16320501626.exe" /mix
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:1176
      - C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
        
        edspolishpp.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "48KP6FN2CJM161HAD30LMM7P.exe" /f & erase "C:\Users\Admin\AppData\Roaming\48KP6FN2CJM161HAD30LMM7P.exe" & exit
      4⤵
      PID:1260
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "48KP6FN2CJM161HAD30LMM7P.exe" /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Roaming\NR2E8ZKPOHKK1S8FX32KV12K.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Users\Admin\AppData\Roaming\NR2E8ZKPOHKK1S8FX32KV12K.exe
    "C:\Users\Admin\AppData\Roaming\NR2E8ZKPOHKK1S8FX32KV12K.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
  - - C:\Users\Admin\AppData\Roaming\NR2E8ZKPOHKK1S8FX32KV12K.exe
      "C:\Users\Admin\AppData\Roaming\NR2E8ZKPOHKK1S8FX32KV12K.exe"
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      PID:1816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe" & exit
  2⤵
  - Deletes itself
  PID:1976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1623245156461.exe

MD5
f7c9a13397d677f20e17ff8cd4a35dc9

SHA1
7013289b0d2f199d42f13e6e1ab906e374cbbcb3

SHA256
bc6d816a5d52d3eb92ad229c882b4554d11e359e53b6fd371ab32777f1f3a0e2

SHA512
cbd11fc4ff2f4522d763054d9a239574bc1db0753290ccdefcd42b3958ed7c9362cb0ed7d730a2ae65d65c0a9382864eeeebd8d7ebb72f9d0c2a3d9befcc0ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\16320501626.exe

MD5
37428f7016077d4689c4b5cf110803d1

SHA1
99858fc1d99be082351d07f7a5ca0035b3c5b078

SHA256
aa68eec8a7206098f2cf085f1fcf8bc462b0d9847b25a8de3933fc354a618834

SHA512
d21f43bbeff890bf82b49934f2b9cc0e28f8af8bf662314af6e3003763057b09251ab8b1bc31d2ab6de2aaf5503a0ae0bf6b1925c0d00fce7ccfa6e12d783d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\16320501626.exe

MD5
37428f7016077d4689c4b5cf110803d1

SHA1
99858fc1d99be082351d07f7a5ca0035b3c5b078

SHA256
aa68eec8a7206098f2cf085f1fcf8bc462b0d9847b25a8de3933fc354a618834

SHA512
d21f43bbeff890bf82b49934f2b9cc0e28f8af8bf662314af6e3003763057b09251ab8b1bc31d2ab6de2aaf5503a0ae0bf6b1925c0d00fce7ccfa6e12d783d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\42604669408.exe

MD5
90ae0e1aaabae3c8e40584611ed7fcab

SHA1
88a7ebdfef08c2d7728ec98e73478016570dc3bd

SHA256
d4264162a3de133ae8202bf1bd3eba3fd6e514c56aa4d286da200f52433dff4e

SHA512
5dd5043fdf145d53b143a3a2be374768f232897477b066bafd0af9a15d17329a88cd92734e07039defd7bfbd38b19366bea1c27886668b2a4469c618e0a54f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\42604669408.exe

MD5
90ae0e1aaabae3c8e40584611ed7fcab

SHA1
88a7ebdfef08c2d7728ec98e73478016570dc3bd

SHA256
d4264162a3de133ae8202bf1bd3eba3fd6e514c56aa4d286da200f52433dff4e

SHA512
5dd5043fdf145d53b143a3a2be374768f232897477b066bafd0af9a15d17329a88cd92734e07039defd7bfbd38b19366bea1c27886668b2a4469c618e0a54f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\42604669408.exe

MD5
90ae0e1aaabae3c8e40584611ed7fcab

SHA1
88a7ebdfef08c2d7728ec98e73478016570dc3bd

SHA256
d4264162a3de133ae8202bf1bd3eba3fd6e514c56aa4d286da200f52433dff4e

SHA512
5dd5043fdf145d53b143a3a2be374768f232897477b066bafd0af9a15d17329a88cd92734e07039defd7bfbd38b19366bea1c27886668b2a4469c618e0a54f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\71513421402.exe

MD5
9f70f3c99573438e3a904a056f09798f

SHA1
47bcdc19b767d13515af816b08d95fdac24e8521

SHA256
88483e5e82b2362be92c707450c3205427359e6c18bf7ae4d723282451af18d5

SHA512
5ea56ee3e682b801a488a0cfd2dfd883e7480dffef75dfe2629a0e2c8aa53cb23bf525d909a76ace292ba7d36f407ee261656de29bc090f74c36f7018c69aeb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\71513421402.exe

MD5
9f70f3c99573438e3a904a056f09798f

SHA1
47bcdc19b767d13515af816b08d95fdac24e8521

SHA256
88483e5e82b2362be92c707450c3205427359e6c18bf7ae4d723282451af18d5

SHA512
5ea56ee3e682b801a488a0cfd2dfd883e7480dffef75dfe2629a0e2c8aa53cb23bf525d909a76ace292ba7d36f407ee261656de29bc090f74c36f7018c69aeb0

Download Submit
C:\Users\Admin\AppData\Roaming\48KP6FN2CJM161HAD30LMM7P.exe

MD5
9c8697e583e0071d29bc362cdfba1a21

SHA1
4957e631d8c622ffd64ccb338b0ed2793928f935

SHA256
255a309aa4ac9d53e3de0f3247b3388d6376af9efb19f8256fd8d1db5bfb2448

SHA512
991633afe078ccdc2328df1a24fe6728592941993696a776b508567579bb8ef0c6f2fa007529ab0eebf0af82503e3d05cb5b5c4eb7aaa1a2bfdbcf12be0be3d4

Download Submit
C:\Users\Admin\AppData\Roaming\48KP6FN2CJM161HAD30LMM7P.exe

MD5
9c8697e583e0071d29bc362cdfba1a21

SHA1
4957e631d8c622ffd64ccb338b0ed2793928f935

SHA256
255a309aa4ac9d53e3de0f3247b3388d6376af9efb19f8256fd8d1db5bfb2448

SHA512
991633afe078ccdc2328df1a24fe6728592941993696a776b508567579bb8ef0c6f2fa007529ab0eebf0af82503e3d05cb5b5c4eb7aaa1a2bfdbcf12be0be3d4

Download Submit
C:\Users\Admin\AppData\Roaming\NR2E8ZKPOHKK1S8FX32KV12K.exe

MD5
a26406d7beb522db60ac21ec0a158dd2

SHA1
575b8d300bf7b3df2e6962e73597fc3d82c2aa65

SHA256
56d24713cac1089743fd25e9862a05f9388bcd0379bde63345d8447df2e8f93c

SHA512
72bfe8eb26a441c31cc672b6e0df3c9fe4a61ef6ce7b44e57bbe86726dc6c39f984a40d1698f761c6f1e438c3c48ac90cf3a77b289d5e9d255134b2738333d11

Download Submit
C:\Users\Admin\AppData\Roaming\NR2E8ZKPOHKK1S8FX32KV12K.exe

MD5
a26406d7beb522db60ac21ec0a158dd2

SHA1
575b8d300bf7b3df2e6962e73597fc3d82c2aa65

SHA256
56d24713cac1089743fd25e9862a05f9388bcd0379bde63345d8447df2e8f93c

SHA512
72bfe8eb26a441c31cc672b6e0df3c9fe4a61ef6ce7b44e57bbe86726dc6c39f984a40d1698f761c6f1e438c3c48ac90cf3a77b289d5e9d255134b2738333d11

Download Submit
C:\Users\Admin\AppData\Roaming\NR2E8ZKPOHKK1S8FX32KV12K.exe

MD5
a26406d7beb522db60ac21ec0a158dd2

SHA1
575b8d300bf7b3df2e6962e73597fc3d82c2aa65

SHA256
56d24713cac1089743fd25e9862a05f9388bcd0379bde63345d8447df2e8f93c

SHA512
72bfe8eb26a441c31cc672b6e0df3c9fe4a61ef6ce7b44e57bbe86726dc6c39f984a40d1698f761c6f1e438c3c48ac90cf3a77b289d5e9d255134b2738333d11

Download Submit
C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe

MD5
84482ccc25d8732c2a33b2e731f53368

SHA1
24668ee2537bc9a1130a39a57a6905a3b2ef4542

SHA256
c8cbc34e33ac2d253932ce0767a96d461b40e70c0dc1dd0e1ac386d262328fa9

SHA512
4defe42ac2ee0c9914f955abb47cc34119a1b87d585cada7e31e1d167f9a8cb6b4d873e99d4ff80bf6026d216998c1fdccdc19e7a7791d0478492f1f4528c4af

Download Submit
\Users\Admin\AppData\Local\Temp\1623245156461.exe

MD5
f7c9a13397d677f20e17ff8cd4a35dc9

SHA1
7013289b0d2f199d42f13e6e1ab906e374cbbcb3

SHA256
bc6d816a5d52d3eb92ad229c882b4554d11e359e53b6fd371ab32777f1f3a0e2

SHA512
cbd11fc4ff2f4522d763054d9a239574bc1db0753290ccdefcd42b3958ed7c9362cb0ed7d730a2ae65d65c0a9382864eeeebd8d7ebb72f9d0c2a3d9befcc0ce3

Download Submit
\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\16320501626.exe

MD5
37428f7016077d4689c4b5cf110803d1

SHA1
99858fc1d99be082351d07f7a5ca0035b3c5b078

SHA256
aa68eec8a7206098f2cf085f1fcf8bc462b0d9847b25a8de3933fc354a618834

SHA512
d21f43bbeff890bf82b49934f2b9cc0e28f8af8bf662314af6e3003763057b09251ab8b1bc31d2ab6de2aaf5503a0ae0bf6b1925c0d00fce7ccfa6e12d783d86

Download Submit
\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\42604669408.exe

MD5
90ae0e1aaabae3c8e40584611ed7fcab

SHA1
88a7ebdfef08c2d7728ec98e73478016570dc3bd

SHA256
d4264162a3de133ae8202bf1bd3eba3fd6e514c56aa4d286da200f52433dff4e

SHA512
5dd5043fdf145d53b143a3a2be374768f232897477b066bafd0af9a15d17329a88cd92734e07039defd7bfbd38b19366bea1c27886668b2a4469c618e0a54f29

Download Submit
\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\42604669408.exe

MD5
90ae0e1aaabae3c8e40584611ed7fcab

SHA1
88a7ebdfef08c2d7728ec98e73478016570dc3bd

SHA256
d4264162a3de133ae8202bf1bd3eba3fd6e514c56aa4d286da200f52433dff4e

SHA512
5dd5043fdf145d53b143a3a2be374768f232897477b066bafd0af9a15d17329a88cd92734e07039defd7bfbd38b19366bea1c27886668b2a4469c618e0a54f29

Download Submit
\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\42604669408.exe

MD5
90ae0e1aaabae3c8e40584611ed7fcab

SHA1
88a7ebdfef08c2d7728ec98e73478016570dc3bd

SHA256
d4264162a3de133ae8202bf1bd3eba3fd6e514c56aa4d286da200f52433dff4e

SHA512
5dd5043fdf145d53b143a3a2be374768f232897477b066bafd0af9a15d17329a88cd92734e07039defd7bfbd38b19366bea1c27886668b2a4469c618e0a54f29

Download Submit
\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\71513421402.exe

MD5
9f70f3c99573438e3a904a056f09798f

SHA1
47bcdc19b767d13515af816b08d95fdac24e8521

SHA256
88483e5e82b2362be92c707450c3205427359e6c18bf7ae4d723282451af18d5

SHA512
5ea56ee3e682b801a488a0cfd2dfd883e7480dffef75dfe2629a0e2c8aa53cb23bf525d909a76ace292ba7d36f407ee261656de29bc090f74c36f7018c69aeb0

Download Submit
\Users\Admin\AppData\Local\Temp\{9F5t-rqzA7-uCdw-aaCMW}\71513421402.exe

MD5
9f70f3c99573438e3a904a056f09798f

SHA1
47bcdc19b767d13515af816b08d95fdac24e8521

SHA256
88483e5e82b2362be92c707450c3205427359e6c18bf7ae4d723282451af18d5

SHA512
5ea56ee3e682b801a488a0cfd2dfd883e7480dffef75dfe2629a0e2c8aa53cb23bf525d909a76ace292ba7d36f407ee261656de29bc090f74c36f7018c69aeb0

Download Submit
\Users\Admin\AppData\Roaming\48KP6FN2CJM161HAD30LMM7P.exe

MD5
9c8697e583e0071d29bc362cdfba1a21

SHA1
4957e631d8c622ffd64ccb338b0ed2793928f935

SHA256
255a309aa4ac9d53e3de0f3247b3388d6376af9efb19f8256fd8d1db5bfb2448

SHA512
991633afe078ccdc2328df1a24fe6728592941993696a776b508567579bb8ef0c6f2fa007529ab0eebf0af82503e3d05cb5b5c4eb7aaa1a2bfdbcf12be0be3d4

Download Submit
\Users\Admin\AppData\Roaming\48KP6FN2CJM161HAD30LMM7P.exe

MD5
9c8697e583e0071d29bc362cdfba1a21

SHA1
4957e631d8c622ffd64ccb338b0ed2793928f935

SHA256
255a309aa4ac9d53e3de0f3247b3388d6376af9efb19f8256fd8d1db5bfb2448

SHA512
991633afe078ccdc2328df1a24fe6728592941993696a776b508567579bb8ef0c6f2fa007529ab0eebf0af82503e3d05cb5b5c4eb7aaa1a2bfdbcf12be0be3d4

Download Submit
\Users\Admin\AppData\Roaming\NR2E8ZKPOHKK1S8FX32KV12K.exe

MD5
a26406d7beb522db60ac21ec0a158dd2

SHA1
575b8d300bf7b3df2e6962e73597fc3d82c2aa65

SHA256
56d24713cac1089743fd25e9862a05f9388bcd0379bde63345d8447df2e8f93c

SHA512
72bfe8eb26a441c31cc672b6e0df3c9fe4a61ef6ce7b44e57bbe86726dc6c39f984a40d1698f761c6f1e438c3c48ac90cf3a77b289d5e9d255134b2738333d11

Download Submit
\Users\Admin\AppData\Roaming\NR2E8ZKPOHKK1S8FX32KV12K.exe

MD5
a26406d7beb522db60ac21ec0a158dd2

SHA1
575b8d300bf7b3df2e6962e73597fc3d82c2aa65

SHA256
56d24713cac1089743fd25e9862a05f9388bcd0379bde63345d8447df2e8f93c

SHA512
72bfe8eb26a441c31cc672b6e0df3c9fe4a61ef6ce7b44e57bbe86726dc6c39f984a40d1698f761c6f1e438c3c48ac90cf3a77b289d5e9d255134b2738333d11

Download Submit
\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe

MD5
84482ccc25d8732c2a33b2e731f53368

SHA1
24668ee2537bc9a1130a39a57a6905a3b2ef4542

SHA256
c8cbc34e33ac2d253932ce0767a96d461b40e70c0dc1dd0e1ac386d262328fa9

SHA512
4defe42ac2ee0c9914f955abb47cc34119a1b87d585cada7e31e1d167f9a8cb6b4d873e99d4ff80bf6026d216998c1fdccdc19e7a7791d0478492f1f4528c4af

Download Submit
memory/516-139-0x0000000000000000-mapping.dmp

Download
memory/920-123-0x0000000000000000-mapping.dmp

Download
memory/940-136-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/940-127-0x0000000000000000-mapping.dmp

Download
memory/944-157-0x0000000000000000-mapping.dmp

Download
memory/1020-112-0x0000000000000000-mapping.dmp

Download
memory/1020-118-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download
memory/1020-119-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1044-173-0x0000000004A14000-0x0000000004A16000-memory.dmp

Filesize
8KB

Download
memory/1044-166-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1044-167-0x00000000007D0000-0x00000000007E9000-memory.dmp

Filesize
100KB

Download
memory/1044-169-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1044-162-0x0000000000000000-mapping.dmp

Download
memory/1044-172-0x0000000004A13000-0x0000000004A14000-memory.dmp

Filesize
4KB

Download
memory/1044-171-0x0000000004A12000-0x0000000004A13000-memory.dmp

Filesize
4KB

Download
memory/1044-168-0x0000000000230000-0x000000000025F000-memory.dmp

Filesize
188KB

Download
memory/1044-170-0x0000000004A11000-0x0000000004A12000-memory.dmp

Filesize
4KB

Download
memory/1104-62-0x0000000000000000-mapping.dmp

Download
memory/1176-160-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1176-154-0x0000000000000000-mapping.dmp

Download
memory/1176-159-0x00000000004E0000-0x00000000005AE000-memory.dmp

Filesize
824KB

Download
memory/1208-59-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1208-71-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/1208-61-0x0000000076661000-0x0000000076663000-memory.dmp

Filesize
8KB

Download
memory/1260-133-0x0000000000401480-mapping.dmp

Download
memory/1260-132-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1260-137-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1260-156-0x0000000000000000-mapping.dmp

Download
memory/1340-106-0x0000000000000000-mapping.dmp

Download
memory/1420-149-0x0000000001D30000-0x0000000001E11000-memory.dmp

Filesize
900KB

Download
memory/1420-146-0x0000000000000000-mapping.dmp

Download
memory/1420-150-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1508-151-0x0000000000000000-mapping.dmp

Download
memory/1524-165-0x0000000000000000-mapping.dmp

Download
memory/1608-142-0x0000000000000000-mapping.dmp

Download
memory/1648-105-0x0000000000000000-mapping.dmp

Download
memory/1808-69-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1808-80-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/1808-65-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/1808-66-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/1808-68-0x0000000004942000-0x0000000004943000-memory.dmp

Filesize
4KB

Download
memory/1808-67-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/1808-103-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/1808-70-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1808-74-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/1808-104-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1808-79-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/1808-102-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/1808-88-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/1808-63-0x0000000000000000-mapping.dmp

Download
memory/1808-87-0x0000000006200000-0x0000000006201000-memory.dmp

Filesize
4KB

Download
memory/1976-164-0x0000000000000000-mapping.dmp

Download
memory/2040-120-0x0000000002A10000-0x000000000331C000-memory.dmp

Filesize
9.0MB

Download
memory/2040-114-0x0000000000000000-mapping.dmp

Download
memory/2040-121-0x0000000000400000-0x0000000000D26000-memory.dmp

Filesize
9.1MB

Download