af7b627d3caa69c65fc216080fca958656a71cf82706d70e7d46a813cd65d2d4

Analysis

max time kernel
261s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
20/12/2022, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LDsetup.exe
Size

3.8MB
MD5

b7e4986aef0fc05ef8469deef7b26f5c
SHA1

a0865174ce46291352219601ea64f1e66e258a72
SHA256

af7b627d3caa69c65fc216080fca958656a71cf82706d70e7d46a813cd65d2d4
SHA512

e1d04a29859143c993e12d4ad7704d9684da0225c622e2af08b7b168f7ac197e1ad74fd84a6cfaa5db5899ad58a4d9e3fe083ded6b7255153f07dae662224c91
SSDEEP

98304:7kLY9HJk9WcIE6mMuT205ggn7TsTkvrsuxH73b55ljQ:w0pOzkuT20557Q4vrsCb3dnk

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1188	LDsetup.tmp
2016	LuckyDays.exe

Loads dropped DLL 6 IoCs

pid	Process
1748	LDsetup.exe
1188	LDsetup.tmp
1188	LDsetup.tmp
268	regsvr32.exe
1924	regsvr32.exe
1048	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\is-J5FUA.tmp	LDsetup.tmp
File created	C:\Windows\SysWOW64\is-0OSIV.tmp	LDsetup.tmp
File created	C:\Windows\SysWOW64\is-9R3GJ.tmp	LDsetup.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Lucky Days 2.3\is-QT9K1.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-6KFBP.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-FPLMG.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-N67ER.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-H1K8V.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-57UDG.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-9SH9L.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-6HDUU.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-FBPTR.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\is-RHGI8.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-DQ1JR.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-9QOJI.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-SQ0MN.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-QQGQ7.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-1J1R4.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-JJSLV.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-KJ9T2.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-GFU0K.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-MGKAQ.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-C5A02.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-KVSV3.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-6BG01.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-ICD2C.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-3L0KS.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-1GHV7.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-MN7TH.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\is-JH0FS.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-U25LD.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-1DIA8.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-8E4S1.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-IV5IJ.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-JL4A1.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-JG7UO.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-DMC3J.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-ROCTC.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-V5AI5.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-UU4B1.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-50TQG.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-JEBJ0.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-47R94.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-A8AHN.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-9GP3E.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\is-UOVAE.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-7NAUS.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-NQGUN.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-KKJ0T.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-OF27E.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-UEJ1T.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-PKVFJ.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-AKB65.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-DKUNO.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-VQ20O.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-L71LD.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-CJQ0R.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-4NRDN.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-B2LOJ.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-BGB91.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-VI0UG.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-4HMTJ.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-5NSJB.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-PV01C.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-P59QA.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-8JMU7.tmp	LDsetup.tmp
File created	C:\Program Files (x86)\Lucky Days 2.3\ephemeris\is-2U0HG.tmp	LDsetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\AlternateCLSID = "{627C8B79-918A-4C5C-9E19-20F66BF30B86}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\AlternateCLSID = "{7DC6F291-BF55-4E50-B619-EF672D9DCC58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\AlternateCLSID = "{F91CAF91-225B-43A7-BB9E-472F991FC402}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\AlternateCLSID = "{0B314611-2C19-4AB4-8513-A6EEA569D3C4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\AlternateCLSID = "{996BF5E0-8044-4650-ADEB-0B013914E99C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\AlternateCLSID = "{24B224E0-9545-4A2F-ABD5-86AA8A849385}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B7E6392-850A-101B-AFC0-4210102A8DA7}\1.3\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE35-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\Version\ = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.ProgCtrl\CLSID\ = "{0713E8D2-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E451-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D94-9D6A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{373FF7F1-EB8B-11CD-8820-08002B2F4F5A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\COMCTL32.OCX, 17"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{612A8626-0FB3-11CE-8747-524153480004}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8D1-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4D83604-895E-11D0-B0A6-000000000000}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\MiscStatus\ = "0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9ED94440-E5E8-101B-B9B5-444553540000}\ProgID\ = "COMCTL.TabStrip.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2C787A50-E01C-11CF-8E74-00A0C90F26F8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E953-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C787A52-E01C-11CF-8E74-00A0C90F26F8}\ = "IPanel11"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DA8D8C-9D6A-101B-AFC0-4210102A8DA7}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D91-9D6A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF953-8592-11D1-B16A-00C0F0283628}\ = "ISliderEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E8C-DF38-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Version\ = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider.2\CLSID\ = "{F08DF954-8592-11D1-B16A-00C0F0283628}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E944-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E1B5150-DB62-11D0-A0D8-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE4-8583-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04C-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\CONTROL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04C-858B-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E8A0-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{026371C0-1B7C-11CF-9D53-00AA003C9CB6}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl\CLSID\ = "{BDD1F04B-858B-11D1-B16A-00C0F0283628}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B7E6390-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E216240-1B7D-11CF-9D53-00AA003C9CB6}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{026371C0-1B7C-11CF-9D53-00AA003C9CB6}\ProgID\ = "ComCtl2.UpDown.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.TabStrip	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612A8624-0FB3-11CE-8747-524153480004}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83601-895E-11D0-B0A6-000000000000}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E8AF-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A1-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9ED94441-E5E8-101B-B9B5-444553540000}\ = "ITabStrip10"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSCOMCTL.OCX"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E791-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{612A8626-0FB3-11CE-8747-524153480004}\TypeLib\Version = "1.3"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1188	LDsetup.tmp
1188	LDsetup.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1812	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1188	LDsetup.tmp

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1812	AcroRd32.exe
1812	AcroRd32.exe
1812	AcroRd32.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1188	1748	LDsetup.exe	28
PID 1748 wrote to memory of 1188	1748	LDsetup.exe	28
PID 1748 wrote to memory of 1188	1748	LDsetup.exe	28
PID 1748 wrote to memory of 1188	1748	LDsetup.exe	28
PID 1748 wrote to memory of 1188	1748	LDsetup.exe	28
PID 1748 wrote to memory of 1188	1748	LDsetup.exe	28
PID 1748 wrote to memory of 1188	1748	LDsetup.exe	28
PID 1188 wrote to memory of 268	1188	LDsetup.tmp	29
PID 1188 wrote to memory of 268	1188	LDsetup.tmp	29
PID 1188 wrote to memory of 268	1188	LDsetup.tmp	29
PID 1188 wrote to memory of 268	1188	LDsetup.tmp	29
PID 1188 wrote to memory of 268	1188	LDsetup.tmp	29
PID 1188 wrote to memory of 268	1188	LDsetup.tmp	29
PID 1188 wrote to memory of 268	1188	LDsetup.tmp	29
PID 1188 wrote to memory of 1924	1188	LDsetup.tmp	31
PID 1188 wrote to memory of 1924	1188	LDsetup.tmp	31
PID 1188 wrote to memory of 1924	1188	LDsetup.tmp	31
PID 1188 wrote to memory of 1924	1188	LDsetup.tmp	31
PID 1188 wrote to memory of 1924	1188	LDsetup.tmp	31
PID 1188 wrote to memory of 1924	1188	LDsetup.tmp	31
PID 1188 wrote to memory of 1924	1188	LDsetup.tmp	31
PID 1188 wrote to memory of 1048	1188	LDsetup.tmp	32
PID 1188 wrote to memory of 1048	1188	LDsetup.tmp	32
PID 1188 wrote to memory of 1048	1188	LDsetup.tmp	32
PID 1188 wrote to memory of 1048	1188	LDsetup.tmp	32
PID 1188 wrote to memory of 1048	1188	LDsetup.tmp	32
PID 1188 wrote to memory of 1048	1188	LDsetup.tmp	32
PID 1188 wrote to memory of 1048	1188	LDsetup.tmp	32
PID 1188 wrote to memory of 1680	1188	LDsetup.tmp	33
PID 1188 wrote to memory of 1680	1188	LDsetup.tmp	33
PID 1188 wrote to memory of 1680	1188	LDsetup.tmp	33
PID 1188 wrote to memory of 1680	1188	LDsetup.tmp	33
PID 1188 wrote to memory of 1680	1188	LDsetup.tmp	33
PID 1188 wrote to memory of 1680	1188	LDsetup.tmp	33
PID 1188 wrote to memory of 1680	1188	LDsetup.tmp	33
PID 1188 wrote to memory of 1812	1188	LDsetup.tmp	34
PID 1188 wrote to memory of 1812	1188	LDsetup.tmp	34
PID 1188 wrote to memory of 1812	1188	LDsetup.tmp	34
PID 1188 wrote to memory of 1812	1188	LDsetup.tmp	34
PID 1188 wrote to memory of 2016	1188	LDsetup.tmp	35
PID 1188 wrote to memory of 2016	1188	LDsetup.tmp	35
PID 1188 wrote to memory of 2016	1188	LDsetup.tmp	35
PID 1188 wrote to memory of 2016	1188	LDsetup.tmp	35

C:\Users\Admin\AppData\Local\Temp\LDsetup.exe
"C:\Users\Admin\AppData\Local\Temp\LDsetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\is-2KR01.tmp\LDsetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-2KR01.tmp\LDsetup.tmp" /SL5="$70126,3153348,832512,C:\Users\Admin\AppData\Local\Temp\LDsetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\COMDLG32.OCX"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:268
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\COMCTL32.OCX"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1924
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\COMCT232.OCX"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1048
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\MSCOMCTL.OCX"
    3⤵
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1680
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Program Files (x86)\Lucky Days 2.3\ReadMe.pdf"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1812
- - C:\Program Files (x86)\Lucky Days 2.3\LuckyDays.exe
    "C:\Program Files (x86)\Lucky Days 2.3\LuckyDays.exe"
    3⤵
    - Executes dropped EXE
    PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Lucky Days 2.3\LuckyDays.exe

Filesize
2.9MB

MD5
0be8ac9aab867605cba3c1f736169330

SHA1
a6611d8a1a97460c2690b06790b07ddbec67c045

SHA256
19c74e70f276e41d19a3e87cf4ea7048267023ed7b5aab5be99f10fe69ae5076

SHA512
3cfa558ba10d9987451cf076ab9db49e5c7249789bb07c11d89f19312ea8da749d8efffad5a635e1877eb55d2bf05c3b038489b8774ba6fd97afc26661bb884f

Download Submit
C:\Program Files (x86)\Lucky Days 2.3\LuckyDays.exe

Filesize
2.9MB

MD5
0be8ac9aab867605cba3c1f736169330

SHA1
a6611d8a1a97460c2690b06790b07ddbec67c045

SHA256
19c74e70f276e41d19a3e87cf4ea7048267023ed7b5aab5be99f10fe69ae5076

SHA512
3cfa558ba10d9987451cf076ab9db49e5c7249789bb07c11d89f19312ea8da749d8efffad5a635e1877eb55d2bf05c3b038489b8774ba6fd97afc26661bb884f

Download Submit
C:\Program Files (x86)\Lucky Days 2.3\ReadMe.pdf

Filesize
20KB

MD5
b13abb8e6f5c7dce3d20fec88c6ed4fa

SHA1
12794767da664e033276c8de4fe6be2294098cea

SHA256
c274b2c8a0a360d55bb71678ba1880811259479c7247cfa6a0b4683f98f95036

SHA512
2a6c95ef998220088c7dd9bfd33dadbf25c6696c10fa12576fb1cded26fa6b963bab0bee6c5062bd74dbcefd2432b72dbeba902b08b74e3cfb5f03a4deca702f

Download Submit
C:\Program Files (x86)\Lucky Days 2.3\ephemeris\2000.N

Filesize
29KB

MD5
0958f2eca84e1d4d0ec53df7b1eefb4d

SHA1
7cc095141eb9c47befd313a2462bce24d72f17e4

SHA256
edfac8e75fe9504ce8138d25b56b683f5de1776ea293c174274454c1b3a05909

SHA512
781a9a309107585e6c57b330b0db203bc71e22083de369f6564a9c9439197f90f6b1fdb9eb1b1a621a0b346aeaee61871e95cf68883256719b43c9667099d165

Download Submit
C:\Program Files (x86)\Lucky Days 2.3\ephemeris\2021.N

Filesize
29KB

MD5
9499114072f79c984652d4def57ec537

SHA1
df6eb664ab80235278280da4fbc965f3b5581624

SHA256
351ed30c388e4c489f30b6f29c5c855f67be1df4b584b723860e779f0cce7cba

SHA512
a16265c925650b14494946634844277542257da1f6049d84c8d5a5f0b474de53442c75c22dd9740b40e374c0809e9d4ecac72d38b5dff5f8328abc93d2cb6ff0

Download Submit
C:\Program Files (x86)\Lucky Days 2.3\ephemeris\2022.N

Filesize
29KB

MD5
f58e1e683c70a735711232dcc73c48c9

SHA1
2544acfe5a8ef9da283c5a0e72418007cd3b7445

SHA256
0761f0459c8f2832b3f1f3cc69f7d83b33796fbdb4e868e3ba55abf27e27ea26

SHA512
2a7efb8e0b2179c98ac8c157de69288ca3904acbb4643369e838611c0da48d0be3c40ed95a8e7e6425d671a728dee3707d252c06fba96be3bad99140bc2b6ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2KR01.tmp\LDsetup.tmp

Filesize
3.0MB

MD5
8abcb6c8f865d6515e9aa1e271ad1bb6

SHA1
5c6d17eea410641cf7233d9d55884fbb89e05b55

SHA256
5c495afb3b1b9cd0a62ef3d41320384f3abdd9bdaec9f6789045f016fb86ed20

SHA512
711ac1dd94ed05ba572a5250b470775991e61daa5181ea8d26649a5d539d5019dd711f8d2e262f7d1b98fc05ab37a75dfac982ea7753909e9fe656bb2d36f92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2KR01.tmp\LDsetup.tmp

Filesize
3.0MB

MD5
8abcb6c8f865d6515e9aa1e271ad1bb6

SHA1
5c6d17eea410641cf7233d9d55884fbb89e05b55

SHA256
5c495afb3b1b9cd0a62ef3d41320384f3abdd9bdaec9f6789045f016fb86ed20

SHA512
711ac1dd94ed05ba572a5250b470775991e61daa5181ea8d26649a5d539d5019dd711f8d2e262f7d1b98fc05ab37a75dfac982ea7753909e9fe656bb2d36f92a

Download Submit
C:\Windows\SysWOW64\COMCT232.OCX

Filesize
160KB

MD5
1b63af252cfeff520871f0ae37c80c5e

SHA1
d52d32b1e1c0136803846049f5919484a64d0a85

SHA256
45af0570ac918a57a0e4f868cc4198cbac02957c6be35ec131987101683a9f97

SHA512
34b0e3b0f7f160cff89c369218af9e761050ee235b926fb2204b29776c748bb5198c0ca82cdf19c4d96aad0fc3591d921e38b9223c83dd8585c5656441b2353e

Download Submit
C:\Windows\SysWOW64\COMCTL32.OCX

Filesize
594KB

MD5
eb5f811c1f78005b3c147599a0cccf51

SHA1
19e8153569d1379634ba9d12e84dc35b10faf689

SHA256
bf4147f8a12bec3d54e3ef941475e29d852a1876117c6ce88f47b882ef6d4a03

SHA512
2eeed9e02c2fbff39c021340a8fa10417a47e243ae2d6d5a54e3e69114dccb402f2d836500c6d771ff971cf0070def3004f3e828a9e7686ef0e1457e1583ecec

Download Submit
C:\Windows\SysWOW64\COMDLG32.OCX

Filesize
137KB

MD5
b73809a916e6d7c1ae56f182a2e8f7e2

SHA1
34e4213d8bf0e150d3f50ae0bd3f5b328e1105f5

SHA256
64c6ee999562961d11af130254ad3ffd24bb725d3c18e7877f9fd362f4936195

SHA512
26c28cb6c7e1b47425403ab8850a765ac420dd6474327ce8469376219c830ab46218383d15a73c9ea3a23fc6b5f392ee6e2a1632a1bf644b1bd1a05a4729e333

Download Submit
\Program Files (x86)\Lucky Days 2.3\LuckyDays.exe

Filesize
2.9MB

MD5
0be8ac9aab867605cba3c1f736169330

SHA1
a6611d8a1a97460c2690b06790b07ddbec67c045

SHA256
19c74e70f276e41d19a3e87cf4ea7048267023ed7b5aab5be99f10fe69ae5076

SHA512
3cfa558ba10d9987451cf076ab9db49e5c7249789bb07c11d89f19312ea8da749d8efffad5a635e1877eb55d2bf05c3b038489b8774ba6fd97afc26661bb884f

Download Submit
\Program Files (x86)\Lucky Days 2.3\LuckyDays.exe

Filesize
2.9MB

MD5
0be8ac9aab867605cba3c1f736169330

SHA1
a6611d8a1a97460c2690b06790b07ddbec67c045

SHA256
19c74e70f276e41d19a3e87cf4ea7048267023ed7b5aab5be99f10fe69ae5076

SHA512
3cfa558ba10d9987451cf076ab9db49e5c7249789bb07c11d89f19312ea8da749d8efffad5a635e1877eb55d2bf05c3b038489b8774ba6fd97afc26661bb884f

Download Submit
\Users\Admin\AppData\Local\Temp\is-2KR01.tmp\LDsetup.tmp

Filesize
3.0MB

MD5
8abcb6c8f865d6515e9aa1e271ad1bb6

SHA1
5c6d17eea410641cf7233d9d55884fbb89e05b55

SHA256
5c495afb3b1b9cd0a62ef3d41320384f3abdd9bdaec9f6789045f016fb86ed20

SHA512
711ac1dd94ed05ba572a5250b470775991e61daa5181ea8d26649a5d539d5019dd711f8d2e262f7d1b98fc05ab37a75dfac982ea7753909e9fe656bb2d36f92a

Download Submit
\Windows\SysWOW64\COMCT232.OCX

Filesize
160KB

MD5
1b63af252cfeff520871f0ae37c80c5e

SHA1
d52d32b1e1c0136803846049f5919484a64d0a85

SHA256
45af0570ac918a57a0e4f868cc4198cbac02957c6be35ec131987101683a9f97

SHA512
34b0e3b0f7f160cff89c369218af9e761050ee235b926fb2204b29776c748bb5198c0ca82cdf19c4d96aad0fc3591d921e38b9223c83dd8585c5656441b2353e

Download Submit
\Windows\SysWOW64\COMCTL32.OCX

Filesize
594KB

MD5
eb5f811c1f78005b3c147599a0cccf51

SHA1
19e8153569d1379634ba9d12e84dc35b10faf689

SHA256
bf4147f8a12bec3d54e3ef941475e29d852a1876117c6ce88f47b882ef6d4a03

SHA512
2eeed9e02c2fbff39c021340a8fa10417a47e243ae2d6d5a54e3e69114dccb402f2d836500c6d771ff971cf0070def3004f3e828a9e7686ef0e1457e1583ecec

Download Submit
\Windows\SysWOW64\COMDLG32.OCX

Filesize
137KB

MD5
b73809a916e6d7c1ae56f182a2e8f7e2

SHA1
34e4213d8bf0e150d3f50ae0bd3f5b328e1105f5

SHA256
64c6ee999562961d11af130254ad3ffd24bb725d3c18e7877f9fd362f4936195

SHA512
26c28cb6c7e1b47425403ab8850a765ac420dd6474327ce8469376219c830ab46218383d15a73c9ea3a23fc6b5f392ee6e2a1632a1bf644b1bd1a05a4729e333

Download Submit
memory/1188-62-0x0000000074401000-0x0000000074403000-memory.dmp

Filesize
8KB

Download
memory/1748-87-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1748-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/1748-61-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1748-55-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2016-85-0x000007FEF3B40000-0x000007FEF4563000-memory.dmp

Filesize
10.1MB

Download
memory/2016-86-0x000007FEF24C0000-0x000007FEF3556000-memory.dmp

Filesize
16.6MB

Download
memory/2016-89-0x0000000000B36000-0x0000000000B55000-memory.dmp

Filesize
124KB

Download
memory/2016-90-0x0000000000B36000-0x0000000000B55000-memory.dmp

Filesize
124KB

Download