redline | 79ff85f42095cb721a36127f3e837a5e45a53645398215da960e15308879a58f

Analysis

max time kernel
111s
max time network
143s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
10-08-2022 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0341232d23900cb4c2a4de8c8618b887.exe
Size

980KB
MD5

0341232d23900cb4c2a4de8c8618b887
SHA1

2e1786e38ed0dab09220973160ea046d354343c8
SHA256

79ff85f42095cb721a36127f3e837a5e45a53645398215da960e15308879a58f
SHA512

4e46b36dacd53f8cc1431d0ab18ab54d0dbc6aad08637df41e9654fc12d369c7f4fb6976a8d79664a5d29fc7fbf97ddebb72adf1b0429e54843badf5924455f6

Score

10^/10

redline 4 @tag12312341 nam3 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:18728

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

31.41.244.134:11643

Attributes

auth_value
a516b2d034ecd34338f12b50347fbd92

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

redline

213.226.123.169:2014

Attributes

auth_value
5466def9b32e35b6a53d1117abb19867

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 16 IoCs

Processes:

resource	yara_rule
\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\default_usar.exe	family_redline
\Program Files (x86)\Company\NewProduct\default_usar.exe	family_redline
\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\default_usar.exe	family_redline
behavioral1/memory/2004-101-0x0000000000B90000-0x0000000000BD4000-memory.dmp	family_redline
behavioral1/memory/1096-100-0x0000000000DA0000-0x0000000000DC0000-memory.dmp	family_redline
behavioral1/memory/1664-99-0x0000000000D70000-0x0000000000DB4000-memory.dmp	family_redline
behavioral1/memory/2040-98-0x0000000000BD0000-0x0000000000BF0000-memory.dmp	family_redline

Executes dropped EXE 9 IoCs

Processes:

F0geI.exekukurzka9000.exenamdoitntn.exenuplat.exereal.exesafert44.exedefault_usar.exetag.exeEU1.exe

pid process

1892 F0geI.exe
1940 kukurzka9000.exe
1664 namdoitntn.exe
332 nuplat.exe
616 real.exe
2004 safert44.exe
2040 default_usar.exe
1096 tag.exe
1712 EU1.exe

pid	process
1892	F0geI.exe
1940	kukurzka9000.exe
1664	namdoitntn.exe
332	nuplat.exe
616	real.exe
2004	safert44.exe
2040	default_usar.exe
1096	tag.exe
1712	EU1.exe

Loads dropped DLL 14 IoCs

Processes:

0341232d23900cb4c2a4de8c8618b887.exe

pid	process
112	0341232d23900cb4c2a4de8c8618b887.exe
112	0341232d23900cb4c2a4de8c8618b887.exe
112	0341232d23900cb4c2a4de8c8618b887.exe
112	0341232d23900cb4c2a4de8c8618b887.exe
112	0341232d23900cb4c2a4de8c8618b887.exe
112	0341232d23900cb4c2a4de8c8618b887.exe
112	0341232d23900cb4c2a4de8c8618b887.exe
112	0341232d23900cb4c2a4de8c8618b887.exe
112	0341232d23900cb4c2a4de8c8618b887.exe
112	0341232d23900cb4c2a4de8c8618b887.exe
112	0341232d23900cb4c2a4de8c8618b887.exe
112	0341232d23900cb4c2a4de8c8618b887.exe
112	0341232d23900cb4c2a4de8c8618b887.exe
112	0341232d23900cb4c2a4de8c8618b887.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 9 IoCs

Processes:

0341232d23900cb4c2a4de8c8618b887.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	0341232d23900cb4c2a4de8c8618b887.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	0341232d23900cb4c2a4de8c8618b887.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\nuplat.exe	0341232d23900cb4c2a4de8c8618b887.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	0341232d23900cb4c2a4de8c8618b887.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	0341232d23900cb4c2a4de8c8618b887.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	0341232d23900cb4c2a4de8c8618b887.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	0341232d23900cb4c2a4de8c8618b887.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\default_usar.exe	0341232d23900cb4c2a4de8c8618b887.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\EU1.exe	0341232d23900cb4c2a4de8c8618b887.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nuplat.exereal.exeEU1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nuplat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nuplat.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	real.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	real.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EU1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EU1.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{13D1E441-18F8-11ED-B7AE-42A87FE789E3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 707ac5fa04add801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{13CF82E1-18F8-11ED-B7AE-42A87FE789E3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

default_usar.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	default_usar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	default_usar.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	default_usar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	default_usar.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	default_usar.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	default_usar.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

tag.exesafert44.exedefault_usar.exenamdoitntn.exenuplat.exereal.exeEU1.exe

pid process

1096 tag.exe
2004 safert44.exe
2040 default_usar.exe
1664 namdoitntn.exe
332 nuplat.exe
332 nuplat.exe
616 real.exe
616 real.exe
1712 EU1.exe

pid	process
1096	tag.exe
2004	safert44.exe
2040	default_usar.exe
1664	namdoitntn.exe
332	nuplat.exe
332	nuplat.exe
616	real.exe
616	real.exe
1712	EU1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tag.exesafert44.exedefault_usar.exenamdoitntn.exe

description	pid	process
Token: SeDebugPrivilege	1096	tag.exe
Token: SeDebugPrivilege	2004	safert44.exe
Token: SeDebugPrivilege	2040	default_usar.exe
Token: SeDebugPrivilege	1664	namdoitntn.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

840 iexplore.exe
1316 iexplore.exe
528 iexplore.exe
1124 iexplore.exe
1392 iexplore.exe
1904 iexplore.exe
1088 iexplore.exe

pid	process
840	iexplore.exe
1316	iexplore.exe
528	iexplore.exe
1124	iexplore.exe
1392	iexplore.exe
1904	iexplore.exe
1088	iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1316	iexplore.exe
1316	iexplore.exe
1392	iexplore.exe
1392	iexplore.exe
1088	iexplore.exe
1088	iexplore.exe
840	iexplore.exe
840	iexplore.exe
528	iexplore.exe
528	iexplore.exe
1904	iexplore.exe
1904	iexplore.exe
1124	iexplore.exe
1124	iexplore.exe
2128	IEXPLORE.EXE
2120	IEXPLORE.EXE
2128	IEXPLORE.EXE
2120	IEXPLORE.EXE
2160	IEXPLORE.EXE
2112	IEXPLORE.EXE
2144	IEXPLORE.EXE
2160	IEXPLORE.EXE
2152	IEXPLORE.EXE
2112	IEXPLORE.EXE
2136	IEXPLORE.EXE
2144	IEXPLORE.EXE
2152	IEXPLORE.EXE
2136	IEXPLORE.EXE
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0341232d23900cb4c2a4de8c8618b887.exe

description	pid	process	target process
PID 112 wrote to memory of 528	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 528	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 528	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 528	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1316	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1316	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1316	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1316	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1088	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1088	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1088	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1088	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1904	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1904	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1904	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1904	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1124	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1124	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1124	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1124	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 840	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 840	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 840	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 840	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1392	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1392	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1392	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1392	112	0341232d23900cb4c2a4de8c8618b887.exe	iexplore.exe
PID 112 wrote to memory of 1892	112	0341232d23900cb4c2a4de8c8618b887.exe	F0geI.exe
PID 112 wrote to memory of 1892	112	0341232d23900cb4c2a4de8c8618b887.exe	F0geI.exe
PID 112 wrote to memory of 1892	112	0341232d23900cb4c2a4de8c8618b887.exe	F0geI.exe
PID 112 wrote to memory of 1892	112	0341232d23900cb4c2a4de8c8618b887.exe	F0geI.exe
PID 112 wrote to memory of 1940	112	0341232d23900cb4c2a4de8c8618b887.exe	kukurzka9000.exe
PID 112 wrote to memory of 1940	112	0341232d23900cb4c2a4de8c8618b887.exe	kukurzka9000.exe
PID 112 wrote to memory of 1940	112	0341232d23900cb4c2a4de8c8618b887.exe	kukurzka9000.exe
PID 112 wrote to memory of 1940	112	0341232d23900cb4c2a4de8c8618b887.exe	kukurzka9000.exe
PID 112 wrote to memory of 1664	112	0341232d23900cb4c2a4de8c8618b887.exe	namdoitntn.exe
PID 112 wrote to memory of 1664	112	0341232d23900cb4c2a4de8c8618b887.exe	namdoitntn.exe
PID 112 wrote to memory of 1664	112	0341232d23900cb4c2a4de8c8618b887.exe	namdoitntn.exe
PID 112 wrote to memory of 1664	112	0341232d23900cb4c2a4de8c8618b887.exe	namdoitntn.exe
PID 112 wrote to memory of 332	112	0341232d23900cb4c2a4de8c8618b887.exe	nuplat.exe
PID 112 wrote to memory of 332	112	0341232d23900cb4c2a4de8c8618b887.exe	nuplat.exe
PID 112 wrote to memory of 332	112	0341232d23900cb4c2a4de8c8618b887.exe	nuplat.exe
PID 112 wrote to memory of 332	112	0341232d23900cb4c2a4de8c8618b887.exe	nuplat.exe
PID 112 wrote to memory of 616	112	0341232d23900cb4c2a4de8c8618b887.exe	real.exe
PID 112 wrote to memory of 616	112	0341232d23900cb4c2a4de8c8618b887.exe	real.exe
PID 112 wrote to memory of 616	112	0341232d23900cb4c2a4de8c8618b887.exe	real.exe
PID 112 wrote to memory of 616	112	0341232d23900cb4c2a4de8c8618b887.exe	real.exe
PID 112 wrote to memory of 2004	112	0341232d23900cb4c2a4de8c8618b887.exe	safert44.exe
PID 112 wrote to memory of 2004	112	0341232d23900cb4c2a4de8c8618b887.exe	safert44.exe
PID 112 wrote to memory of 2004	112	0341232d23900cb4c2a4de8c8618b887.exe	safert44.exe
PID 112 wrote to memory of 2004	112	0341232d23900cb4c2a4de8c8618b887.exe	safert44.exe
PID 112 wrote to memory of 1096	112	0341232d23900cb4c2a4de8c8618b887.exe	tag.exe
PID 112 wrote to memory of 1096	112	0341232d23900cb4c2a4de8c8618b887.exe	tag.exe
PID 112 wrote to memory of 1096	112	0341232d23900cb4c2a4de8c8618b887.exe	tag.exe
PID 112 wrote to memory of 1096	112	0341232d23900cb4c2a4de8c8618b887.exe	tag.exe
PID 112 wrote to memory of 2040	112	0341232d23900cb4c2a4de8c8618b887.exe	default_usar.exe
PID 112 wrote to memory of 2040	112	0341232d23900cb4c2a4de8c8618b887.exe	default_usar.exe
PID 112 wrote to memory of 2040	112	0341232d23900cb4c2a4de8c8618b887.exe	default_usar.exe
PID 112 wrote to memory of 2040	112	0341232d23900cb4c2a4de8c8618b887.exe	default_usar.exe
PID 112 wrote to memory of 1712	112	0341232d23900cb4c2a4de8c8618b887.exe	EU1.exe
PID 112 wrote to memory of 1712	112	0341232d23900cb4c2a4de8c8618b887.exe	EU1.exe
PID 112 wrote to memory of 1712	112	0341232d23900cb4c2a4de8c8618b887.exe	EU1.exe
PID 112 wrote to memory of 1712	112	0341232d23900cb4c2a4de8c8618b887.exe	EU1.exe

C:\Users\Admin\AppData\Local\Temp\0341232d23900cb4c2a4de8c8618b887.exe
"C:\Users\Admin\AppData\Local\Temp\0341232d23900cb4c2a4de8c8618b887.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:112

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1AbtZ4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:528

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:528 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:2144

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RyjC4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1316

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1316 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2136

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1A4aK4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1088

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1088 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2112

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RLtX4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1904

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1904 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2160

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1naEL4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1124

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1124 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1AuTZ4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:840

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:840 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2120

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RCgX4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1392

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1392 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2128

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
PID:1892

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
PID:1940

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Program Files (x86)\Company\NewProduct\nuplat.exe
"C:\Program Files (x86)\Company\NewProduct\nuplat.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:332

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:616

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Program Files (x86)\Company\NewProduct\tag.exe
"C:\Program Files (x86)\Company\NewProduct\tag.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Program Files (x86)\Company\NewProduct\default_usar.exe
"C:\Program Files (x86)\Company\NewProduct\default_usar.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Program Files (x86)\Company\NewProduct\EU1.exe
"C:\Program Files (x86)\Company\NewProduct\EU1.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
286KB

MD5
eaa8eacd3c59ed71b7f68ef7a96602a3

SHA1
9b35e7b6cd147a4a729d3f6b1791e774a754c589

SHA256
2f7a5ab1ce00d00b1196b2cd815457176467928a47a8c652b8af41e6bab8772b

SHA512
c19934e143dcf1242f2f1584baaad4cebbd2e06d048c2ef9d347683ef0d77e2791c364608957e8ea4c1b9613450c3c2e4112bb56280ee12a4b1b1a63c714d83e

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\default_usar.exe
Filesize
104KB

MD5
9794cca9468db118fd913036946b98f5

SHA1
4b322fd740797f9fbe00c653834adab1d8c7d495

SHA256
1bf559aeb4a734e84cee9a541edcda47e11023b8587d9e0cc60c27274e56003c

SHA512
09246a3967d2a3c43a33aec76d38f93f831a4ca7730ac1e9e800a18d0e07b2b0bcc480618f839790d595d16d8e3d440ba9cea7f5395e463c14e0fdb81b6a04de

Download Submit
C:\Program Files (x86)\Company\NewProduct\default_usar.exe
Filesize
104KB

MD5
9794cca9468db118fd913036946b98f5

SHA1
4b322fd740797f9fbe00c653834adab1d8c7d495

SHA256
1bf559aeb4a734e84cee9a541edcda47e11023b8587d9e0cc60c27274e56003c

SHA512
09246a3967d2a3c43a33aec76d38f93f831a4ca7730ac1e9e800a18d0e07b2b0bcc480618f839790d595d16d8e3d440ba9cea7f5395e463c14e0fdb81b6a04de

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
491KB

MD5
681d98300c552b8c470466d9e8328c8a

SHA1
d15f4a432a2abce96ba9ba74443e566c1ffb933f

SHA256
8bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912

SHA512
b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
245KB

MD5
b16134159e66a72fb36d93bc703b4188

SHA1
e869e91a2b0f77e7ac817e0b30a9a23d537b3001

SHA256
b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c

SHA512
3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
245KB

MD5
b16134159e66a72fb36d93bc703b4188

SHA1
e869e91a2b0f77e7ac817e0b30a9a23d537b3001

SHA256
b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c

SHA512
3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c

Download Submit
C:\Program Files (x86)\Company\NewProduct\nuplat.exe
Filesize
287KB

MD5
17c42a0dad379448ee1e6b21c85e5ac9

SHA1
2fec7fbb4a47092f9c17cd5ebb509a6403cb6d69

SHA256
e080161f57d4eaaad9173b63219ba5a9c2c595324a6b3ffe96783db40839807b

SHA512
5ddfe9af625c54e417452fe582041cdd373b52d4ededbcba71a88050fd834bc8af822257f7ad606e89db3fde15be98f58c1d8ff139dac71d81a23f669617a189

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
5078ad5341577832d93c7715d876dcf2

SHA1
d33532043122be14e4e1b5a5fa726970484b44a3

SHA256
c048076a3adfceb576d1f5826417d0ec586138fc6d6add90420ef8dc33c0350f

SHA512
063a20769e6e128490f013aa1a89a03db1f522bd2e2f64ed01ee554296c5666f05b912bd386d0d3a8376e5f1c91386fc5bbcddce9c2833c86dc5b1195f51df13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
0aa7d52e0bc84594933f181e238a1df8

SHA1
44262255affab076a808679dc63a31732975d684

SHA256
0363d4d116772ebd2a8de7dc206c61358b10c9f579621b827836e74e232e38c0

SHA512
cb4a06b3828f13020ba66acc9f464ac1cbd7a9ce063ba7c63aee7b8116b1639db9b37c0f9ff74367e2984453ae4c942f24d439f349b4aa98eeb49bb6d8853da6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{13D1BD31-18F8-11ED-B7AE-42A87FE789E3}.dat
Filesize
3KB

MD5
7e9165c58e11598ef656d83eb40f7ffb

SHA1
699e7b6aa75b7d7932ef0a392ad7845a1f5c23be

SHA256
144842a8f0cb135bf3d698120a23dee6bbc634db903a74805c46dc8110323aac

SHA512
b9ee6e5d6e3f4084ab74d99b3a6b3993b242770d77343e9c354a8b8bf9fe8443f1caf835f2032c4694ec72d4d3abef6aa1ea3c18e103c2944385472045a398b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\24HVJ8Y5.txt
Filesize
596B

MD5
e7ae89110238c22dcbb92b868925fcb3

SHA1
1567bd517b3b76b473889177224d1dc923566463

SHA256
36128972d857266aa39054cbd05617aa57a28329c53f0642f9ebf868486d4fbe

SHA512
1619d4b0e711cdd18ed791a44c9e3482c818d2ec695adced63ea71b91520d7e734874447828a220ef0dbcb7a76abf7aacd2500499b283a795c8014718dfbf384

Download Submit
\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
286KB

MD5
eaa8eacd3c59ed71b7f68ef7a96602a3

SHA1
9b35e7b6cd147a4a729d3f6b1791e774a754c589

SHA256
2f7a5ab1ce00d00b1196b2cd815457176467928a47a8c652b8af41e6bab8772b

SHA512
c19934e143dcf1242f2f1584baaad4cebbd2e06d048c2ef9d347683ef0d77e2791c364608957e8ea4c1b9613450c3c2e4112bb56280ee12a4b1b1a63c714d83e

Download Submit
\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
286KB

MD5
eaa8eacd3c59ed71b7f68ef7a96602a3

SHA1
9b35e7b6cd147a4a729d3f6b1791e774a754c589

SHA256
2f7a5ab1ce00d00b1196b2cd815457176467928a47a8c652b8af41e6bab8772b

SHA512
c19934e143dcf1242f2f1584baaad4cebbd2e06d048c2ef9d347683ef0d77e2791c364608957e8ea4c1b9613450c3c2e4112bb56280ee12a4b1b1a63c714d83e

Download Submit
\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
\Program Files (x86)\Company\NewProduct\default_usar.exe
Filesize
104KB

MD5
9794cca9468db118fd913036946b98f5

SHA1
4b322fd740797f9fbe00c653834adab1d8c7d495

SHA256
1bf559aeb4a734e84cee9a541edcda47e11023b8587d9e0cc60c27274e56003c

SHA512
09246a3967d2a3c43a33aec76d38f93f831a4ca7730ac1e9e800a18d0e07b2b0bcc480618f839790d595d16d8e3d440ba9cea7f5395e463c14e0fdb81b6a04de

Download Submit
\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
491KB

MD5
681d98300c552b8c470466d9e8328c8a

SHA1
d15f4a432a2abce96ba9ba74443e566c1ffb933f

SHA256
8bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912

SHA512
b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887

Download Submit
\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
491KB

MD5
681d98300c552b8c470466d9e8328c8a

SHA1
d15f4a432a2abce96ba9ba74443e566c1ffb933f

SHA256
8bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912

SHA512
b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887

Download Submit
\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
245KB

MD5
b16134159e66a72fb36d93bc703b4188

SHA1
e869e91a2b0f77e7ac817e0b30a9a23d537b3001

SHA256
b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c

SHA512
3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c

Download Submit
\Program Files (x86)\Company\NewProduct\nuplat.exe
Filesize
287KB

MD5
17c42a0dad379448ee1e6b21c85e5ac9

SHA1
2fec7fbb4a47092f9c17cd5ebb509a6403cb6d69

SHA256
e080161f57d4eaaad9173b63219ba5a9c2c595324a6b3ffe96783db40839807b

SHA512
5ddfe9af625c54e417452fe582041cdd373b52d4ededbcba71a88050fd834bc8af822257f7ad606e89db3fde15be98f58c1d8ff139dac71d81a23f669617a189

Download Submit
\Program Files (x86)\Company\NewProduct\nuplat.exe
Filesize
287KB

MD5
17c42a0dad379448ee1e6b21c85e5ac9

SHA1
2fec7fbb4a47092f9c17cd5ebb509a6403cb6d69

SHA256
e080161f57d4eaaad9173b63219ba5a9c2c595324a6b3ffe96783db40839807b

SHA512
5ddfe9af625c54e417452fe582041cdd373b52d4ededbcba71a88050fd834bc8af822257f7ad606e89db3fde15be98f58c1d8ff139dac71d81a23f669617a189

Download Submit
\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
memory/112-54-0x00000000768C1000-0x00000000768C3000-memory.dmp

Filesize
8KB

Download
memory/332-113-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/332-69-0x0000000000000000-mapping.dmp

Download
memory/616-74-0x0000000000000000-mapping.dmp

Download
memory/1096-100-0x0000000000DA0000-0x0000000000DC0000-memory.dmp

Filesize
128KB

Download
memory/1096-80-0x0000000000000000-mapping.dmp

Download
memory/1664-64-0x0000000000000000-mapping.dmp

Download
memory/1664-102-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download
memory/1664-99-0x0000000000D70000-0x0000000000DB4000-memory.dmp

Filesize
272KB

Download
memory/1712-88-0x0000000000000000-mapping.dmp

Download
memory/1892-96-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1892-97-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1892-57-0x0000000000000000-mapping.dmp

Download
memory/1892-152-0x000000000053B000-0x000000000054C000-memory.dmp

Filesize
68KB

Download
memory/1892-95-0x000000000053B000-0x000000000054C000-memory.dmp

Filesize
68KB

Download
memory/1892-112-0x000000000053B000-0x000000000054C000-memory.dmp

Filesize
68KB

Download
memory/1940-94-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1940-61-0x0000000000000000-mapping.dmp

Download
memory/1940-93-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2004-77-0x0000000000000000-mapping.dmp

Download
memory/2004-101-0x0000000000B90000-0x0000000000BD4000-memory.dmp

Filesize
272KB

Download
memory/2004-103-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2040-98-0x0000000000BD0000-0x0000000000BF0000-memory.dmp

Filesize
128KB

Download
memory/2040-83-0x0000000000000000-mapping.dmp

Download