38ca958c1ad969cac938e0b17fc6633d04160bdf4003e0355c8a314c08ab1447

Analysis

max time kernel
895s
max time network
940s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lauth-Setup.exe
Size

142.3MB
MD5

7a08634e98607e620f8ac65348b42c85
SHA1

2f9bf931ff363fe439be5c641db2f8d218d0541d
SHA256

38ca958c1ad969cac938e0b17fc6633d04160bdf4003e0355c8a314c08ab1447
SHA512

beab269011348fecac653ca8f52115c6aa24110d7400d5ad13a29551aaf0585262cdfd8c0f46d1eaa2231a996e49a3856dae2f85e0a9e77b30f75431ab0c95b0
SSDEEP

3145728:09H1SX9J0JX0Yj7tTRmRfqxjrWH1SX9J0JX0sgIy95i2/zRoVsQlFs:aSNm7TRmajKSNmI5FRoVrs

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1124	Lauth.exe
4532	Lauth.exe
4588	Lauth.exe
5072	Lauth.exe
2976	Lauth.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Lauth.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Lauth.exe

Loads dropped DLL 20 IoCs

pid	Process
3132	Lauth-Setup.exe
3132	Lauth-Setup.exe
3132	Lauth-Setup.exe
3132	Lauth-Setup.exe
3132	Lauth-Setup.exe
3132	Lauth-Setup.exe
3132	Lauth-Setup.exe
3132	Lauth-Setup.exe
3132	Lauth-Setup.exe
1124	Lauth.exe
4532	Lauth.exe
4588	Lauth.exe
5072	Lauth.exe
4532	Lauth.exe
4532	Lauth.exe
4532	Lauth.exe
4532	Lauth.exe
4532	Lauth.exe
2976	Lauth.exe
2976	Lauth.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Lauth\locales\en-US.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\lv.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\mr.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\pl.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\ro.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\snapshot_blob.bin	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\af.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\ar.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\ml.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\te.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\th.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\resources\elevate.exe	Lauth-Setup.exe
File created	C:\Program Files\Lauth\Uninstall Lauth.exe	Lauth-Setup.exe
File created	C:\Program Files\Lauth\chrome_100_percent.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\cs.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\id.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\bg.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\pt-BR.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\sl.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\el.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\lt.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\chrome_200_percent.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\resources.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\vk_swiftshader_icd.json	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\hr.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\sr.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\zh-TW.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\Lauth.exe	Lauth-Setup.exe
File created	C:\Program Files\Lauth\libGLESv2.dll	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\da.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\he.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\hu.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\kn.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\ta.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\icudtl.dat	Lauth-Setup.exe
File created	C:\Program Files\Lauth\v8_context_snapshot.bin	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\fa.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\fi.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\gu.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\fil.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\nb.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\tr.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\uk.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\resources\app.asar	Lauth-Setup.exe
File created	C:\Program Files\Lauth\vulkan-1.dll	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\ca.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\es.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\ur.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\ja.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\sv.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\et.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\it.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\libEGL.dll	Lauth-Setup.exe
File created	C:\Program Files\Lauth\LICENSES.chromium.html	Lauth-Setup.exe
File opened for modification	C:\Program Files\Lauth\locales	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\fr.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\ko.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\resources\app-update.yml	Lauth-Setup.exe
File created	C:\Program Files\Lauth\d3dcompiler_47.dll	Lauth-Setup.exe
File created	C:\Program Files\Lauth\LICENSE.electron.txt	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\de.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\sk.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\sw.pak	Lauth-Setup.exe
File created	C:\Program Files\Lauth\locales\zh-CN.pak	Lauth-Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\lauth-app	Lauth.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\lauth-app\ = "URL:lauth-app"	Lauth.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\lauth-app\shell	Lauth.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2711"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\HyperText Markup Language (HTML)\shell\open	Lauth-Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1208"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\HyperText Markup Language (HTML)	Lauth-Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2711"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2215"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\lauth	Lauth.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HyperText Markup Language (HTML)\shell\ = "open"	Lauth-Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\lauth\ = "URL:lauth"	Lauth.exe
Key created	\REGISTRY\MACHINE\Software\Classes\HyperText Markup Language (HTML)\shell	Lauth-Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\ = "HyperText Markup Language (HTML)"	Lauth-Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\lauth-app\shell\open	Lauth.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\lauth-app\shell\open\command\ = "\"C:\\Program Files\\Lauth\\Lauth.exe\" \"%1\""	Lauth.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "7242"	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\HyperText Markup Language (HTML)_backup = "htmlfile"	Lauth-Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "129"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "162"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "162"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2215"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\lauth\shell\open\command\ = "\"C:\\Program Files\\Lauth\\Lauth.exe\" \"%1\""	Lauth.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\lauth\shell\open\command	Lauth.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\ = "HyperText Markup Language (HTML)"	Lauth-Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HyperText Markup Language (HTML)\shell\open\ = "Open with Lauth"	Lauth-Setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.html	Lauth-Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\HyperText Markup Language (HTML)_backup = "shtmlfile"	Lauth-Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "129"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1208"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm	Lauth-Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\lauth-app\URL Protocol	Lauth.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2215"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "7242"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.jhtml	Lauth-Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HyperText Markup Language (HTML)\shell\open\command\ = "C:\\Program Files\\Lauth\\Lauth.exe \"%1\""	Lauth-Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\lauth\shell\open	Lauth.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HyperText Markup Language (HTML)\DefaultIcon\ = "C:\\Program Files\\Lauth\\Lauth.exe,0"	Lauth-Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "162"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "7242"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2711"	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jhtml\ = "HyperText Markup Language (HTML)"	Lauth-Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jhtml\HyperText Markup Language (HTML)_backup	Lauth-Setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml	Lauth-Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\HyperText Markup Language (HTML)\DefaultIcon	Lauth-Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HyperText Markup Language (HTML)\	Lauth-Setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\HyperText Markup Language (HTML)\shell\open\command	Lauth-Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\lauth\URL Protocol	Lauth.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Lauth.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Lauth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Lauth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Lauth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c137e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Lauth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Lauth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Lauth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Lauth.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Lauth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Lauth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Lauth.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3132	Lauth-Setup.exe
3132	Lauth-Setup.exe
3132	Lauth-Setup.exe
3132	Lauth-Setup.exe
3132	Lauth-Setup.exe
3132	Lauth-Setup.exe
2976	Lauth.exe
2976	Lauth.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3132	Lauth-Setup.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe
Token: SeCreatePagefilePrivilege	1124	Lauth.exe
Token: SeShutdownPrivilege	1124	Lauth.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3948	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4532	1124	Lauth.exe	102
PID 1124 wrote to memory of 4588	1124	Lauth.exe	103
PID 1124 wrote to memory of 4588	1124	Lauth.exe	103
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104
PID 1124 wrote to memory of 5072	1124	Lauth.exe	104

C:\Users\Admin\AppData\Local\Temp\Lauth-Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Lauth-Setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Program Files\Lauth\Lauth.exe
"C:\Program Files\Lauth\Lauth.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Program Files\Lauth\Lauth.exe
  "C:\Program Files\Lauth\Lauth.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Lauth" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1900,i,17687124267155163014,10802307114774550565,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4532
- C:\Program Files\Lauth\Lauth.exe
  "C:\Program Files\Lauth\Lauth.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --ignore-certificate-errors --ignore-certificate-errors --user-data-dir="C:\Users\Admin\AppData\Roaming\Lauth" --standard-schemes=lauth,lauth-app --secure-schemes=lauth-app --bypasscsp-schemes=lauth-app --cors-schemes=lauth-app --fetch-schemes=lauth-app --service-worker-schemes=lauth-app --streaming-schemes=lauth,lauth-app --mojo-platform-channel-handle=2004 --field-trial-handle=1900,i,17687124267155163014,10802307114774550565,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4588
- C:\Program Files\Lauth\Lauth.exe
  "C:\Program Files\Lauth\Lauth.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Lauth" --standard-schemes=lauth,lauth-app --secure-schemes=lauth-app --bypasscsp-schemes=lauth-app --cors-schemes=lauth-app --fetch-schemes=lauth-app --service-worker-schemes=lauth-app --streaming-schemes=lauth,lauth-app --app-path="C:\Program Files\Lauth\resources\app.asar" --enable-sandbox --enable-blink-features=WebAppWindowControlsOverlay --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2868 --field-trial-handle=1900,i,17687124267155163014,10802307114774550565,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
  2⤵
  PID:4540
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
    3⤵
    PID:1392
- C:\Program Files\Lauth\Lauth.exe
  "C:\Program Files\Lauth\Lauth.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Lauth" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4064 --field-trial-handle=1900,i,17687124267155163014,10802307114774550565,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2976

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Lauth\D3DCompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
C:\Program Files\Lauth\Lauth.exe

Filesize
147.1MB

MD5
3c78536212faab9f38b98891cbf51ad6

SHA1
d56f94bb835c25e1e3afa19dd013aca61ab8a8c9

SHA256
b1ba1306320b18fc3ef2a062eea94f76da6c3e2139c34e596f0e6b5dfd7a398e

SHA512
214217f06d794981136ca4c6effc35e2bac863f00190819c1330889f531d77d29564258b8cdeabde6e8928e5025c06f94b9b601a50884c83ea08fe3845ce3057

Download Submit
C:\Program Files\Lauth\Lauth.exe

Filesize
147.1MB

MD5
3c78536212faab9f38b98891cbf51ad6

SHA1
d56f94bb835c25e1e3afa19dd013aca61ab8a8c9

SHA256
b1ba1306320b18fc3ef2a062eea94f76da6c3e2139c34e596f0e6b5dfd7a398e

SHA512
214217f06d794981136ca4c6effc35e2bac863f00190819c1330889f531d77d29564258b8cdeabde6e8928e5025c06f94b9b601a50884c83ea08fe3845ce3057

Download Submit
C:\Program Files\Lauth\Lauth.exe

Filesize
147.1MB

MD5
3c78536212faab9f38b98891cbf51ad6

SHA1
d56f94bb835c25e1e3afa19dd013aca61ab8a8c9

SHA256
b1ba1306320b18fc3ef2a062eea94f76da6c3e2139c34e596f0e6b5dfd7a398e

SHA512
214217f06d794981136ca4c6effc35e2bac863f00190819c1330889f531d77d29564258b8cdeabde6e8928e5025c06f94b9b601a50884c83ea08fe3845ce3057

Download Submit
C:\Program Files\Lauth\Lauth.exe

Filesize
147.1MB

MD5
3c78536212faab9f38b98891cbf51ad6

SHA1
d56f94bb835c25e1e3afa19dd013aca61ab8a8c9

SHA256
b1ba1306320b18fc3ef2a062eea94f76da6c3e2139c34e596f0e6b5dfd7a398e

SHA512
214217f06d794981136ca4c6effc35e2bac863f00190819c1330889f531d77d29564258b8cdeabde6e8928e5025c06f94b9b601a50884c83ea08fe3845ce3057

Download Submit
C:\Program Files\Lauth\Lauth.exe

Filesize
147.1MB

MD5
3c78536212faab9f38b98891cbf51ad6

SHA1
d56f94bb835c25e1e3afa19dd013aca61ab8a8c9

SHA256
b1ba1306320b18fc3ef2a062eea94f76da6c3e2139c34e596f0e6b5dfd7a398e

SHA512
214217f06d794981136ca4c6effc35e2bac863f00190819c1330889f531d77d29564258b8cdeabde6e8928e5025c06f94b9b601a50884c83ea08fe3845ce3057

Download Submit
C:\Program Files\Lauth\Lauth.exe

Filesize
147.1MB

MD5
3c78536212faab9f38b98891cbf51ad6

SHA1
d56f94bb835c25e1e3afa19dd013aca61ab8a8c9

SHA256
b1ba1306320b18fc3ef2a062eea94f76da6c3e2139c34e596f0e6b5dfd7a398e

SHA512
214217f06d794981136ca4c6effc35e2bac863f00190819c1330889f531d77d29564258b8cdeabde6e8928e5025c06f94b9b601a50884c83ea08fe3845ce3057

Download Submit
C:\Program Files\Lauth\chrome_100_percent.pak

Filesize
126KB

MD5
44a69827d4aa75426f3c577af2f8618e

SHA1
7bdd115425b05414b64dcdb7d980b92ecd3f15b3

SHA256
bca4401b578a6ac0fe793e8519fed82b5444972b7d6c176ec0369ed13beaad7b

SHA512
5c7bdf1f1deb72c79b860bf48f16c19cb19b4d861c0b6beb585512ad58b1bc4b64e24edfcd97233e5b91dcd0f63ed1c7b278d22ec062fd0dfe28fe49cae52049

Download Submit
C:\Program Files\Lauth\chrome_200_percent.pak

Filesize
175KB

MD5
9c379fc04a7bf1a853b14834f58c9f4b

SHA1
c105120fd00001c9ebdf2b3b981ecccb02f8eefb

SHA256
b2c25fb30fee5f04ccdb8bf3c937a667502d266e428425feeb5af964f6167d48

SHA512
f28844dba7780e5f5c9d77ac3d29069dfcd6698447d5723886e510eadd51d6285e06adbda06bf4a69f841afc161c764cb2e5b9ad2c92f0a87176709b4acd2c13

Download Submit
C:\Program Files\Lauth\d3dcompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
C:\Program Files\Lauth\ffmpeg.dll

Filesize
2.6MB

MD5
4a9dff84a2b20d8eed0909e63c8b15b4

SHA1
81bc82a7aa3dea7caf9b4043befa6007f85d8a2c

SHA256
800f4dfe8174883439b1f0f359f8eb4c0313ce993d79295de727c111b164183d

SHA512
6c0a6bd30faf4b510dbb369cfdd12eba5df55f1963659344c1167c714e4e602db72159261756fd470551e5209e7ca7620ab5e2348a86bd031b052650ff5f0188

Download Submit
C:\Program Files\Lauth\ffmpeg.dll

Filesize
2.6MB

MD5
4a9dff84a2b20d8eed0909e63c8b15b4

SHA1
81bc82a7aa3dea7caf9b4043befa6007f85d8a2c

SHA256
800f4dfe8174883439b1f0f359f8eb4c0313ce993d79295de727c111b164183d

SHA512
6c0a6bd30faf4b510dbb369cfdd12eba5df55f1963659344c1167c714e4e602db72159261756fd470551e5209e7ca7620ab5e2348a86bd031b052650ff5f0188

Download Submit
C:\Program Files\Lauth\ffmpeg.dll

Filesize
2.6MB

MD5
4a9dff84a2b20d8eed0909e63c8b15b4

SHA1
81bc82a7aa3dea7caf9b4043befa6007f85d8a2c

SHA256
800f4dfe8174883439b1f0f359f8eb4c0313ce993d79295de727c111b164183d

SHA512
6c0a6bd30faf4b510dbb369cfdd12eba5df55f1963659344c1167c714e4e602db72159261756fd470551e5209e7ca7620ab5e2348a86bd031b052650ff5f0188

Download Submit
C:\Program Files\Lauth\ffmpeg.dll

Filesize
2.6MB

MD5
4a9dff84a2b20d8eed0909e63c8b15b4

SHA1
81bc82a7aa3dea7caf9b4043befa6007f85d8a2c

SHA256
800f4dfe8174883439b1f0f359f8eb4c0313ce993d79295de727c111b164183d

SHA512
6c0a6bd30faf4b510dbb369cfdd12eba5df55f1963659344c1167c714e4e602db72159261756fd470551e5209e7ca7620ab5e2348a86bd031b052650ff5f0188

Download Submit
C:\Program Files\Lauth\ffmpeg.dll

Filesize
2.6MB

MD5
4a9dff84a2b20d8eed0909e63c8b15b4

SHA1
81bc82a7aa3dea7caf9b4043befa6007f85d8a2c

SHA256
800f4dfe8174883439b1f0f359f8eb4c0313ce993d79295de727c111b164183d

SHA512
6c0a6bd30faf4b510dbb369cfdd12eba5df55f1963659344c1167c714e4e602db72159261756fd470551e5209e7ca7620ab5e2348a86bd031b052650ff5f0188

Download Submit
C:\Program Files\Lauth\ffmpeg.dll

Filesize
2.6MB

MD5
4a9dff84a2b20d8eed0909e63c8b15b4

SHA1
81bc82a7aa3dea7caf9b4043befa6007f85d8a2c

SHA256
800f4dfe8174883439b1f0f359f8eb4c0313ce993d79295de727c111b164183d

SHA512
6c0a6bd30faf4b510dbb369cfdd12eba5df55f1963659344c1167c714e4e602db72159261756fd470551e5209e7ca7620ab5e2348a86bd031b052650ff5f0188

Download Submit
C:\Program Files\Lauth\icudtl.dat

Filesize
10.0MB

MD5
cf9421b601645bda331c7136a0a9c3f8

SHA1
9950d66df9022f1caa941ab0e9647636f7b7a286

SHA256
8d8a74ca376338623170d59c455476218d5a667d5991a52556aa9c9a70ebc5e5

SHA512
bc9601e2b4ab28130bfadfd6f61b3ed500deb0bd235dc5ca94999c09f59d10bdcbf278869a9802f918830041f620c88e2c3b506608ade661db48ccd84c1977eb

Download Submit
C:\Program Files\Lauth\libEGL.dll

Filesize
464KB

MD5
17b170a8dab2e2e19356d20d6ce5375c

SHA1
4a1c303223bd0b2ab0aee5716f0776fc05086455

SHA256
fe32775c207888994a4c51f47214a78c5b04908a2d4ed4f2407e1c1af54c1cb9

SHA512
14f4bfce62b464b1f75ae0bc7cd1230eb9958dacf2659761f5eb5678af4bf2d866b413c667238a1d7d16ae9b23b7928f9e3c3ec1feb5402864b2ed688aba7682

Download Submit
C:\Program Files\Lauth\libGLESv2.dll

Filesize
7.0MB

MD5
0fe62a65e2be5894e46e13e92a8fd441

SHA1
7e198adefaf94d4ec7fa40b399ff801520e5232d

SHA256
6e92c3133e37baedccfd6681e4e2ee3b1d8469a43a15322decbf7f453172b09b

SHA512
44c9a3dfa23fae20cda330ae17d44ebef2995265f0bc57cd8adc624cab04aa9c72693dc69f64e94f33b59f95f3b0a321b2071b790ff389f370c1e38e46e2f6ba

Download Submit
C:\Program Files\Lauth\libegl.dll

Filesize
464KB

MD5
17b170a8dab2e2e19356d20d6ce5375c

SHA1
4a1c303223bd0b2ab0aee5716f0776fc05086455

SHA256
fe32775c207888994a4c51f47214a78c5b04908a2d4ed4f2407e1c1af54c1cb9

SHA512
14f4bfce62b464b1f75ae0bc7cd1230eb9958dacf2659761f5eb5678af4bf2d866b413c667238a1d7d16ae9b23b7928f9e3c3ec1feb5402864b2ed688aba7682

Download Submit
C:\Program Files\Lauth\libglesv2.dll

Filesize
7.0MB

MD5
0fe62a65e2be5894e46e13e92a8fd441

SHA1
7e198adefaf94d4ec7fa40b399ff801520e5232d

SHA256
6e92c3133e37baedccfd6681e4e2ee3b1d8469a43a15322decbf7f453172b09b

SHA512
44c9a3dfa23fae20cda330ae17d44ebef2995265f0bc57cd8adc624cab04aa9c72693dc69f64e94f33b59f95f3b0a321b2071b790ff389f370c1e38e46e2f6ba

Download Submit
C:\Program Files\Lauth\locales\en-US.pak

Filesize
302KB

MD5
3fef69b20e6f9599e9c2369398e571c0

SHA1
92be2b65b62938e6426ab333c82d70d337666784

SHA256
a99bd31907bbdc12bdfbff7b9da6ddd850c273f3a6ece64ee8d1d9b6ef0c501c

SHA512
3057edfb719c07972fd230514ac5e02f88b04c72356fa4a5e5291677dcbab03297942d5ecdc62c8e58d0088aed4d6ea53806c01f0ea622942feb06584241ad2d

Download Submit
C:\Program Files\Lauth\resources.pak

Filesize
5.2MB

MD5
e0edee97edec5b289b676de680f03b9a

SHA1
d52ee45e0c2342b7df59856c6200ea1f31cd9ed7

SHA256
9d82f0f1edcaa1673e05002453f8e28516d15b5579186f29d8f968c56a38b655

SHA512
1cafb5921b65605ca3d05af863d2367fdfad72e91dd46b973cee1e548984abffe47b87f92237295aed2d5aaf68cfe0fcdc16731204bfe29865610959aaff7a94

Download Submit
C:\Program Files\Lauth\resources\app.asar

Filesize
52.7MB

MD5
9adf7c37e55dd358a194cbed39311863

SHA1
b839194fcd130e7e914d20c4bdaf4e67204c7c7c

SHA256
4019c550115388e89f7f92e5b3acb2d8c72276c1cc7c469f25598af09ad39601

SHA512
2cfb4bd7c905a3368c6d2820db327662b94230f954730237590333348825263f7478d3a257c6f898157a4d19730d59f2f92280d82d5b5cd1aadf83636f1e789a

Download Submit
C:\Program Files\Lauth\v8_context_snapshot.bin

Filesize
710KB

MD5
e15880fb71f70bd29f9c31d002bfb883

SHA1
9eb1aff0e07ecd0e7624e0c1f8a626eabc7354d6

SHA256
2aa2fdf8da0b239d058ddf13827f4514af2c20ecc8f30fedf0bee8c54a4e7439

SHA512
4121b8d4fa065a1fc06f4a33210fc8a10af349e28906d1dc1c4907aa27fcd89771609319fc8b37bcd024b4fb682f45518cc2fbda5bde05ea9f32fad4fe78f1c2

Download Submit
C:\Program Files\Lauth\vk_swiftshader.dll

Filesize
4.8MB

MD5
50b70539542cbddb8ac40b26d507ce3d

SHA1
9b3c758a69032974ec8b8ce47d4e56d40c94977b

SHA256
cea8333a4a38cfaa0936e2c3e3edde95e0d8ba0a11ce3ce2148c2a7f73a647f5

SHA512
1f257b6d3864325ba36580ec31c150d7a1e1cb9d342d92bae99b8249e8100d3135f7a1d94f7abf6839a2fa81ee9c727fe338559829d2378d8b3b3b23ab6c40fb

Download Submit
C:\Program Files\Lauth\vk_swiftshader.dll

Filesize
4.8MB

MD5
50b70539542cbddb8ac40b26d507ce3d

SHA1
9b3c758a69032974ec8b8ce47d4e56d40c94977b

SHA256
cea8333a4a38cfaa0936e2c3e3edde95e0d8ba0a11ce3ce2148c2a7f73a647f5

SHA512
1f257b6d3864325ba36580ec31c150d7a1e1cb9d342d92bae99b8249e8100d3135f7a1d94f7abf6839a2fa81ee9c727fe338559829d2378d8b3b3b23ab6c40fb

Download Submit
C:\Program Files\Lauth\vk_swiftshader.dll

Filesize
4.8MB

MD5
50b70539542cbddb8ac40b26d507ce3d

SHA1
9b3c758a69032974ec8b8ce47d4e56d40c94977b

SHA256
cea8333a4a38cfaa0936e2c3e3edde95e0d8ba0a11ce3ce2148c2a7f73a647f5

SHA512
1f257b6d3864325ba36580ec31c150d7a1e1cb9d342d92bae99b8249e8100d3135f7a1d94f7abf6839a2fa81ee9c727fe338559829d2378d8b3b3b23ab6c40fb

Download Submit
C:\Program Files\Lauth\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Program Files\Lauth\vulkan-1.dll

Filesize
858KB

MD5
68c46ba86797717dbeefe393a617f8f4

SHA1
6f55bdd530110d96d196fc9cf0efe3bb38fefb2f

SHA256
5a686093ad1136594b54070ddd0ff679bd5f1b8a149e796655bb5216dcc36aa7

SHA512
0d63c97518b999a44c00301e3bbf25e44518a5d769476d986c4ca4fb8b2cd535499d2867d241cad0de65aea743c9c8297743590707a52f6a7ce540249e98acce

Download Submit
C:\Program Files\Lauth\vulkan-1.dll

Filesize
858KB

MD5
68c46ba86797717dbeefe393a617f8f4

SHA1
6f55bdd530110d96d196fc9cf0efe3bb38fefb2f

SHA256
5a686093ad1136594b54070ddd0ff679bd5f1b8a149e796655bb5216dcc36aa7

SHA512
0d63c97518b999a44c00301e3bbf25e44518a5d769476d986c4ca4fb8b2cd535499d2867d241cad0de65aea743c9c8297743590707a52f6a7ce540249e98acce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6DD9.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6DD9.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6DD9.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6DD9.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6DD9.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6DD9.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6DD9.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6DD9.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6DD9.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/3948-191-0x0000019E553ED000-0x0000019E553F1000-memory.dmp

Filesize
16KB

Download
memory/3948-199-0x0000019E553F1000-0x0000019E553F4000-memory.dmp

Filesize
12KB

Download
memory/3948-188-0x0000019E531C0000-0x0000019E531E0000-memory.dmp

Filesize
128KB

Download
memory/3948-192-0x0000019E553ED000-0x0000019E553F1000-memory.dmp

Filesize
16KB

Download
memory/3948-184-0x0000019E531A0000-0x0000019E531C0000-memory.dmp

Filesize
128KB

Download
memory/3948-193-0x0000019E553ED000-0x0000019E553F1000-memory.dmp

Filesize
16KB

Download
memory/3948-195-0x0000019E553ED000-0x0000019E553F1000-memory.dmp

Filesize
16KB

Download
memory/3948-194-0x0000019E553ED000-0x0000019E553F1000-memory.dmp

Filesize
16KB

Download
memory/3948-198-0x0000019E553F1000-0x0000019E553F4000-memory.dmp

Filesize
12KB

Download
memory/3948-197-0x0000019E553F1000-0x0000019E553F4000-memory.dmp

Filesize
12KB

Download
memory/3948-185-0x0000019E53400000-0x0000019E53420000-memory.dmp

Filesize
128KB

Download
memory/3948-200-0x0000019E553F1000-0x0000019E553F4000-memory.dmp

Filesize
12KB

Download