glupteba | 8be6bf95b0faf13153d79974f9bee22107abffa51eae2d02bbf0b8e2c49485c1

Analysis

max time kernel
94s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2023 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

237KB
MD5

94f44206d911043f2d04a03000ee2280
SHA1

1d588b58c5b2eac5abf28ac4fc876c0fcf26a68e
SHA256

8be6bf95b0faf13153d79974f9bee22107abffa51eae2d02bbf0b8e2c49485c1
SHA512

6ab5ca31f731080a7962a2cf75f3ab582ddb9e1cdd5ba45d27180301ee3015370af97964b7a7bbebdc255c5f093354703f06212a532395fe5b10541401a93c2a
SSDEEP

3072:RG6Fo5y1GPPcBjGtPdyICWv9t7NyFQZM+nbiud/RVAD5Z5OeTC8L:K5bzFy0Vt8FCbiu1U3T

Score

10^/10

glupteba smokeloader pub1 backdoor collection discovery dropper evasion loader persistence spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

http://humydrole.com/tmp/index.php

http://trunk-co.ru/tmp/index.php

http://weareelight.com/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2036-108-0x0000000002E20000-0x000000000370B000-memory.dmp	family_glupteba
behavioral2/memory/2036-115-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2036-275-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2036-293-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2036-529-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2036-580-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/680-648-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

81C0.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 81C0.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

4616 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	81C0.exe

pid	process
4616	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

81C0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	81C0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	81C0.exe

Deletes itself 1 IoCs

Processes:

pid process

3444

pid	process
3444

Executes dropped EXE 14 IoCs

Processes:

7607.exe81C0.exe90F3.exe9896.exeB0F1.exeB0F1.tmpDaisoLIB.exeDaisoLIB.exeE996.exeE996.tmpBF4.exeE47.exe9896.execsrss.exe

pid	process
4812	7607.exe
868	81C0.exe
4132	90F3.exe
2036	9896.exe
1916	B0F1.exe
2872	B0F1.tmp
1396	DaisoLIB.exe
5084	DaisoLIB.exe
3200	E996.exe
1756	E996.tmp
2460	BF4.exe
3640	E47.exe
680	9896.exe
4876	csrss.exe

Loads dropped DLL 7 IoCs

Processes:

regsvr32.exeB0F1.tmpE996.tmp

pid process

3252 regsvr32.exe
2872 B0F1.tmp
2872 B0F1.tmp
2872 B0F1.tmp
1756 E996.tmp
1756 E996.tmp
1756 E996.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3252	regsvr32.exe
2872	B0F1.tmp
2872	B0F1.tmp
2872	B0F1.tmp
1756	E996.tmp
1756	E996.tmp
1756	E996.tmp

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\81C0.exe	themida
C:\Users\Admin\AppData\Local\Temp\81C0.exe	themida
behavioral2/memory/868-82-0x0000000000600000-0x0000000001140000-memory.dmp	themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9896.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	9896.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

81C0.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 81C0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81C0.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

81C0.exe

pid process

868 81C0.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

7607.exe

description pid process target process

PID 4812 set thread context of 4208 4812 7607.exe AppLaunch.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

9896.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 9896.exe

pid	process
868	81C0.exe

description	pid	process	target process
PID 4812 set thread context of 4208	4812	7607.exe	AppLaunch.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	9896.exe

Drops file in Program Files directory 64 IoCs

Processes:

B0F1.tmpE996.tmp

description	ioc	process
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-GGL84.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\is-FML82.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-3T5K7.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-79C80.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-E5DDT.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-CDDMC.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-TGEMS.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-7OH2H.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-E4HES.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-0UU5C.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-AIUPP.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-N91AS.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-06V6H.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-GDALU.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-B2L0U.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-V385J.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-NQH60.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-H08M9.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\stuff\is-FASR1.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-RLV7G.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-A8SRQ.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-1LCC2.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-VLKQI.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-NKJBD.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-1PVOR.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-3CPVO.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-F82JR.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-JIS0P.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-18MEC.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\lessmsi\is-PDA0E.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\stuff\is-27VVK.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-38VA1.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-V60EP.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-FPKR4.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-9KHDE.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-ISJF5.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-D98D6.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\uninstall\is-CTOPJ.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-2N1A7.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-TPVG5.tmp	B0F1.tmp
File opened for modification	C:\Program Files (x86)\DaisoLIB\DaisoLIB.exe	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-7A6EM.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-9C0R3.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\plugins\internal\is-1OB7U.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-ELFI2.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-N9ARM.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-52VCH.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\uninstall\is-7M32F.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-AQAE3.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-4F6D6.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-6SF6M.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-FFAUQ.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-AKJLS.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-L250R.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-MGCN6.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-US613.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-M95IU.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-IQ0LL.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-HL59F.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\stuff\is-0ND5E.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-A1KCU.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-DC3RJ.tmp	B0F1.tmp
File created	C:\Program Files (x86)\DaisoLIB\stuff\is-ILFUI.tmp	E996.tmp
File created	C:\Program Files (x86)\DaisoLIB\bin\x86\is-H2EVS.tmp	B0F1.tmp

Drops file in Windows directory 2 IoCs

Processes:

9896.exe

description ioc process

File opened for modification C:\Windows\rss 9896.exe
File created C:\Windows\rss\csrss.exe 9896.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1268 sc.exe
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1112 4812 WerFault.exe 7607.exe
3788 2036 WerFault.exe 9896.exe
1888 3640 WerFault.exe E47.exe
2568 680 WerFault.exe 9896.exe

description	ioc	process
File opened for modification	C:\Windows\rss	9896.exe
File created	C:\Windows\rss\csrss.exe	9896.exe

pid	process
1268	sc.exe

pid	pid_target	process	target process
1112	4812	WerFault.exe	7607.exe
3788	2036	WerFault.exe	9896.exe
1888	3640	WerFault.exe	E47.exe
2568	680	WerFault.exe	9896.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

90F3.exefile.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	90F3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	90F3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	90F3.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3868 schtasks.exe
3324 schtasks.exe

pid	process
3868	schtasks.exe
3324	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

9896.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	9896.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	9896.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	9896.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	9896.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	9896.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	9896.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	9896.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	9896.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	9896.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	9896.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	9896.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	9896.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	9896.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	9896.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	9896.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
1560	file.exe
1560	file.exe
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3444
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

file.exe90F3.exe

pid process

1560 file.exe
4132 90F3.exe
3444
3444
3444
3444

pid	process
3444

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppLaunch.exe81C0.exepowershell.exeBF4.exeWerFault.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeDebugPrivilege	4208	AppLaunch.exe
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeDebugPrivilege	868	81C0.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeDebugPrivilege	2460	BF4.exe
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeDebugPrivilege	2036	WerFault.exe
Token: SeImpersonatePrivilege	2036	WerFault.exe
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe7607.exeB0F1.exeB0F1.tmpnet.exe9896.exeE996.exe

description	pid	process	target process
PID 3444 wrote to memory of 5080	3444		regsvr32.exe
PID 3444 wrote to memory of 5080	3444		regsvr32.exe
PID 5080 wrote to memory of 3252	5080	regsvr32.exe	regsvr32.exe
PID 5080 wrote to memory of 3252	5080	regsvr32.exe	regsvr32.exe
PID 5080 wrote to memory of 3252	5080	regsvr32.exe	regsvr32.exe
PID 3444 wrote to memory of 4812	3444		7607.exe
PID 3444 wrote to memory of 4812	3444		7607.exe
PID 3444 wrote to memory of 4812	3444		7607.exe
PID 3444 wrote to memory of 868	3444		81C0.exe
PID 3444 wrote to memory of 868	3444		81C0.exe
PID 3444 wrote to memory of 868	3444		81C0.exe
PID 3444 wrote to memory of 4132	3444		90F3.exe
PID 3444 wrote to memory of 4132	3444		90F3.exe
PID 3444 wrote to memory of 4132	3444		90F3.exe
PID 4812 wrote to memory of 4208	4812	7607.exe	AppLaunch.exe
PID 4812 wrote to memory of 4208	4812	7607.exe	AppLaunch.exe
PID 4812 wrote to memory of 4208	4812	7607.exe	AppLaunch.exe
PID 4812 wrote to memory of 4208	4812	7607.exe	AppLaunch.exe
PID 4812 wrote to memory of 4208	4812	7607.exe	AppLaunch.exe
PID 4812 wrote to memory of 4208	4812	7607.exe	AppLaunch.exe
PID 4812 wrote to memory of 4208	4812	7607.exe	AppLaunch.exe
PID 4812 wrote to memory of 4208	4812	7607.exe	AppLaunch.exe
PID 3444 wrote to memory of 2036	3444		9896.exe
PID 3444 wrote to memory of 2036	3444		9896.exe
PID 3444 wrote to memory of 2036	3444		9896.exe
PID 3444 wrote to memory of 1916	3444		B0F1.exe
PID 3444 wrote to memory of 1916	3444		B0F1.exe
PID 3444 wrote to memory of 1916	3444		B0F1.exe
PID 1916 wrote to memory of 2872	1916	B0F1.exe	B0F1.tmp
PID 1916 wrote to memory of 2872	1916	B0F1.exe	B0F1.tmp
PID 1916 wrote to memory of 2872	1916	B0F1.exe	B0F1.tmp
PID 2872 wrote to memory of 2412	2872	B0F1.tmp	schtasks.exe
PID 2872 wrote to memory of 2412	2872	B0F1.tmp	schtasks.exe
PID 2872 wrote to memory of 2412	2872	B0F1.tmp	schtasks.exe
PID 2872 wrote to memory of 1396	2872	B0F1.tmp	DaisoLIB.exe
PID 2872 wrote to memory of 1396	2872	B0F1.tmp	DaisoLIB.exe
PID 2872 wrote to memory of 1396	2872	B0F1.tmp	DaisoLIB.exe
PID 2872 wrote to memory of 3676	2872	B0F1.tmp	net.exe
PID 2872 wrote to memory of 3676	2872	B0F1.tmp	net.exe
PID 2872 wrote to memory of 3676	2872	B0F1.tmp	net.exe
PID 2872 wrote to memory of 5084	2872	B0F1.tmp	DaisoLIB.exe
PID 2872 wrote to memory of 5084	2872	B0F1.tmp	DaisoLIB.exe
PID 2872 wrote to memory of 5084	2872	B0F1.tmp	DaisoLIB.exe
PID 3676 wrote to memory of 4936	3676	net.exe	net1.exe
PID 3676 wrote to memory of 4936	3676	net.exe	net1.exe
PID 3676 wrote to memory of 4936	3676	net.exe	net1.exe
PID 2036 wrote to memory of 3224	2036	9896.exe	powershell.exe
PID 2036 wrote to memory of 3224	2036	9896.exe	powershell.exe
PID 2036 wrote to memory of 3224	2036	9896.exe	powershell.exe
PID 3444 wrote to memory of 3200	3444		E996.exe
PID 3444 wrote to memory of 3200	3444		E996.exe
PID 3444 wrote to memory of 3200	3444		E996.exe
PID 3200 wrote to memory of 1756	3200	E996.exe	E996.tmp
PID 3200 wrote to memory of 1756	3200	E996.exe	E996.tmp
PID 3200 wrote to memory of 1756	3200	E996.exe	E996.tmp
PID 3444 wrote to memory of 2460	3444		BF4.exe
PID 3444 wrote to memory of 2460	3444		BF4.exe
PID 3444 wrote to memory of 3640	3444		E47.exe
PID 3444 wrote to memory of 3640	3444		E47.exe
PID 3444 wrote to memory of 3640	3444		E47.exe
PID 3444 wrote to memory of 2360	3444		explorer.exe
PID 3444 wrote to memory of 2360	3444		explorer.exe
PID 3444 wrote to memory of 2360	3444		explorer.exe
PID 3444 wrote to memory of 2360	3444		explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1560

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\750C.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\750C.dll
2⤵
- Loads dropped DLL
PID:3252

C:\Users\Admin\AppData\Local\Temp\7607.exe
C:\Users\Admin\AppData\Local\Temp\7607.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 136
2⤵
- Program crash
PID:1112

C:\Users\Admin\AppData\Local\Temp\81C0.exe
C:\Users\Admin\AppData\Local\Temp\81C0.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Users\Admin\AppData\Local\Temp\90F3.exe
C:\Users\Admin\AppData\Local\Temp\90F3.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4812 -ip 4812
1⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\9896.exe
C:\Users\Admin\AppData\Local\Temp\9896.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Users\Admin\AppData\Local\Temp\9896.exe
"C:\Users\Admin\AppData\Local\Temp\9896.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:996

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1560

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
PID:4876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Modifies data under HKEY_USERS
PID:1596

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:3324

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:2976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
PID:4528

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:3868

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
PID:676

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:2260

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 724
3⤵
- Program crash
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 752
2⤵
- Program crash
PID:3788

C:\Users\Admin\AppData\Local\Temp\B0F1.exe
C:\Users\Admin\AppData\Local\Temp\B0F1.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Local\Temp\is-T0R38.tmp\B0F1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T0R38.tmp\B0F1.tmp" /SL5="$1E004A,7930751,54272,C:\Users\Admin\AppData\Local\Temp\B0F1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
3⤵
PID:2412

C:\Program Files (x86)\DaisoLIB\DaisoLIB.exe
"C:\Program Files (x86)\DaisoLIB\DaisoLIB.exe" -i
3⤵
- Executes dropped EXE
PID:1396

C:\Program Files (x86)\DaisoLIB\DaisoLIB.exe
"C:\Program Files (x86)\DaisoLIB\DaisoLIB.exe" -s
3⤵
- Executes dropped EXE
PID:5084

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 8
3⤵
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 8
4⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\E996.exe
C:\Users\Admin\AppData\Local\Temp\E996.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200

C:\Users\Admin\AppData\Local\Temp\is-RP0LI.tmp\E996.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RP0LI.tmp\E996.tmp" /SL5="$501F0,7920261,54272,C:\Users\Admin\AppData\Local\Temp\E996.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1756

C:\Users\Admin\AppData\Local\Temp\BF4.exe
C:\Users\Admin\AppData\Local\Temp\BF4.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Users\Admin\AppData\Local\Temp\E47.exe
C:\Users\Admin\AppData\Local\Temp\E47.exe
1⤵
- Executes dropped EXE
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 7308
2⤵
- Program crash
PID:1888

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2360

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2036 -ip 2036
1⤵
PID:3552

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3640 -ip 3640
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 680 -ip 680
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DaisoLIB\DaisoLIB.exe

Filesize
3.6MB

MD5
20849790c5f7d3bd858b41a5ac0bf243

SHA1
a025d456efff9a6a51872005b6709b3cb0a747c6

SHA256
13302a1933e5a96f77591ca903e056f0cfe0e508876154330382e891af5056b6

SHA512
0b5a1d8a379b20f8b35c91b3eb25449e4b46b46df880c8e68e23a4cd982ce2d9d1b4164265415fbe0a3d7e164c1555610bf40659220c2ad17c182c67ee17d753

Download Submit
C:\Program Files (x86)\DaisoLIB\DaisoLIB.exe

Filesize
3.6MB

MD5
20849790c5f7d3bd858b41a5ac0bf243

SHA1
a025d456efff9a6a51872005b6709b3cb0a747c6

SHA256
13302a1933e5a96f77591ca903e056f0cfe0e508876154330382e891af5056b6

SHA512
0b5a1d8a379b20f8b35c91b3eb25449e4b46b46df880c8e68e23a4cd982ce2d9d1b4164265415fbe0a3d7e164c1555610bf40659220c2ad17c182c67ee17d753

Download Submit
C:\Program Files (x86)\DaisoLIB\DaisoLIB.exe

Filesize
3.6MB

MD5
20849790c5f7d3bd858b41a5ac0bf243

SHA1
a025d456efff9a6a51872005b6709b3cb0a747c6

SHA256
13302a1933e5a96f77591ca903e056f0cfe0e508876154330382e891af5056b6

SHA512
0b5a1d8a379b20f8b35c91b3eb25449e4b46b46df880c8e68e23a4cd982ce2d9d1b4164265415fbe0a3d7e164c1555610bf40659220c2ad17c182c67ee17d753

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\COPYING.LGPLv2.1

Filesize
25KB

MD5
bd7a443320af8c812e4c18d1b79df004

SHA1
37d2f1d62fec4da0caf06e5da21afc3521b597aa

SHA256
b634ab5640e258563c536e658cad87080553df6f34f62269a21d554844e58bfe

SHA512
21aef7129b5b70e3f9255b1ea4dc994bf48b8a7f42cd90748d71465738d934891bbec6c6fc6a1ccfaf7d3f35496677d62e2af346d5e8266f6a51ae21a65c4460

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\OptimFROG.dll

Filesize
209KB

MD5
2c747f19bf1295ebbdab9fb14bb19ee2

SHA1
6f3b71826c51c739d6bb75085e634b2b2ef538bc

SHA256
d2074b91a63219cfd3313c850b2833cd579cc869ef751b1f5ad7edfb77bd1edd

SHA512
c100c0a5af52d951f3905884e9b9d0ec1a0d0aebe70550a646ba6e5d33583247f67ca19e1d045170a286d92ee84e1676a6c1b0527e017a35b6242dd9dee05af4

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\avfilter-9.dll

Filesize
260KB

MD5
8b099fa7b51a8462683bd6ff5224a2dc

SHA1
c3aa74fff8bb1ec4034da2d48f0d9e18e490ea3d

SHA256
438de563db40c8e0906665249ecf0bdd466092c9a309c910f5de8599fb0b83d2

SHA512
9b81093f0853919bce3883c94c2c0921a96a95604fd2c2a45b29801a9ba898bd04aa17290095994db50cbffcbbd6c54519851ff813c63cd9ba132ae9c6efa572

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\avutil-58.dll

Filesize
885KB

MD5
af785965ab0bf2474b3dd6e53da2f368

SHA1
ef9eecbd07ccbd3069b30aa1671c2093fa38feb6

SHA256
8cdf4cad48406cdb2ff6f4f08a8bcaf41b9a5a656cc341f2757b610a7aca706a

SHA512
5f69c61e38d6930f8084dce001bd592c681850f073f1b82e2914f448750e7514e2b0f8f7591bcb089c84d91fc9f51e96cfc03d204ae052564820723e57b6fe27

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\bass.dll

Filesize
124KB

MD5
75c1d7a3bdf1a309c540b998901a35a7

SHA1
b06feeac73d496c435c66b9b7ff7514cbe768d84

SHA256
6303f205127c3b16d9cf1bdf4617c96109a03c5f2669341fbc0e1d37cd776b29

SHA512
8d2bbb7a7ad34529117c8d5a122f4daf38ea684aacd09d5ad0051fa41264f91fd5d86679a57913e5ada917f94a5ef693c39ebd8b465d7e69ef5d53ef941ad2ee

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\bass_aac.dll

Filesize
146KB

MD5
526e02e9eb8953655eb293d8bac59c8f

SHA1
7ca6025602681ef6efdee21cd11165a4a70aa6fe

SHA256
e2175e48a93b2a7fa25acc6879f3676e04a0c11bb8cdfd8d305e35fd9b5bbbb4

SHA512
053eb66d17e5652a12d5f7faf03f02f35d1e18146ee38308e39838647f91517f8a9dc0b7a7748225f2f48b8f0347b0a33215d7983e85fca55ef8679564471f0b

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\bass_fx.dll

Filesize
33KB

MD5
ea245b00b9d27ef2bd96548a50a9cc2c

SHA1
8463fdcdd5ced10c519ee0b406408ae55368e094

SHA256
4824a06b819cbe49c485d68a9802d9dae3e3c54d4c2d8b706c8a87b56ceefbf3

SHA512
ef1e107571402925ab5b1d9b096d7ceff39c1245a23692a3976164d0de0314f726cca0cb10246fe58a13618fd5629a92025628373b3264153fc1d79b0415d9a7

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\bass_ofr.dll

Filesize
5KB

MD5
b3cc560ac7a5d1d266cb54e9a5a4767e

SHA1
e169e924405c2114022674256afc28fe493fbfdf

SHA256
edde733a8d2ca65c8b4865525290e55b703530c954f001e68d1b76b2a54edcb5

SHA512
a836decacb42cc3f7d42e2bf7a482ae066f5d1df08cccc466880391028059516847e1bf71e4c6a90d2d34016519d16981ddeeacfb94e166e4a9a720d9cc5d699

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\bass_tta.dll

Filesize
7KB

MD5
1268dea570a7511fdc8e70c1149f6743

SHA1
1d646fc69145ec6a4c0c9cad80626ad40f22e8cd

SHA256
f266dba7b23321bf963c8d8b1257a50e1467faaab9952ef7ffed1b6844616649

SHA512
e19f0ea39ff7aa11830af5aad53343288c742be22299c815c84d24251fa2643b1e0401af04e5f9b25cab29601ea56783522ddb06c4195c6a609804880bae9e9b

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\bassalac.dll

Filesize
11KB

MD5
073f34b193f0831b3dd86313d74f1d2a

SHA1
3df5592532619c5d9b93b04ac8dbcec062c6dd09

SHA256
c5eec9cd18a344227374f2bc1a0d2ce2f1797cffd404a0a28cf85439d15941e9

SHA512
eefd583d1f213e5a5607c2cfbaed39e07aec270b184e61a1ba0b5ef67ed7ac5518b5c77345ca9bd4f39d2c86fcd261021568ed14945e7a7541adf78e18e64b0c

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\bassape.dll

Filesize
38KB

MD5
c7a50ace28dde05b897e000fa398bbce

SHA1
33da507b06614f890d8c8239e71d3d1372e61daa

SHA256
f02979610f9be2f267aa3260bb3df0f79eeeb6f491a77ebbe719a44814602bcc

SHA512
4cd7f851c7778c99afed492a040597356f1596bd81548c803c45565975ca6f075d61bc497fce68c6b4fedc1d0b5fd0d84feaa187dc5e149f4e8e44492d999358

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\basscd.dll

Filesize
18KB

MD5
f0f973781b6a66adf354b04a36c5e944

SHA1
8e8ee3a18d4cec163af8756e1644df41c747edc7

SHA256
04ab613c895b35044af8a9a98a372a5769c80245cc9d6bf710a94c5bc42fa1b3

SHA512
118d5dacc2379913b725bd338f8445016f5a0d1987283b082d37c1d1c76200240e8c79660e980f05e13e4eb79bda02256eac52385daa557c6e0c5d326d43a835

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\bassdsd.dll

Filesize
8KB

MD5
19e08b7f7b379a9d1f370e2b5cc622bd

SHA1
3e2d2767459a92b557380c5796190db15ec8a6ea

SHA256
ac97e5492a3ce1689a2b3c25d588fac68dff5c2b79fcf4067f2d781f092ba2a1

SHA512
564101a9428a053aa5b08e84586bcbb73874131154010a601fce8a6fc8c4850c614b4b0a07acf2a38fd2d4924d835584db0a8b49ef369e2e450e458ac32cf256

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\bassflac.dll

Filesize
35KB

MD5
9ff783bb73f8868fa6599cde65ed21d7

SHA1
f515f91d62d36dc64adaa06fa0ef6cf769376bdf

SHA256
e0234af5f71592c472439536e710ba8105d62dfa68722965df87fed50bab1816

SHA512
c9d3c3502601026b6d55a91c583e0bb607bfc695409b984c0561d0cbe7d4f8bd231bc614e0ec1621c287bf0f207017d3e041694320e692ff00bc2220bfa26c26

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\bassmidi.dll

Filesize
35KB

MD5
beba64522aa8265751187e38d1fc0653

SHA1
63ffb566aa7b2242fcc91a67e0eda940c4596e8e

SHA256
8c58bc6c89772d0cd72c61e6cf982a3f51dee9aac946e076a0273cd3aaf3be9d

SHA512
13214e191c6d94db914835577c048adf2240c7335c0a2c2274c096114b7b75cd2ce13a76316963ccd55ee371631998fac678fcf82ae2ae178b7813b2c35c6651

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\bassmix.dll

Filesize
18KB

MD5
8ee91149989d50dfcf9dad00df87c9b0

SHA1
e5581e6c1334a78e493539f8ea1ce585c9ffaf89

SHA256
3030e22f4a854e11a8aa2128991e4867ca1df33bc7b9aff76a5e6deef56927f6

SHA512
fa04e8524da444dd91e4bd682cc9adee445259e0c6190a7def82b8c4478a78aaa8049337079ad01f7984dba28316d72445a0f0d876f268a062ad9b8ff2a6e58d

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\bassopus.dll

Filesize
67KB

MD5
4e35ba785cd3b37a3702e577510f39e3

SHA1
a2fd74a68beff732e5f3cb0835713aea8d639902

SHA256
0afe688b6fca94c69780f454be65e12d616c6e6376e80c5b3835e3fa6de3eb8a

SHA512
1b839af5b4049a20d9b8a0779fe943a4238c8fbfbf306bc6d3a27af45c76f6c56b57b2ec8f087f7034d89b5b139e53a626a8d7316be1374eac28b06d23e7995d

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\basswma.dll

Filesize
17KB

MD5
7b52be6d702aa590db57a0e135f81c45

SHA1
518fb84c77e547dd73c335d2090a35537111f837

SHA256
9b5a8b323d2d1209a5696eaf521669886f028ce1ecdbb49d1610c09a22746330

SHA512
79c1959a689bdc29b63ca771f7e1ab6ff960552cadf0644a7c25c31775fe3458884821a0130b1bab425c3b41f1c680d4776dd5311ce3939775a39143c873a6fe

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\basswv.dll

Filesize
34KB

MD5
58521d1ac2c588b85642354f6c0c7812

SHA1
5912d2507f78c18d5dc567b2fa8d5ae305345972

SHA256
452eee1e4ef2fe2e00060113cce206e90986e2807bb966019ac4e9deb303a9bd

SHA512
3988b61f6b633718de36c0669101e438e70a17e3962a5c3a519bdecc3942201ba9c3b3f94515898bb2f8354338ba202a801b22129fc6d56598103b13364748c1

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\ff_helper.dll

Filesize
61KB

MD5
940eebdb301cb64c7ea2e7fa0646daa3

SHA1
0347f029da33c30bbf3fb067a634b49e8c89fec2

SHA256
b0b56f11549ce55b4dc6f94ecba84aeedba4300d92f4dc8f43c3c9eeefcbe3c5

SHA512
50d455c16076c0738fb1fecae7705e2c9757df5961d74b7155d7dfb3fab671f964c73f919cc749d100f6a90a3454bff0d15ed245a7d26abcaa5e0fde3dc958fd

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\gain_analysis.dll

Filesize
25KB

MD5
d1223f86edf0d5a2d32f1e2aaaf8ae3f

SHA1
c286ca29826a138f3e01a3d654b2f15e21dbe445

SHA256
e0e11a058c4b0add3892e0bea204f6f60a47afc86a21076036393607235b469c

SHA512
7ea1ffb23f8a850f5d3893c6bb66bf95fab2f10f236a781620e9dc6026f175aae824fd0e03082f0cf13d05d13a8eede4f5067491945fca82bbcdcf68a0109cff

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\is-BE2ME.tmp

Filesize
110KB

MD5
bdb65dce335ac29eccbc2ca7a7ad36b7

SHA1
ce7678dcf7af0dbf9649b660db63db87325e6f69

SHA256
7ec9ee07bfd67150d1bc26158000436b63ca8dbb2623095c049e06091fa374c3

SHA512
8aabca6be47a365acd28df8224f9b9b5e1654f67e825719286697fb9e1b75478dddf31671e3921f06632eed5bb3dda91d81e48d4550c2dcd8e2404d566f1bc29

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\libFLAC_dynamic.dll

Filesize
500KB

MD5
c4a2068c59597175cd1a29f3e7f31bc1

SHA1
89de0169028e2bdd5f87a51e2251f7364981044d

SHA256
7ae79f834a4b875a14d63a0db356eec1d356f8e64ff9964e458d1c2050e5d180

SHA512
0989ea9e0efadf1f6c31e7fc243371bb92bfd1446cf62798dca38a021fad8b6adb0aeabdfbdc5ce8b71fe920e341fc8ab4e906b1839c6e469c75d8148a74a08a

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\libmp4v2.dll

Filesize
825KB

MD5
00c672988c2b0a2cb818f4d382c1be5d

SHA1
57121c4852b36746146b10b5b97b5a76628f385f

SHA256
4e9f3e74e984b1c6e4696717ae36396e7504466419d8e4323af3a89de2e2b784

SHA512
c36cae5057a4d904ebdb5495e086b8429e99116acbe7d0f09fb66491f57a7fc44232448208044597316a53c7163e18c2f93336b37b302204c8af6c8f1a9c8353

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\libsox-3.dll

Filesize
633KB

MD5
ce7de939d74321a7d0e9bdf534b89ab9

SHA1
56082b4e09a543562297e098a36aadc3338deec5

SHA256
a9dc70abb4b59989c63b91755ba6177c491f6b4fe8d0bfbdf21a4ccf431bc939

SHA512
03c366506481b70e8bf6554727956e0340d27cb2853609d6210472aedf4b3180c52aad9152bc2cccba005723f5b2e3b5a19d0dce8b8d1e0897f894a4bfeefe55

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\libsoxr.dll

Filesize
222KB

MD5
bc824dc1d1417de0a0e47a30a51428fd

SHA1
c909c48c625488508026c57d1ed75a4ae6a7f9db

SHA256
a87aa800f996902f06c735ea44f4f1e47f03274fe714a193c9e13c5d47230fab

SHA512
566b5d5ddea920a31e0fb9e048e28ef2ac149ef075db44542a46671380f904427ac9a6f59fbc09fe3a4fbb2994f3caeee65452fe55804e403ceabc091ffaf670

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\mp3gain.exe

Filesize
120KB

MD5
b49ecfa819479c3dcd97fae2a8ab6ec6

SHA1
1b8d47d4125028bbb025aafca1759deb3fc0c298

SHA256
b9d5317e10e49aa9ad8ad738eebe9acd360cc5b20e2617e5c0c43740b95fc0f2

SHA512
18617e57a76eff6d95a1ed735ce8d5b752f1fb550045fbbedac4e8e67062acd7845adc6fbe62238c383ced5e01d7aa4ab8f968dc442b67d62d2ed712db67dc13

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\opusenc.exe

Filesize
549KB

MD5
713d04e7396d3a4eff6bf8ba8b9cb2cd

SHA1
d824f373c219b33988cfa3d4a53e7c2bfa096870

SHA256
00fb8e819ffdd2c246f0e6c8c3767a08e704812c6443c8d657dfb388aeb27cf9

SHA512
30311238ef1ee3b97df92084323a54764d79ded62bfeb12757f4c14f709eb2dbdf6625c260fb47da2d600e015750394aa914fc0cc40978ba494d860710f9dc40

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\rg_ebur128.dll

Filesize
42KB

MD5
b162992412e08888456ae13ba8bd3d90

SHA1
095fa02eb14fd4bd6ea06f112fdafe97522f9888

SHA256
2581a6bca6f4b307658b24a7584a6b300c91e32f2fe06eb1dca00adce60fa723

SHA512
078594de66f7e065dcb48da7c13a6a15f8516800d5cee14ba267f43dc73bc38779a4a4ed9444afdfa581523392cbe06b0241aa8ec0148e6bcea8e23b78486824

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\swresample-4.dll

Filesize
308KB

MD5
201ea988661f3d1f9ca5d93da83425e7

SHA1
d0294df7ba1f6cb0290e1efebb5b627a11c8b1f5

SHA256
4e4224b946a584b3d32bbabb8665b67d821bb8d15ab4c1cc4c39c71708298a39

SHA512
6e6fa44ce2e07177dec6e62d0bee5b5d3e23a243d9373fb8c6eeecec6c6150cbd457ed8b8c84ab29133dfe954550ca972dec504069cc411bd1193a24ea98aaee

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\tak_deco_lib.dll

Filesize
110KB

MD5
bdb65dce335ac29eccbc2ca7a7ad36b7

SHA1
ce7678dcf7af0dbf9649b660db63db87325e6f69

SHA256
7ec9ee07bfd67150d1bc26158000436b63ca8dbb2623095c049e06091fa374c3

SHA512
8aabca6be47a365acd28df8224f9b9b5e1654f67e825719286697fb9e1b75478dddf31671e3921f06632eed5bb3dda91d81e48d4550c2dcd8e2404d566f1bc29

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\uchardet.dll

Filesize
288KB

MD5
c76c9ae552e4ce69e3eb9ec380bc0a42

SHA1
effec2973c3d678441af76cfaa55e781271bd1fb

SHA256
574595b5fd6223e4a004fa85cbb3588c18cc6b83bf3140d8f94c83d11dbca7bd

SHA512
7fb385227e802a0c77749978831245235cd1343b95d97e610d20fb0454241c465387bccb937a2ee8a2e0b461dd3d2834f7f542e7739d8e428e146f378a24ee97

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\utils.dll

Filesize
13KB

MD5
9c55b3e5ed1365e82ae9d5da3eaec9f2

SHA1
bb3d30805a84c6f0803be549c070f21c735e10a9

SHA256
d2e374df7122c0676b4618aed537dfc8a7b5714b75d362bfbe85b38f47e3d4a4

SHA512
eefe8793309fdc801b1649661b0c17c38406a9daa1e12959cd20344975747d470d6d9c8be51a46279a42fe1843c254c432938981d108f4899b93cdd744b5d968

Download Submit
C:\Program Files (x86)\DaisoLIB\bin\x86\wavpackdll.dll

Filesize
252KB

MD5
db191b89f4d015b1b9aee99ac78a7e65

SHA1
8dac370768e7480481300dd5ebf8ba9ce36e11e3

SHA256
38a75f86db58eb8d2a7c0213861860a64833c78f59eff19141ffd6c3b6e28835

SHA512
a27e26962b43ba84a5a82238556d06672dcf17931f866d24e6e8dce88f7b30e80ba38b071943b407a7f150a57cf1da13d2137c235b902405bedbe229b6d03784

Download Submit
C:\Program Files (x86)\DaisoLIB\stuff\date.txt

Filesize
1KB

MD5
257d1bf38fa7859ffc3717ef36577c04

SHA1
a9d2606cfc35e17108d7c079a355a4db54c7c2ee

SHA256
dfacc2f208ebf6d6180ee6e882117c31bb58e8b6a76a26fb07ac4f40e245a0cb

SHA512
e13a6f489c9c5ba840502f73acd152d366e0ccdd9d3d8e74b65ff89fdc70cd46f52e42eee0b4ba9f151323ec07c4168cf82446334564adaa8666624f7b8035f3

Download Submit
C:\Program Files (x86)\DaisoLIB\stuff\is-20S0V.tmp

Filesize
1KB

MD5
992c00beab194ce392117bb419f53051

SHA1
8f9114c95e2a2c9f9c65b9243d941dcb5cea40de

SHA256
9e35c8e29ca055ce344e4c206e7b8ff1736158d0b47bf7b3dbc362f7ec7e722c

SHA512
facdca78ae7d874300eacbe3014a9e39868c93493b9cd44aae1ab39afa4d2e0868e167bca34f8c445aa7ccc9ddb27e1b607d739af94aa4840789a3f01e7bed9d

Download Submit
C:\Program Files (x86)\DaisoLIB\stuff\is-U4KF0.tmp

Filesize
1KB

MD5
257d1bf38fa7859ffc3717ef36577c04

SHA1
a9d2606cfc35e17108d7c079a355a4db54c7c2ee

SHA256
dfacc2f208ebf6d6180ee6e882117c31bb58e8b6a76a26fb07ac4f40e245a0cb

SHA512
e13a6f489c9c5ba840502f73acd152d366e0ccdd9d3d8e74b65ff89fdc70cd46f52e42eee0b4ba9f151323ec07c4168cf82446334564adaa8666624f7b8035f3

Download Submit
C:\Program Files (x86)\DaisoLIB\stuff\tagsreplace.txt

Filesize
1KB

MD5
992c00beab194ce392117bb419f53051

SHA1
8f9114c95e2a2c9f9c65b9243d941dcb5cea40de

SHA256
9e35c8e29ca055ce344e4c206e7b8ff1736158d0b47bf7b3dbc362f7ec7e722c

SHA512
facdca78ae7d874300eacbe3014a9e39868c93493b9cd44aae1ab39afa4d2e0868e167bca34f8c445aa7ccc9ddb27e1b607d739af94aa4840789a3f01e7bed9d

Download Submit
C:\Program Files (x86)\DaisoLIB\uninstall\unins000.dat

Filesize
7KB

MD5
b4c28965f341e5c03e4049ddfe101087

SHA1
75dbdbc6ce81e7b62892e17c83e77fcfd6afbfe5

SHA256
4584a749b319df0ab8b81869d7683c3084e492731ac027c8b99a4da88261ab21

SHA512
bc37c9cb43f5311f45ab4bd410c47b5a212fa9390437aaf2403a55a525728296922b21a7f7e312be453b11d77a913d723364741758a0749fa56a9220e68953eb

Download Submit
C:\Program Files (x86)\DaisoLIB\uninstall\unins000.exe

Filesize
704KB

MD5
74e2eeb50e5400cd42bc84b3682294c7

SHA1
575e3a4fcdc80ae85ff2443a761f5b959a0b6b71

SHA256
16dd6479ae9776502838dc4d253eed1c43f538eb14ea0b5a9ed8947e348f5721

SHA512
d1d7cfbcf79ac21f617b5d75084d69af63bf7b2b455769eacfe4b1e33a496c244a6c0726d0d25a86ad922f1b346ccad2f67e9bfe9c9b20dc07f8c3da70771eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\750C.dll

Filesize
3.0MB

MD5
3a750b231ca7d49b77a2811578e223ac

SHA1
dbf0520ff8919405d4ffaa620dfce2db63e56367

SHA256
f75b0fc647b7f0a05d07ec3fe7b8880d6099074151e889108eff670a4dc675c2

SHA512
05751db3d113250df57bcf99dae3fe2b04737adfd29384caf17002fcbd272aca85675fb33a25083315fb0f4f2c5524f6c425c3f42f1afc7eceda154aa54578d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\750C.dll

Filesize
3.0MB

MD5
3a750b231ca7d49b77a2811578e223ac

SHA1
dbf0520ff8919405d4ffaa620dfce2db63e56367

SHA256
f75b0fc647b7f0a05d07ec3fe7b8880d6099074151e889108eff670a4dc675c2

SHA512
05751db3d113250df57bcf99dae3fe2b04737adfd29384caf17002fcbd272aca85675fb33a25083315fb0f4f2c5524f6c425c3f42f1afc7eceda154aa54578d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7607.exe

Filesize
1.1MB

MD5
8d6db1c0be603e301e14d59ef24d7b06

SHA1
4d31f48256ed1320605284c119dffadd14dcc510

SHA256
e6bc630ef036093b32773f92b3204391b31285dcd173f12ce2acb7830f812de2

SHA512
53abdf54aabd735dfccd02045f47381136bd37b5bc1d7d6c8ec164b228b8b4d73c4847d2798619e9bae86e3317eee39b7bf40cea1fe4f31451fa4b2d8b2f22e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7607.exe

Filesize
1.1MB

MD5
8d6db1c0be603e301e14d59ef24d7b06

SHA1
4d31f48256ed1320605284c119dffadd14dcc510

SHA256
e6bc630ef036093b32773f92b3204391b31285dcd173f12ce2acb7830f812de2

SHA512
53abdf54aabd735dfccd02045f47381136bd37b5bc1d7d6c8ec164b228b8b4d73c4847d2798619e9bae86e3317eee39b7bf40cea1fe4f31451fa4b2d8b2f22e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\81C0.exe

Filesize
4.6MB

MD5
18522f12bc42b23be611bd4d961d7bff

SHA1
6c37991adeb58df30b3476acddb97ac7152d2662

SHA256
ad68b573ce00db5608871f4a64c1f92bf77f63be5f149d7cbb176d24d63d12fd

SHA512
019df8189e2889fb500c849faee9984f2bb42ac74ffe843eb6f964febdea48a3ef8963f02d38f233a4abd8156dee543a14da786dfa5e6025e3ab34f0020dafb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\81C0.exe

Filesize
4.6MB

MD5
18522f12bc42b23be611bd4d961d7bff

SHA1
6c37991adeb58df30b3476acddb97ac7152d2662

SHA256
ad68b573ce00db5608871f4a64c1f92bf77f63be5f149d7cbb176d24d63d12fd

SHA512
019df8189e2889fb500c849faee9984f2bb42ac74ffe843eb6f964febdea48a3ef8963f02d38f233a4abd8156dee543a14da786dfa5e6025e3ab34f0020dafb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\90F3.exe

Filesize
238KB

MD5
83490772df4c5c1867cb7d0d1cae2fb1

SHA1
abd0a91752c928d91a34d3c0a79e4ce5c9363c4d

SHA256
07e0d30e8be5182f9607f029d1d19d09c44c36f1835f2aa9aba1c15264482b9b

SHA512
fbe979460a6eb9d0300259e01da88eceeffe6f42aae158e899f0f2c3e7cbfd74c0a1e2f98eb1a0e4473d0587dc4ac64e298beaff6d5fe1919fb01a558298ec84

Download Submit
C:\Users\Admin\AppData\Local\Temp\90F3.exe

Filesize
238KB

MD5
83490772df4c5c1867cb7d0d1cae2fb1

SHA1
abd0a91752c928d91a34d3c0a79e4ce5c9363c4d

SHA256
07e0d30e8be5182f9607f029d1d19d09c44c36f1835f2aa9aba1c15264482b9b

SHA512
fbe979460a6eb9d0300259e01da88eceeffe6f42aae158e899f0f2c3e7cbfd74c0a1e2f98eb1a0e4473d0587dc4ac64e298beaff6d5fe1919fb01a558298ec84

Download Submit
C:\Users\Admin\AppData\Local\Temp\9896.exe

Filesize
4.1MB

MD5
20ef67d27729a102f1d7eb78a1d096b7

SHA1
72e0000abca7dafa74b7d9ea08aa1cef818c7060

SHA256
a44c86d66d73625631213ade970c34ae88a53035c1b8ccad151cc620f4e72083

SHA512
511f23c3be99574c6a28c07a3858bcfa3e0c802502dc158f2301ef2cc5171fb59917859a920cff30cc410fe24b55e8bded10868bac9ba1d069906a35b72448f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9896.exe

Filesize
4.1MB

MD5
20ef67d27729a102f1d7eb78a1d096b7

SHA1
72e0000abca7dafa74b7d9ea08aa1cef818c7060

SHA256
a44c86d66d73625631213ade970c34ae88a53035c1b8ccad151cc620f4e72083

SHA512
511f23c3be99574c6a28c07a3858bcfa3e0c802502dc158f2301ef2cc5171fb59917859a920cff30cc410fe24b55e8bded10868bac9ba1d069906a35b72448f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0F1.exe

Filesize
7.8MB

MD5
e203e89dd023b399768a9951f892a280

SHA1
371e2df48fec847e2e47dbdccf1397dde9570e47

SHA256
2e645bf6be22f90e4b593585498d45f6c7c4cff05c64c9a6890a5afbb73dd067

SHA512
24a690d3934bc81f2d94f4b8b89180dead78e54bbc409bed4b61d3bb57327e2eeae74c9460026f4b8e38f3e7c64327d9da726ed8b662c9850537b4ffa5ebbfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0F1.exe

Filesize
7.8MB

MD5
e203e89dd023b399768a9951f892a280

SHA1
371e2df48fec847e2e47dbdccf1397dde9570e47

SHA256
2e645bf6be22f90e4b593585498d45f6c7c4cff05c64c9a6890a5afbb73dd067

SHA512
24a690d3934bc81f2d94f4b8b89180dead78e54bbc409bed4b61d3bb57327e2eeae74c9460026f4b8e38f3e7c64327d9da726ed8b662c9850537b4ffa5ebbfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\E996.exe

Filesize
7.8MB

MD5
b215f3726cc4ad0ee51479c703226921

SHA1
4ba2b845ec53115b9e9d1553377782becd749430

SHA256
fc82ae779fe7fe22a71d9baca800a7318ee5bccc419b301916a24dcba9a93e70

SHA512
a9667cb046c0530f216bf2116f7f93087f8ae2745f22654a9a486dfed3510496a403d3443a26d142252ef2ac9177b81115fd24127faa6092dc6173e2c369b27e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E996.exe

Filesize
7.8MB

MD5
b215f3726cc4ad0ee51479c703226921

SHA1
4ba2b845ec53115b9e9d1553377782becd749430

SHA256
fc82ae779fe7fe22a71d9baca800a7318ee5bccc419b301916a24dcba9a93e70

SHA512
a9667cb046c0530f216bf2116f7f93087f8ae2745f22654a9a486dfed3510496a403d3443a26d142252ef2ac9177b81115fd24127faa6092dc6173e2c369b27e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_10tqfnub.xvx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FRVO6.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FRVO6.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FRVO6.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RP0LI.tmp\E996.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RP0LI.tmp\E996.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T0R38.tmp\B0F1.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T0R38.tmp\B0F1.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VOBEQ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VOBEQ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VOBEQ.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VOBEQ.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VOBEQ.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VOBEQ.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Roaming\grvjehf

Filesize
238KB

MD5
83490772df4c5c1867cb7d0d1cae2fb1

SHA1
abd0a91752c928d91a34d3c0a79e4ce5c9363c4d

SHA256
07e0d30e8be5182f9607f029d1d19d09c44c36f1835f2aa9aba1c15264482b9b

SHA512
fbe979460a6eb9d0300259e01da88eceeffe6f42aae158e899f0f2c3e7cbfd74c0a1e2f98eb1a0e4473d0587dc4ac64e298beaff6d5fe1919fb01a558298ec84

Download Submit
memory/680-648-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/868-146-0x0000000075650000-0x0000000075740000-memory.dmp

Filesize
960KB

Download
memory/868-279-0x0000000075650000-0x0000000075740000-memory.dmp

Filesize
960KB

Download
memory/868-72-0x0000000075650000-0x0000000075740000-memory.dmp

Filesize
960KB

Download
memory/868-66-0x0000000000600000-0x0000000001140000-memory.dmp

Filesize
11.2MB

Download
memory/868-67-0x0000000075650000-0x0000000075740000-memory.dmp

Filesize
960KB

Download
memory/868-68-0x0000000075650000-0x0000000075740000-memory.dmp

Filesize
960KB

Download
memory/868-280-0x0000000075650000-0x0000000075740000-memory.dmp

Filesize
960KB

Download
memory/868-74-0x0000000075650000-0x0000000075740000-memory.dmp

Filesize
960KB

Download
memory/868-90-0x0000000007FD0000-0x0000000008062000-memory.dmp

Filesize
584KB

Download
memory/868-77-0x0000000076ED4000-0x0000000076ED6000-memory.dmp

Filesize
8KB

Download
memory/868-127-0x0000000075650000-0x0000000075740000-memory.dmp

Filesize
960KB

Download
memory/868-89-0x0000000008580000-0x0000000008B24000-memory.dmp

Filesize
5.6MB

Download
memory/868-278-0x0000000075650000-0x0000000075740000-memory.dmp

Filesize
960KB

Download
memory/868-70-0x0000000075650000-0x0000000075740000-memory.dmp

Filesize
960KB

Download
memory/868-126-0x0000000075650000-0x0000000075740000-memory.dmp

Filesize
960KB

Download
memory/868-125-0x0000000000600000-0x0000000001140000-memory.dmp

Filesize
11.2MB

Download
memory/868-82-0x0000000000600000-0x0000000001140000-memory.dmp

Filesize
11.2MB

Download
memory/868-101-0x0000000008180000-0x000000000818A000-memory.dmp

Filesize
40KB

Download
memory/868-75-0x0000000075650000-0x0000000075740000-memory.dmp

Filesize
960KB

Download
memory/1396-283-0x0000000000400000-0x0000000000796000-memory.dmp

Filesize
3.6MB

Download
memory/1396-277-0x0000000000400000-0x0000000000796000-memory.dmp

Filesize
3.6MB

Download
memory/1560-8-0x00000000008F0000-0x00000000008FB000-memory.dmp

Filesize
44KB

Download
memory/1560-548-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/1560-2-0x00000000008F0000-0x00000000008FB000-memory.dmp

Filesize
44KB

Download
memory/1560-3-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/1560-5-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/1560-1-0x0000000000910000-0x0000000000A10000-memory.dmp

Filesize
1024KB

Download
memory/1756-549-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1916-144-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1916-119-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2036-108-0x0000000002E20000-0x000000000370B000-memory.dmp

Filesize
8.9MB

Download
memory/2036-275-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2036-529-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2036-115-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2036-107-0x0000000002A20000-0x0000000002E20000-memory.dmp

Filesize
4.0MB

Download
memory/2036-293-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2036-580-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2360-538-0x0000000000890000-0x00000000008FB000-memory.dmp

Filesize
428KB

Download
memory/2872-145-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2872-297-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3200-305-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3200-534-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3252-69-0x0000000003270000-0x0000000003383000-memory.dmp

Filesize
1.1MB

Download
memory/3252-58-0x00000000013C0000-0x00000000013C6000-memory.dmp

Filesize
24KB

Download
memory/3252-59-0x0000000010000000-0x00000000102FB000-memory.dmp

Filesize
3.0MB

Download
memory/3252-61-0x0000000003130000-0x0000000003262000-memory.dmp

Filesize
1.2MB

Download
memory/3252-81-0x0000000003270000-0x0000000003383000-memory.dmp

Filesize
1.1MB

Download
memory/3252-76-0x0000000003270000-0x0000000003383000-memory.dmp

Filesize
1.1MB

Download
memory/3444-32-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-14-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-4-0x0000000001330000-0x0000000001346000-memory.dmp

Filesize
88KB

Download
memory/3444-109-0x0000000003760000-0x0000000003776000-memory.dmp

Filesize
88KB

Download
memory/3444-9-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-10-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-43-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-42-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-40-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-39-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-38-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-36-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-35-0x00000000035D0000-0x00000000035E0000-memory.dmp

Filesize
64KB

Download
memory/3444-33-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-34-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-11-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-29-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-30-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-24-0x00000000035D0000-0x00000000035E0000-memory.dmp

Filesize
64KB

Download
memory/3444-27-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-25-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-23-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-22-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-21-0x00000000035D0000-0x00000000035E0000-memory.dmp

Filesize
64KB

Download
memory/3444-20-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-12-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-19-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-17-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-15-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3444-13-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/4132-112-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/4132-99-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/4132-97-0x0000000000970000-0x000000000097B000-memory.dmp

Filesize
44KB

Download
memory/4132-96-0x0000000000A70000-0x0000000000B70000-memory.dmp

Filesize
1024KB

Download
memory/4208-147-0x00000000065A0000-0x00000000065BE000-memory.dmp

Filesize
120KB

Download
memory/4208-102-0x0000000005710000-0x000000000581A000-memory.dmp

Filesize
1.0MB

Download
memory/4208-116-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/4208-98-0x0000000005C20000-0x0000000006238000-memory.dmp

Filesize
6.1MB

Download
memory/4208-105-0x0000000005600000-0x000000000564C000-memory.dmp

Filesize
304KB

Download
memory/4208-143-0x00000000064C0000-0x0000000006536000-memory.dmp

Filesize
472KB

Download
memory/4208-87-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4208-100-0x0000000005540000-0x0000000005552000-memory.dmp

Filesize
72KB

Download
memory/4208-288-0x0000000074000000-0x00000000747B0000-memory.dmp

Filesize
7.7MB

Download
memory/4208-104-0x00000000055A0000-0x00000000055DC000-memory.dmp

Filesize
240KB

Download
memory/4208-88-0x0000000074000000-0x00000000747B0000-memory.dmp

Filesize
7.7MB

Download
memory/5084-287-0x0000000000400000-0x0000000000796000-memory.dmp

Filesize
3.6MB

Download
memory/5084-583-0x0000000000400000-0x0000000000796000-memory.dmp

Filesize
3.6MB

Download
memory/5084-647-0x0000000000400000-0x0000000000796000-memory.dmp

Filesize
3.6MB

Download
memory/5084-289-0x0000000000400000-0x0000000000796000-memory.dmp

Filesize
3.6MB

Download
memory/5084-505-0x0000000000400000-0x0000000000796000-memory.dmp

Filesize
3.6MB

Download