arkei | 901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7

Analysis

max time kernel
151s
max time network
151s
platform
windows10_x64
resource
win10-en-20211208
submitted
16-12-2021 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7.exe
Size

334KB
MD5

eb3438963d798545d8ec5b577d9adcf1
SHA1

9e49405b8154f8e0474fd7159b56c1d51d39e465
SHA256

901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7
SHA512

fd4de64097020189b6346b4a14d1534803a0b30dfc51422697b2d526b1541bd3c90dd185fc6f41a246953ce4822b13ce78ef22dc9724e1209f4775f4860934e3

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

icedid

Campaign

3372020928

jeliskvosh.com

Extracted

Family

redline

Botnet

195.133.47.114:38127

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://45.77.127.230:8888

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

resource	yara_rule
behavioral1/memory/4372-134-0x0000000000D70000-0x0000000000DD9000-memory.dmp	family_redline
behavioral1/files/0x000600000001ab45-189.dat	family_redline
behavioral1/files/0x000600000001ab45-190.dat	family_redline
behavioral1/memory/4536-233-0x00000000008E0000-0x000000000097C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 916 created 4392	916	WerFault.exe	71

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger Payload 2 IoCs

resource	yara_rule
behavioral1/memory/4952-271-0x0000000000820000-0x00000000008CE000-memory.dmp	family_vkeylogger
behavioral1/memory/4952-272-0x0000000000400000-0x000000000081A000-memory.dmp	family_vkeylogger

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata

Arkei Stealer Payload 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/1060-169-0x00000000004F0000-0x000000000050C000-memory.dmp	family_arkei
behavioral1/memory/1060-171-0x0000000000400000-0x00000000004D6000-memory.dmp	family_arkei

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Blocklisted process makes network request 1 IoCs

flow	pid	Process
139	2492	powershell.exe

Blocks application from running via registry modification
Adds application to list of disallowed applications.
evasion
Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
4284	1578.exe
4392	22F6.exe
4440	1578.exe
4372	3259.exe
1060	43FE.exe
1344	4874.exe
2032	61AA.exe
2128	61AA.exe
3048	64D7.exe
2224	66AD.exe
4952	696D.exe
4536	74B9.exe
2520	83BE.exe
1616	8C4A.exe
2648	FA67.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	83BE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	83BE.exe

Deletes itself 1 IoCs

pid	Process
3032	Process not Found

Loads dropped DLL 6 IoCs

pid	Process
3792	regsvr32.exe
1060	43FE.exe
1060	43FE.exe
1060	43FE.exe
1616	8C4A.exe
1616	8C4A.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeDriver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\696D.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Firefox_update = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	83BE.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4372	3259.exe
4536	74B9.exe
2648	FA67.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3648 set thread context of 4108	3648	901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7.exe	69
PID 4284 set thread context of 4440	4284	1578.exe	72
PID 2032 set thread context of 2128	2032	61AA.exe	79
PID 4952 set thread context of 2924	4952	696D.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
916	4392	WerFault.exe	71

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1578.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4874.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4874.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4874.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1578.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1578.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	8C4A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	8C4A.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	43FE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	43FE.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4364	timeout.exe
2580	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1144	taskkill.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	64D7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	64D7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	64D7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	64D7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	64D7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	64D7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	64D7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	64D7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	64D7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	64D7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4108	901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7.exe
4108	901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7.exe
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3032	Process not Found

Suspicious behavior: MapViewOfSection 9 IoCs

pid	Process
4108	901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7.exe
4440	1578.exe
1344	4874.exe
4952	696D.exe
2924	explorer.exe
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeRestorePrivilege	916	WerFault.exe
Token: SeBackupPrivilege	916	WerFault.exe
Token: SeDebugPrivilege	916	WerFault.exe
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeDebugPrivilege	2224	66AD.exe
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeDebugPrivilege	4536	74B9.exe
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeDebugPrivilege	2520	83BE.exe
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2924	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 4108	3648	901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7.exe	69
PID 3648 wrote to memory of 4108	3648	901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7.exe	69
PID 3648 wrote to memory of 4108	3648	901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7.exe	69
PID 3648 wrote to memory of 4108	3648	901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7.exe	69
PID 3648 wrote to memory of 4108	3648	901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7.exe	69
PID 3648 wrote to memory of 4108	3648	901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7.exe	69
PID 3032 wrote to memory of 4284	3032	Process not Found	70
PID 3032 wrote to memory of 4284	3032	Process not Found	70
PID 3032 wrote to memory of 4284	3032	Process not Found	70
PID 3032 wrote to memory of 4392	3032	Process not Found	71
PID 3032 wrote to memory of 4392	3032	Process not Found	71
PID 3032 wrote to memory of 4392	3032	Process not Found	71
PID 4284 wrote to memory of 4440	4284	1578.exe	72
PID 4284 wrote to memory of 4440	4284	1578.exe	72
PID 4284 wrote to memory of 4440	4284	1578.exe	72
PID 4284 wrote to memory of 4440	4284	1578.exe	72
PID 4284 wrote to memory of 4440	4284	1578.exe	72
PID 4284 wrote to memory of 4440	4284	1578.exe	72
PID 3032 wrote to memory of 4372	3032	Process not Found	73
PID 3032 wrote to memory of 4372	3032	Process not Found	73
PID 3032 wrote to memory of 4372	3032	Process not Found	73
PID 3032 wrote to memory of 3792	3032	Process not Found	74
PID 3032 wrote to memory of 3792	3032	Process not Found	74
PID 3032 wrote to memory of 1060	3032	Process not Found	77
PID 3032 wrote to memory of 1060	3032	Process not Found	77
PID 3032 wrote to memory of 1060	3032	Process not Found	77
PID 3032 wrote to memory of 1344	3032	Process not Found	78
PID 3032 wrote to memory of 1344	3032	Process not Found	78
PID 3032 wrote to memory of 1344	3032	Process not Found	78
PID 3032 wrote to memory of 2032	3032	Process not Found	80
PID 3032 wrote to memory of 2032	3032	Process not Found	80
PID 3032 wrote to memory of 2032	3032	Process not Found	80
PID 2032 wrote to memory of 2128	2032	61AA.exe	79
PID 2032 wrote to memory of 2128	2032	61AA.exe	79
PID 2032 wrote to memory of 2128	2032	61AA.exe	79
PID 2032 wrote to memory of 2128	2032	61AA.exe	79
PID 2032 wrote to memory of 2128	2032	61AA.exe	79
PID 2128 wrote to memory of 2492	2128	61AA.exe	81
PID 2128 wrote to memory of 2492	2128	61AA.exe	81
PID 2128 wrote to memory of 2492	2128	61AA.exe	81
PID 3032 wrote to memory of 3048	3032	Process not Found	83
PID 3032 wrote to memory of 3048	3032	Process not Found	83
PID 3032 wrote to memory of 2224	3032	Process not Found	84
PID 3032 wrote to memory of 2224	3032	Process not Found	84
PID 3032 wrote to memory of 2224	3032	Process not Found	84
PID 3032 wrote to memory of 4952	3032	Process not Found	85
PID 3032 wrote to memory of 4952	3032	Process not Found	85
PID 3032 wrote to memory of 4952	3032	Process not Found	85
PID 3032 wrote to memory of 4536	3032	Process not Found	86
PID 3032 wrote to memory of 4536	3032	Process not Found	86
PID 3032 wrote to memory of 4536	3032	Process not Found	86
PID 3032 wrote to memory of 2520	3032	Process not Found	88
PID 3032 wrote to memory of 2520	3032	Process not Found	88
PID 3032 wrote to memory of 2520	3032	Process not Found	88
PID 3032 wrote to memory of 1616	3032	Process not Found	89
PID 3032 wrote to memory of 1616	3032	Process not Found	89
PID 3032 wrote to memory of 1616	3032	Process not Found	89
PID 4952 wrote to memory of 2924	4952	696D.exe	90
PID 4952 wrote to memory of 2924	4952	696D.exe	90
PID 4952 wrote to memory of 2924	4952	696D.exe	90
PID 1060 wrote to memory of 1700	1060	43FE.exe	91
PID 1060 wrote to memory of 1700	1060	43FE.exe	91
PID 1060 wrote to memory of 1700	1060	43FE.exe	91
PID 1700 wrote to memory of 4364	1700	cmd.exe	93

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7.exe
"C:\Users\Admin\AppData\Local\Temp\901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Users\Admin\AppData\Local\Temp\901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7.exe
  "C:\Users\Admin\AppData\Local\Temp\901caedcbf4e9285d14a2039d55fd6a8e2d5c6bc8ed118874854a9055ca19fa7.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4108

C:\Users\Admin\AppData\Local\Temp\1578.exe
C:\Users\Admin\AppData\Local\Temp\1578.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\1578.exe
  C:\Users\Admin\AppData\Local\Temp\1578.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:4440

C:\Users\Admin\AppData\Local\Temp\22F6.exe
C:\Users\Admin\AppData\Local\Temp\22F6.exe
1⤵
- Executes dropped EXE
PID:4392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 248
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:916

C:\Users\Admin\AppData\Local\Temp\3259.exe
C:\Users\Admin\AppData\Local\Temp\3259.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4372

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\35A5.dll
1⤵
- Loads dropped DLL
PID:3792

C:\Users\Admin\AppData\Local\Temp\43FE.exe
C:\Users\Admin\AppData\Local\Temp\43FE.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\43FE.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:4364

C:\Users\Admin\AppData\Local\Temp\4874.exe
C:\Users\Admin\AppData\Local\Temp\4874.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1344

C:\Users\Admin\AppData\Local\Temp\61AA.exe
C:\Users\Admin\AppData\Local\Temp\61AA.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noexit
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  PID:2492

C:\Users\Admin\AppData\Local\Temp\61AA.exe
C:\Users\Admin\AppData\Local\Temp\61AA.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\64D7.exe
C:\Users\Admin\AppData\Local\Temp\64D7.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3048

C:\Users\Admin\AppData\Local\Temp\66AD.exe
C:\Users\Admin\AppData\Local\Temp\66AD.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Users\Admin\AppData\Local\Temp\696D.exe
C:\Users\Admin\AppData\Local\Temp\696D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  PID:2924

C:\Users\Admin\AppData\Local\Temp\74B9.exe
C:\Users\Admin\AppData\Local\Temp\74B9.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Users\Admin\AppData\Local\Temp\83BE.exe
C:\Users\Admin\AppData\Local\Temp\83BE.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Users\Admin\AppData\Local\Temp\8C4A.exe
C:\Users\Admin\AppData\Local\Temp\8C4A.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im 8C4A.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\8C4A.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  PID:532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 8C4A.exe /f
    3⤵
    - Kills process with taskkill
    PID:1144
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:2580

C:\Users\Admin\AppData\Local\Temp\FA67.exe
C:\Users\Admin\AppData\Local\Temp\FA67.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2648

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1460

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1060-165-0x00000000006E6000-0x00000000006F8000-memory.dmp

Filesize
72KB

Download
memory/1060-171-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1060-169-0x00000000004F0000-0x000000000050C000-memory.dmp

Filesize
112KB

Download
memory/1344-174-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1344-166-0x0000000000766000-0x0000000000777000-memory.dmp

Filesize
68KB

Download
memory/1344-172-0x00000000004D0000-0x000000000057E000-memory.dmp

Filesize
696KB

Download
memory/2128-173-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2128-177-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2224-208-0x00000000054E0000-0x0000000005AE6000-memory.dmp

Filesize
6.0MB

Download
memory/2224-191-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/2492-209-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2492-198-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/2492-181-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/2492-182-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/2492-180-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2492-179-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2492-186-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/2492-187-0x0000000006F42000-0x0000000006F43000-memory.dmp

Filesize
4KB

Download
memory/2492-229-0x0000000009510000-0x0000000009511000-memory.dmp

Filesize
4KB

Download
memory/2492-219-0x00000000087F0000-0x00000000087F1000-memory.dmp

Filesize
4KB

Download
memory/2492-203-0x0000000008350000-0x0000000008351000-memory.dmp

Filesize
4KB

Download
memory/2492-199-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/2492-193-0x0000000007BF0000-0x0000000007BF1000-memory.dmp

Filesize
4KB

Download
memory/2492-195-0x0000000007C90000-0x0000000007C91000-memory.dmp

Filesize
4KB

Download
memory/2520-319-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/2520-322-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2520-324-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/2520-321-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/2520-320-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/2520-318-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/2520-317-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/2520-316-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/2520-314-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/2520-315-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/2520-311-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/2520-310-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/2520-308-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/2520-307-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/2520-306-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2520-305-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/2520-303-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/2520-304-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/2520-302-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/2520-301-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/2520-300-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/2520-298-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2520-299-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/2520-297-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2520-296-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/2520-294-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/2520-292-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/2520-273-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/2520-290-0x00000000065E0000-0x00000000065E1000-memory.dmp

Filesize
4KB

Download
memory/2520-274-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/2520-275-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/2520-276-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2520-277-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2520-278-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/2520-280-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/2520-284-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/2520-282-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/2520-286-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/2520-287-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/3032-119-0x0000000002CF0000-0x0000000002D06000-memory.dmp

Filesize
88KB

Download
memory/3032-228-0x00000000059F0000-0x0000000005A06000-memory.dmp

Filesize
88KB

Download
memory/3032-160-0x0000000003560000-0x0000000003576000-memory.dmp

Filesize
88KB

Download
memory/3048-207-0x00000000022D0000-0x00000000022D2000-memory.dmp

Filesize
8KB

Download
memory/3048-258-0x00000000022D5000-0x00000000022D6000-memory.dmp

Filesize
4KB

Download
memory/3648-116-0x0000000000640000-0x0000000000649000-memory.dmp

Filesize
36KB

Download
memory/3648-115-0x0000000000726000-0x0000000000736000-memory.dmp

Filesize
64KB

Download
memory/3792-164-0x0000000000FC0000-0x0000000000FCA000-memory.dmp

Filesize
40KB

Download
memory/4108-117-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4284-130-0x00000000004E0000-0x000000000058E000-memory.dmp

Filesize
696KB

Download
memory/4284-126-0x00000000006F6000-0x0000000000707000-memory.dmp

Filesize
68KB

Download
memory/4372-135-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/4372-136-0x0000000002F70000-0x0000000002FB5000-memory.dmp

Filesize
276KB

Download
memory/4372-152-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/4372-144-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/4372-143-0x00000000060A0000-0x00000000060A1000-memory.dmp

Filesize
4KB

Download
memory/4372-153-0x0000000072D30000-0x0000000072D7B000-memory.dmp

Filesize
300KB

Download
memory/4372-151-0x0000000074BD0000-0x0000000075F18000-memory.dmp

Filesize
19.3MB

Download
memory/4372-146-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

Filesize
4KB

Download
memory/4372-150-0x00000000762B0000-0x0000000076834000-memory.dmp

Filesize
5.5MB

Download
memory/4372-134-0x0000000000D70000-0x0000000000DD9000-memory.dmp

Filesize
420KB

Download
memory/4372-137-0x0000000076E20000-0x0000000076FE2000-memory.dmp

Filesize
1.8MB

Download
memory/4372-141-0x0000000072DF0000-0x0000000072E70000-memory.dmp

Filesize
512KB

Download
memory/4372-148-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/4372-139-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/4372-138-0x0000000074430000-0x0000000074521000-memory.dmp

Filesize
964KB

Download
memory/4372-149-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/4392-155-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/4392-156-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4392-154-0x0000000000696000-0x00000000006A7000-memory.dmp

Filesize
68KB

Download
memory/4536-234-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/4536-237-0x0000000074430000-0x0000000074521000-memory.dmp

Filesize
964KB

Download
memory/4536-236-0x0000000076E20000-0x0000000076FE2000-memory.dmp

Filesize
1.8MB

Download
memory/4536-240-0x0000000002110000-0x0000000002155000-memory.dmp

Filesize
276KB

Download
memory/4536-252-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/4536-233-0x00000000008E0000-0x000000000097C000-memory.dmp

Filesize
624KB

Download
memory/4952-272-0x0000000000400000-0x000000000081A000-memory.dmp

Filesize
4.1MB

Download
memory/4952-271-0x0000000000820000-0x00000000008CE000-memory.dmp

Filesize
696KB

Download
memory/4952-270-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download