redline | fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f

Target

Setup.exe
Size

631KB
MD5

cb927513ff8ebff4dd52a47f7e42f934
SHA1

0de47c02a8adc4940a6c18621b4e4a619641d029
SHA256

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
SHA512

988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Score

10^/10

redline mybirja spnewportspectr agilenet discovery evasion infostealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

mybirja

45.14.49.232:63850

Extracted

Family

redline

Botnet

spnewportspectr

135.148.139.222:1594

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2760	rundll32.exe	81

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x00030000000130d9-68.dat	family_redline
behavioral1/files/0x00030000000130d9-63.dat	family_redline
behavioral1/files/0x00030000000130d9-149.dat	family_redline
behavioral1/memory/2332-174-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 28 IoCs

pid	Process
1388	CGYRCfCgvlC_9XiU7Fhy9uMe.exe
340	Zk17vtAeYbrEG3kOdWdSrkni.exe
1152	ZM0HwI9mJU4lvonM5nq_9kTk.exe
908	1BYpmuqxpoVUKM3XDcInAiRl.exe
956	garD476G0WLcVRPecIvIt7MH.exe
976	xp6TcWFC3Begrv6F4_lMAlP_.exe
800	3AFCfCHLadqLeNGS6fIaE_vo.exe
592	2KytRoGyS2hISFGojpqM6o2w.exe
564	jIvQqzr5t9HvnaMeJswofVGG.exe
1776	AWr5VrdLpyDwITJp7b6f6t4c.exe
1588	7kwAtBUW5STJIg6ha1LOS4dT.exe
1692	y4mC7lqqw1373oVH1QsnkMbj.exe
1432	WQLifcoXzsYEtAyKyDKDTzyF.exe
820	RZ_itK1QVOMvKvpAadS1yDmN.exe
1216	YWpDCrXfPM2El548uJ3S3xwS.exe
1752	lRUFfKolp05XjqiL1zSQVPaE.exe
760	2IliOKqipizpeBwGNe8DxnLY.exe
560	RW_84koZio44UIB4QUW4k8Sn.exe
1116	8Q7sJXZwtLmjvvHbRnr12zIg.exe
1032	iMZh5vN3PPjXh3PGVvOOSIPJ.exe
1340	I4EJTePBQ7QbDvx2oWLUHmQi.exe
2148	ZM0HwI9mJU4lvonM5nq_9kTk.exe
2132	inst001.exe
2436	cutm3.exe
2460	md8_8eus.exe
2788	WQLifcoXzsYEtAyKyDKDTzyF.exe
2848	IQ0V_Fe_.eXE
2992	2IliOKqipizpeBwGNe8DxnLY.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\International\Geo\Nation	Setup.exe

Loads dropped DLL 45 IoCs

pid	Process
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1612	Setup.exe
1340	I4EJTePBQ7QbDvx2oWLUHmQi.exe
1340	I4EJTePBQ7QbDvx2oWLUHmQi.exe
1340	I4EJTePBQ7QbDvx2oWLUHmQi.exe
1340	I4EJTePBQ7QbDvx2oWLUHmQi.exe
2600	cmd.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
2328	rundll32.exe
2328	rundll32.exe
2328	rundll32.exe
2328	rundll32.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x00030000000130e8-86.dat	agile_net

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00030000000130e3-70.dat	themida
behavioral1/files/0x00030000000130e7-103.dat	themida
behavioral1/files/0x00030000000130e3-100.dat	themida
behavioral1/files/0x00030000000130e7-78.dat	themida
behavioral1/files/0x000300000001310e-108.dat	themida
behavioral1/files/0x000300000001310e-113.dat	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
141	ipinfo.io
142	ipinfo.io
21	ipinfo.io
22	ipinfo.io
117	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1152 set thread context of 2148	1152	ZM0HwI9mJU4lvonM5nq_9kTk.exe	63
PID 1216 set thread context of 2332	1216	YWpDCrXfPM2El548uJ3S3xwS.exe	69

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	jIvQqzr5t9HvnaMeJswofVGG.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst001.exe	I4EJTePBQ7QbDvx2oWLUHmQi.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	I4EJTePBQ7QbDvx2oWLUHmQi.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	I4EJTePBQ7QbDvx2oWLUHmQi.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	I4EJTePBQ7QbDvx2oWLUHmQi.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	I4EJTePBQ7QbDvx2oWLUHmQi.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	jIvQqzr5t9HvnaMeJswofVGG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2256	1116	WerFault.exe	60

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2188	schtasks.exe
2272	schtasks.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2908	taskkill.exe
2348	taskkill.exe
2736	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	2IliOKqipizpeBwGNe8DxnLY.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	2IliOKqipizpeBwGNe8DxnLY.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	2IliOKqipizpeBwGNe8DxnLY.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	2IliOKqipizpeBwGNe8DxnLY.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	2IliOKqipizpeBwGNe8DxnLY.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	2IliOKqipizpeBwGNe8DxnLY.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	2IliOKqipizpeBwGNe8DxnLY.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	2IliOKqipizpeBwGNe8DxnLY.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	jIvQqzr5t9HvnaMeJswofVGG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	jIvQqzr5t9HvnaMeJswofVGG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	jIvQqzr5t9HvnaMeJswofVGG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 1900000001000000100000000b6cd9778e41ad67fd6be0a6903710440300000001000000140000006252dc40f71143a22fde9ef7348e064251b181180b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded309000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad2000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	jIvQqzr5t9HvnaMeJswofVGG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	8Q7sJXZwtLmjvvHbRnr12zIg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	8Q7sJXZwtLmjvvHbRnr12zIg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181182000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	jIvQqzr5t9HvnaMeJswofVGG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	8Q7sJXZwtLmjvvHbRnr12zIg.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	158	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1612	Setup.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
760	2IliOKqipizpeBwGNe8DxnLY.exe
760	2IliOKqipizpeBwGNe8DxnLY.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2256	WerFault.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	2256	WerFault.exe
Token: SeDebugPrivilege	760	2IliOKqipizpeBwGNe8DxnLY.exe
Token: SeImpersonatePrivilege	760	2IliOKqipizpeBwGNe8DxnLY.exe
Token: SeDebugPrivilege	760	2IliOKqipizpeBwGNe8DxnLY.exe
Token: SeImpersonatePrivilege	760	2IliOKqipizpeBwGNe8DxnLY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 340	1612	Setup.exe	31
PID 1612 wrote to memory of 340	1612	Setup.exe	31
PID 1612 wrote to memory of 340	1612	Setup.exe	31
PID 1612 wrote to memory of 340	1612	Setup.exe	31
PID 1612 wrote to memory of 1388	1612	Setup.exe	33
PID 1612 wrote to memory of 1388	1612	Setup.exe	33
PID 1612 wrote to memory of 1388	1612	Setup.exe	33
PID 1612 wrote to memory of 1388	1612	Setup.exe	33
PID 1612 wrote to memory of 1152	1612	Setup.exe	32
PID 1612 wrote to memory of 1152	1612	Setup.exe	32
PID 1612 wrote to memory of 1152	1612	Setup.exe	32
PID 1612 wrote to memory of 1152	1612	Setup.exe	32
PID 1612 wrote to memory of 956	1612	Setup.exe	42
PID 1612 wrote to memory of 956	1612	Setup.exe	42
PID 1612 wrote to memory of 956	1612	Setup.exe	42
PID 1612 wrote to memory of 956	1612	Setup.exe	42
PID 1612 wrote to memory of 976	1612	Setup.exe	43
PID 1612 wrote to memory of 976	1612	Setup.exe	43
PID 1612 wrote to memory of 976	1612	Setup.exe	43
PID 1612 wrote to memory of 976	1612	Setup.exe	43
PID 1612 wrote to memory of 908	1612	Setup.exe	44
PID 1612 wrote to memory of 908	1612	Setup.exe	44
PID 1612 wrote to memory of 908	1612	Setup.exe	44
PID 1612 wrote to memory of 908	1612	Setup.exe	44
PID 1612 wrote to memory of 908	1612	Setup.exe	44
PID 1612 wrote to memory of 908	1612	Setup.exe	44
PID 1612 wrote to memory of 908	1612	Setup.exe	44
PID 1612 wrote to memory of 800	1612	Setup.exe	41
PID 1612 wrote to memory of 800	1612	Setup.exe	41
PID 1612 wrote to memory of 800	1612	Setup.exe	41
PID 1612 wrote to memory of 800	1612	Setup.exe	41
PID 1612 wrote to memory of 800	1612	Setup.exe	41
PID 1612 wrote to memory of 800	1612	Setup.exe	41
PID 1612 wrote to memory of 800	1612	Setup.exe	41
PID 1612 wrote to memory of 564	1612	Setup.exe	40
PID 1612 wrote to memory of 564	1612	Setup.exe	40
PID 1612 wrote to memory of 564	1612	Setup.exe	40
PID 1612 wrote to memory of 564	1612	Setup.exe	40
PID 1612 wrote to memory of 1692	1612	Setup.exe	38
PID 1612 wrote to memory of 1692	1612	Setup.exe	38
PID 1612 wrote to memory of 1692	1612	Setup.exe	38
PID 1612 wrote to memory of 1692	1612	Setup.exe	38
PID 1612 wrote to memory of 2008	1612	Setup.exe	37
PID 1612 wrote to memory of 2008	1612	Setup.exe	37
PID 1612 wrote to memory of 2008	1612	Setup.exe	37
PID 1612 wrote to memory of 2008	1612	Setup.exe	37
PID 1612 wrote to memory of 2012	1612	Setup.exe	36
PID 1612 wrote to memory of 2012	1612	Setup.exe	36
PID 1612 wrote to memory of 2012	1612	Setup.exe	36
PID 1612 wrote to memory of 2012	1612	Setup.exe	36
PID 1612 wrote to memory of 1588	1612	Setup.exe	39
PID 1612 wrote to memory of 1588	1612	Setup.exe	39
PID 1612 wrote to memory of 1588	1612	Setup.exe	39
PID 1612 wrote to memory of 1588	1612	Setup.exe	39
PID 1612 wrote to memory of 592	1612	Setup.exe	35
PID 1612 wrote to memory of 592	1612	Setup.exe	35
PID 1612 wrote to memory of 592	1612	Setup.exe	35
PID 1612 wrote to memory of 592	1612	Setup.exe	35
PID 1612 wrote to memory of 1432	1612	Setup.exe	45
PID 1612 wrote to memory of 1432	1612	Setup.exe	45
PID 1612 wrote to memory of 1432	1612	Setup.exe	45
PID 1612 wrote to memory of 1432	1612	Setup.exe	45
PID 1612 wrote to memory of 1776	1612	Setup.exe	52
PID 1612 wrote to memory of 1776	1612	Setup.exe	52

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\Documents\Zk17vtAeYbrEG3kOdWdSrkni.exe
  "C:\Users\Admin\Documents\Zk17vtAeYbrEG3kOdWdSrkni.exe"
  2⤵
  - Executes dropped EXE
  PID:340
- C:\Users\Admin\Documents\ZM0HwI9mJU4lvonM5nq_9kTk.exe
  "C:\Users\Admin\Documents\ZM0HwI9mJU4lvonM5nq_9kTk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1152
- - C:\Users\Admin\Documents\ZM0HwI9mJU4lvonM5nq_9kTk.exe
    "C:\Users\Admin\Documents\ZM0HwI9mJU4lvonM5nq_9kTk.exe"
    3⤵
    - Executes dropped EXE
    PID:2148
- C:\Users\Admin\Documents\CGYRCfCgvlC_9XiU7Fhy9uMe.exe
  "C:\Users\Admin\Documents\CGYRCfCgvlC_9XiU7Fhy9uMe.exe"
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Users\Admin\Documents\2KytRoGyS2hISFGojpqM6o2w.exe
  "C:\Users\Admin\Documents\2KytRoGyS2hISFGojpqM6o2w.exe"
  2⤵
  - Executes dropped EXE
  PID:592
- C:\Users\Admin\Documents\TPJESoRM8EkMybZAsFub0Ozo.exe
  "C:\Users\Admin\Documents\TPJESoRM8EkMybZAsFub0Ozo.exe"
  2⤵
  PID:2012
- C:\Users\Admin\Documents\Q98kB2GKzgulEibSDru6Tu7b.exe
  "C:\Users\Admin\Documents\Q98kB2GKzgulEibSDru6Tu7b.exe"
  2⤵
  PID:2008
- C:\Users\Admin\Documents\y4mC7lqqw1373oVH1QsnkMbj.exe
  "C:\Users\Admin\Documents\y4mC7lqqw1373oVH1QsnkMbj.exe"
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Users\Admin\Documents\7kwAtBUW5STJIg6ha1LOS4dT.exe
  "C:\Users\Admin\Documents\7kwAtBUW5STJIg6ha1LOS4dT.exe"
  2⤵
  - Executes dropped EXE
  PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "7kwAtBUW5STJIg6ha1LOS4dT.exe" /f & erase "C:\Users\Admin\Documents\7kwAtBUW5STJIg6ha1LOS4dT.exe" & exit
    3⤵
    PID:2536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "7kwAtBUW5STJIg6ha1LOS4dT.exe" /f
      4⤵
      Kills process with taskkill
      PID:2736
- C:\Users\Admin\Documents\jIvQqzr5t9HvnaMeJswofVGG.exe
  "C:\Users\Admin\Documents\jIvQqzr5t9HvnaMeJswofVGG.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies system certificate store
  PID:564
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2188
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2272
- C:\Users\Admin\Documents\3AFCfCHLadqLeNGS6fIaE_vo.exe
  "C:\Users\Admin\Documents\3AFCfCHLadqLeNGS6fIaE_vo.exe"
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Users\Admin\Documents\garD476G0WLcVRPecIvIt7MH.exe
  "C:\Users\Admin\Documents\garD476G0WLcVRPecIvIt7MH.exe"
  2⤵
  - Executes dropped EXE
  PID:956
- C:\Users\Admin\Documents\xp6TcWFC3Begrv6F4_lMAlP_.exe
  "C:\Users\Admin\Documents\xp6TcWFC3Begrv6F4_lMAlP_.exe"
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Users\Admin\Documents\1BYpmuqxpoVUKM3XDcInAiRl.exe
  "C:\Users\Admin\Documents\1BYpmuqxpoVUKM3XDcInAiRl.exe"
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Users\Admin\Documents\WQLifcoXzsYEtAyKyDKDTzyF.exe
  "C:\Users\Admin\Documents\WQLifcoXzsYEtAyKyDKDTzyF.exe"
  2⤵
  - Executes dropped EXE
  PID:1432
- - C:\Users\Admin\Documents\WQLifcoXzsYEtAyKyDKDTzyF.exe
    "C:\Users\Admin\Documents\WQLifcoXzsYEtAyKyDKDTzyF.exe" -u
    3⤵
    - Executes dropped EXE
    PID:2788
- C:\Users\Admin\Documents\RZ_itK1QVOMvKvpAadS1yDmN.exe
  "C:\Users\Admin\Documents\RZ_itK1QVOMvKvpAadS1yDmN.exe"
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Users\Admin\Documents\AWr5VrdLpyDwITJp7b6f6t4c.exe
  "C:\Users\Admin\Documents\AWr5VrdLpyDwITJp7b6f6t4c.exe"
  2⤵
  - Executes dropped EXE
  PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "AWr5VrdLpyDwITJp7b6f6t4c.exe" /f & erase "C:\Users\Admin\Documents\AWr5VrdLpyDwITJp7b6f6t4c.exe" & exit
    3⤵
    PID:2164
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "AWr5VrdLpyDwITJp7b6f6t4c.exe" /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2348
- C:\Users\Admin\Documents\RW_84koZio44UIB4QUW4k8Sn.exe
  "C:\Users\Admin\Documents\RW_84koZio44UIB4QUW4k8Sn.exe"
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Users\Admin\Documents\2IliOKqipizpeBwGNe8DxnLY.exe
  "C:\Users\Admin\Documents\2IliOKqipizpeBwGNe8DxnLY.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- - C:\Users\Admin\Documents\2IliOKqipizpeBwGNe8DxnLY.exe
    "C:\Users\Admin\Documents\2IliOKqipizpeBwGNe8DxnLY.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:2992
- C:\Users\Admin\Documents\lRUFfKolp05XjqiL1zSQVPaE.exe
  "C:\Users\Admin\Documents\lRUFfKolp05XjqiL1zSQVPaE.exe"
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Users\Admin\Documents\YWpDCrXfPM2El548uJ3S3xwS.exe
  "C:\Users\Admin\Documents\YWpDCrXfPM2El548uJ3S3xwS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1216
- - C:\Users\Admin\Documents\YWpDCrXfPM2El548uJ3S3xwS.exe
    C:\Users\Admin\Documents\YWpDCrXfPM2El548uJ3S3xwS.exe
    3⤵
    PID:2332
- C:\Users\Admin\Documents\I4EJTePBQ7QbDvx2oWLUHmQi.exe
  "C:\Users\Admin\Documents\I4EJTePBQ7QbDvx2oWLUHmQi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:1340
- - C:\Program Files (x86)\Company\NewProduct\inst001.exe
    "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
    3⤵
    - Executes dropped EXE
    PID:2132
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    - Executes dropped EXE
    PID:2436
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    - Executes dropped EXE
    PID:2460
- C:\Users\Admin\Documents\iMZh5vN3PPjXh3PGVvOOSIPJ.exe
  "C:\Users\Admin\Documents\iMZh5vN3PPjXh3PGVvOOSIPJ.exe"
  2⤵
  - Executes dropped EXE
  PID:1032
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\Documents\iMZh5vN3PPjXh3PGVvOOSIPJ.exe"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if """"== """" for %m in ( ""C:\Users\Admin\Documents\iMZh5vN3PPjXh3PGVvOOSIPJ.exe"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
    3⤵
    PID:2372
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\Documents\iMZh5vN3PPjXh3PGVvOOSIPJ.exe" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if ""== "" for %m in ("C:\Users\Admin\Documents\iMZh5vN3PPjXh3PGVvOOSIPJ.exe" ) do taskkill /iM "%~NXm" -F
      4⤵
      Loads dropped DLL
      PID:2600
    - - C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE
        
        IQ0v_FE_.ExE -poRsuYEMryiLi
        5⤵
        Executes dropped EXE
        
        PID:2848
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /iM "iMZh5vN3PPjXh3PGVvOOSIPJ.exe" -F
        5⤵
        Kills process with taskkill
        
        PID:2908
- C:\Users\Admin\Documents\8Q7sJXZwtLmjvvHbRnr12zIg.exe
  "C:\Users\Admin\Documents\8Q7sJXZwtLmjvvHbRnr12zIg.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:1116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 868
    3⤵
    - Loads dropped DLL
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2256

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2096
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:2328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/560-142-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/592-159-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/956-160-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/1216-162-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/1388-165-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/1612-60-0x0000000004090000-0x00000000041CF000-memory.dmp

Filesize
1.2MB

Download
memory/1612-59-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1692-158-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/1752-161-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/1752-185-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1776-132-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2148-169-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2332-174-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download