glupteba | 16023232b2134dd03f546c94c9675d188c3b51cc8b8beff279f18524be3868da

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2023 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

238KB
MD5

9aaa84453035703bc4cdfaa8042dd4e6
SHA1

affee5ae0ea7219822fc8699712fe089e555ef98
SHA256

16023232b2134dd03f546c94c9675d188c3b51cc8b8beff279f18524be3868da
SHA512

10eef60d8889466c59567825c66c711a2c91e2d1fc580e411089fac999ee8fe8bc043bb51c0e2542df457ca2baeddf9286f630f4e820c578aa9298fff6293f29
SSDEEP

3072:7JFeDpVySIPwwxY9W8kYsC1uWk9xHELHRq8Z5OhTC8L:eDpVoPzY9WbEDYHr8sT

Malware Config

Extracted

Family

smokeloader

Version

2022

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

http://humydrole.com/tmp/index.php

http://trunk-co.ru/tmp/index.php

http://weareelight.com/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

lumma

http://opposesicknessopw.pw/api

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\57C5.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\57C5.exe	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4656-52-0x0000000002E70000-0x000000000375B000-memory.dmp	family_glupteba
behavioral2/memory/4656-53-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4656-245-0x0000000002E70000-0x000000000375B000-memory.dmp	family_glupteba
behavioral2/memory/4656-248-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4656-259-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4656-479-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/756-626-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/756-659-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2808-761-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2808-779-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1528-581-0x0000000000400000-0x000000000085E000-memory.dmp	family_raccoon_v2

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

DB7.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ DB7.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

4704 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DB7.exe

pid	process
4704	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DB7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DB7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DB7.exe

Deletes itself 1 IoCs

Processes:

pid process

3184

pid	process
3184

Executes dropped EXE 19 IoCs

Processes:

DB7.exe19CD.exe2170.exe317E.exe317E.tmpMaildelivery.exeMaildelivery.exe4E8C.exe4E8C.tmpDaisoLIB.exe57C5.exeDaisoLIB.exe5AD3.exe5DB2.exe2170.execsrss.exeinjector.exewindefender.exewindefender.exe

pid	process
384	DB7.exe
4108	19CD.exe
4656	2170.exe
3532	317E.exe
4716	317E.tmp
4548	Maildelivery.exe
1792	Maildelivery.exe
4460	4E8C.exe
1532	4E8C.tmp
4072	DaisoLIB.exe
3864	57C5.exe
4252	DaisoLIB.exe
1528	5AD3.exe
4776	5DB2.exe
756	2170.exe
2808	csrss.exe
2824	injector.exe
1960	windefender.exe
3468	windefender.exe

Loads dropped DLL 8 IoCs

Processes:

317E.tmp4E8C.tmpregsvr32.exe57C5.exe

pid process

4716 317E.tmp
4716 317E.tmp
4716 317E.tmp
1532 4E8C.tmp
1532 4E8C.tmp
1532 4E8C.tmp
3972 regsvr32.exe
3864 57C5.exe

pid	process
4716	317E.tmp
4716	317E.tmp
4716	317E.tmp
1532	4E8C.tmp
1532	4E8C.tmp
1532	4E8C.tmp
3972	regsvr32.exe
3864	57C5.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DB7.exe	themida
C:\Users\Admin\AppData\Local\Temp\DB7.exe	themida
behavioral2/memory/384-29-0x0000000000DE0000-0x0000000001920000-memory.dmp	themida

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
behavioral2/memory/1960-780-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2170.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	2170.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

DB7.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DB7.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DB7.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

DB7.exe

pid process

384 DB7.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5DB2.exe57C5.exe

description	pid	process	target process
PID 4776 set thread context of 4428	4776	5DB2.exe	AppLaunch.exe
PID 3864 set thread context of 700	3864	57C5.exe	RegSvcs.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

2170.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 2170.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	2170.exe

Drops file in Program Files directory 63 IoCs

Processes:

317E.tmp

description	ioc	process
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-J39OF.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-SRILU.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\stuff\is-2QCUM.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-H4F1J.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-4D98D.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-PSLKU.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\plugins\internal\is-J8VTP.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\stuff\is-TL7LN.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\stuff\is-2S645.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-1RGDS.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-BRIQ2.tmp	317E.tmp
File opened for modification	C:\Program Files (x86)\Maildelivery\uninstall\unins000.dat	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-BS6DK.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-B7EUP.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-4NCRO.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-BLBQU.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-JE8LI.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-CRKAM.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\uninstall\is-3LMM3.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\stuff\is-V51P3.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-DHCJK.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-FH198.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\plugins\internal\is-518CF.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-3E2QL.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-LII0O.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-TBA8E.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-IT1CC.tmp	317E.tmp
File opened for modification	C:\Program Files (x86)\Maildelivery\Maildelivery.exe	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-OIB5M.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-533C0.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-CJS2S.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-7H6QE.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\is-D7065.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-STS79.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-VKSAI.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-UUNH1.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-75FFD.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-NTL7T.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-BU0A2.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\uninstall\unins000.dat	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-N20BF.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-G2P5P.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-FKNDR.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-9DJAH.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-G1G9R.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-NPOCB.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-NGAB9.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-S9FH5.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\lessmsi\is-I7708.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-5QP2E.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-N81U9.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-T7V28.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-9AT6J.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-8JE4T.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-HUKTL.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-HA1QJ.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-COPIE.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-EQ5DM.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-RHSMT.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-0M475.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-9V7LU.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-K1AUA.tmp	317E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-D5ADH.tmp	317E.tmp

Drops file in Windows directory 4 IoCs

Processes:

2170.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	2170.exe
File created	C:\Windows\rss\csrss.exe	2170.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4868 sc.exe
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4752 700 WerFault.exe RegSvcs.exe
3444 756 WerFault.exe 2170.exe
4972 1528 WerFault.exe 5AD3.exe

pid	process
4868	sc.exe

pid	pid_target	process	target process
4752	700	WerFault.exe	RegSvcs.exe
3444	756	WerFault.exe	2170.exe
4972	1528	WerFault.exe	5AD3.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exe19CD.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	19CD.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	19CD.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	19CD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2088 schtasks.exe
2940 schtasks.exe

pid	process
2088	schtasks.exe
2940	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

2170.exepowershell.exepowershell.exewindefender.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	2170.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	2170.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	2170.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	2170.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	2170.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	2170.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	2170.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	2170.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	2170.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	2170.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	2170.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	2170.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	2170.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	2170.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	2170.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	2170.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	2170.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	2170.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	2170.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	2170.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	2170.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time"	windefender.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
3444	file.exe
3444	file.exe
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

file.exe19CD.exe

pid process

3444 file.exe
4108 19CD.exe
3184
3184
3184
3184

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe2170.exepowershell.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeDebugPrivilege	4656	2170.exe
Token: SeImpersonatePrivilege	4656	2170.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	4428	AppLaunch.exe
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2170.exe317E.exe317E.tmpnet.exe4E8C.exe4E8C.tmpnet.exe5DB2.exe

description	pid	process	target process
PID 3184 wrote to memory of 384	3184		DB7.exe
PID 3184 wrote to memory of 384	3184		DB7.exe
PID 3184 wrote to memory of 384	3184		DB7.exe
PID 3184 wrote to memory of 4108	3184		19CD.exe
PID 3184 wrote to memory of 4108	3184		19CD.exe
PID 3184 wrote to memory of 4108	3184		19CD.exe
PID 3184 wrote to memory of 4656	3184		2170.exe
PID 3184 wrote to memory of 4656	3184		2170.exe
PID 3184 wrote to memory of 4656	3184		2170.exe
PID 4656 wrote to memory of 2132	4656	2170.exe	powershell.exe
PID 4656 wrote to memory of 2132	4656	2170.exe	powershell.exe
PID 4656 wrote to memory of 2132	4656	2170.exe	powershell.exe
PID 3184 wrote to memory of 3532	3184		317E.exe
PID 3184 wrote to memory of 3532	3184		317E.exe
PID 3184 wrote to memory of 3532	3184		317E.exe
PID 3532 wrote to memory of 4716	3532	317E.exe	317E.tmp
PID 3532 wrote to memory of 4716	3532	317E.exe	317E.tmp
PID 3532 wrote to memory of 4716	3532	317E.exe	317E.tmp
PID 4716 wrote to memory of 644	4716	317E.tmp	schtasks.exe
PID 4716 wrote to memory of 644	4716	317E.tmp	schtasks.exe
PID 4716 wrote to memory of 644	4716	317E.tmp	schtasks.exe
PID 4716 wrote to memory of 4548	4716	317E.tmp	Maildelivery.exe
PID 4716 wrote to memory of 4548	4716	317E.tmp	Maildelivery.exe
PID 4716 wrote to memory of 4548	4716	317E.tmp	Maildelivery.exe
PID 4716 wrote to memory of 3096	4716	317E.tmp	net.exe
PID 4716 wrote to memory of 3096	4716	317E.tmp	net.exe
PID 4716 wrote to memory of 3096	4716	317E.tmp	net.exe
PID 4716 wrote to memory of 1792	4716	317E.tmp	Maildelivery.exe
PID 4716 wrote to memory of 1792	4716	317E.tmp	Maildelivery.exe
PID 4716 wrote to memory of 1792	4716	317E.tmp	Maildelivery.exe
PID 3096 wrote to memory of 2140	3096	net.exe	net1.exe
PID 3096 wrote to memory of 2140	3096	net.exe	net1.exe
PID 3096 wrote to memory of 2140	3096	net.exe	net1.exe
PID 3184 wrote to memory of 4460	3184		4E8C.exe
PID 3184 wrote to memory of 4460	3184		4E8C.exe
PID 3184 wrote to memory of 4460	3184		4E8C.exe
PID 4460 wrote to memory of 1532	4460	4E8C.exe	4E8C.tmp
PID 4460 wrote to memory of 1532	4460	4E8C.exe	4E8C.tmp
PID 4460 wrote to memory of 1532	4460	4E8C.exe	4E8C.tmp
PID 1532 wrote to memory of 1020	1532	4E8C.tmp	schtasks.exe
PID 1532 wrote to memory of 1020	1532	4E8C.tmp	schtasks.exe
PID 1532 wrote to memory of 1020	1532	4E8C.tmp	schtasks.exe
PID 1532 wrote to memory of 4072	1532	4E8C.tmp	DaisoLIB.exe
PID 1532 wrote to memory of 4072	1532	4E8C.tmp	DaisoLIB.exe
PID 1532 wrote to memory of 4072	1532	4E8C.tmp	DaisoLIB.exe
PID 3184 wrote to memory of 3864	3184		57C5.exe
PID 3184 wrote to memory of 3864	3184		57C5.exe
PID 3184 wrote to memory of 3864	3184		57C5.exe
PID 1532 wrote to memory of 2208	1532	4E8C.tmp	net.exe
PID 1532 wrote to memory of 2208	1532	4E8C.tmp	net.exe
PID 1532 wrote to memory of 2208	1532	4E8C.tmp	net.exe
PID 1532 wrote to memory of 4252	1532	4E8C.tmp	DaisoLIB.exe
PID 1532 wrote to memory of 4252	1532	4E8C.tmp	DaisoLIB.exe
PID 1532 wrote to memory of 4252	1532	4E8C.tmp	DaisoLIB.exe
PID 3184 wrote to memory of 1528	3184		5AD3.exe
PID 3184 wrote to memory of 1528	3184		5AD3.exe
PID 3184 wrote to memory of 1528	3184		5AD3.exe
PID 2208 wrote to memory of 3564	2208	net.exe	net1.exe
PID 2208 wrote to memory of 3564	2208	net.exe	net1.exe
PID 2208 wrote to memory of 3564	2208	net.exe	net1.exe
PID 3184 wrote to memory of 4776	3184		5DB2.exe
PID 3184 wrote to memory of 4776	3184		5DB2.exe
PID 3184 wrote to memory of 4776	3184		5DB2.exe
PID 4776 wrote to memory of 5008	4776	5DB2.exe	AppLaunch.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3444

C:\Users\Admin\AppData\Local\Temp\DB7.exe
C:\Users\Admin\AppData\Local\Temp\DB7.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:384

C:\Users\Admin\AppData\Local\Temp\19CD.exe
C:\Users\Admin\AppData\Local\Temp\19CD.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4108

C:\Users\Admin\AppData\Local\Temp\2170.exe
C:\Users\Admin\AppData\Local\Temp\2170.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Users\Admin\AppData\Local\Temp\2170.exe
"C:\Users\Admin\AppData\Local\Temp\2170.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:3468

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3112

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:2808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:920

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:2940

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:3772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2176

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
PID:2824

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:2088

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
- Executes dropped EXE
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:4084

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 888
3⤵
- Program crash
PID:3444

C:\Users\Admin\AppData\Local\Temp\317E.exe
C:\Users\Admin\AppData\Local\Temp\317E.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532

C:\Users\Admin\AppData\Local\Temp\is-8NHKR.tmp\317E.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8NHKR.tmp\317E.tmp" /SL5="$501C8,7905477,54272,C:\Users\Admin\AppData\Local\Temp\317E.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
3⤵
PID:644

C:\Program Files (x86)\Maildelivery\Maildelivery.exe
"C:\Program Files (x86)\Maildelivery\Maildelivery.exe" -i
3⤵
- Executes dropped EXE
PID:4548

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 8
3⤵
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 8
4⤵
PID:2140

C:\Program Files (x86)\Maildelivery\Maildelivery.exe
"C:\Program Files (x86)\Maildelivery\Maildelivery.exe" -s
3⤵
- Executes dropped EXE
PID:1792

C:\Users\Admin\AppData\Local\Temp\4E8C.exe
C:\Users\Admin\AppData\Local\Temp\4E8C.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460

C:\Users\Admin\AppData\Local\Temp\is-RHOQT.tmp\4E8C.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RHOQT.tmp\4E8C.tmp" /SL5="$A0228,7920261,54272,C:\Users\Admin\AppData\Local\Temp\4E8C.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
3⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\is-7MQM4.tmp\DaisoLIB\DaisoLIB.exe
"C:\Users\Admin\AppData\Local\Temp\is-7MQM4.tmp\DaisoLIB\DaisoLIB.exe" -i
3⤵
- Executes dropped EXE
PID:4072

C:\Users\Admin\AppData\Local\Temp\is-7MQM4.tmp\DaisoLIB\DaisoLIB.exe
"C:\Users\Admin\AppData\Local\Temp\is-7MQM4.tmp\DaisoLIB\DaisoLIB.exe" -s
3⤵
- Executes dropped EXE
PID:4252

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 8
3⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 8
4⤵
PID:3564

C:\Users\Admin\AppData\Local\Temp\57C5.exe
C:\Users\Admin\AppData\Local\Temp\57C5.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:3864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 700 -s 852
3⤵
- Program crash
PID:4752

C:\Users\Admin\AppData\Local\Temp\5AD3.exe
C:\Users\Admin\AppData\Local\Temp\5AD3.exe
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 7300
2⤵
- Program crash
PID:4972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
1⤵
PID:5008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Users\Admin\AppData\Local\Temp\5DB2.exe
C:\Users\Admin\AppData\Local\Temp\5DB2.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6506.dll
1⤵
PID:4900

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\6506.dll
2⤵
- Loads dropped DLL
PID:3972

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1900

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 700 -ip 700
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 756 -ip 756
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1528 -ip 1528
1⤵
PID:3064

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Maildelivery\Maildelivery.exe

Filesize
3.5MB

MD5
27afd644b9ee5bf5b70c6a7793842ffb

SHA1
9e6e7cfbd05127413f629e743f8b917d2827ca36

SHA256
e19cfb7de1b988ac75beb15b974d03bc1366c94daf8f65110243234147281e1c

SHA512
4c3efcbcbfe1b7e234362da27a3e9bd493cadb594a2590c72a7afcc2c92d47863d2d98ce11d7b3339cc67b5e2fb37f3d39397651eeb5c091fb3f162eccd1f9a1

Download Submit
C:\Program Files (x86)\Maildelivery\Maildelivery.exe

Filesize
3.5MB

MD5
27afd644b9ee5bf5b70c6a7793842ffb

SHA1
9e6e7cfbd05127413f629e743f8b917d2827ca36

SHA256
e19cfb7de1b988ac75beb15b974d03bc1366c94daf8f65110243234147281e1c

SHA512
4c3efcbcbfe1b7e234362da27a3e9bd493cadb594a2590c72a7afcc2c92d47863d2d98ce11d7b3339cc67b5e2fb37f3d39397651eeb5c091fb3f162eccd1f9a1

Download Submit
C:\Program Files (x86)\Maildelivery\Maildelivery.exe

Filesize
3.5MB

MD5
27afd644b9ee5bf5b70c6a7793842ffb

SHA1
9e6e7cfbd05127413f629e743f8b917d2827ca36

SHA256
e19cfb7de1b988ac75beb15b974d03bc1366c94daf8f65110243234147281e1c

SHA512
4c3efcbcbfe1b7e234362da27a3e9bd493cadb594a2590c72a7afcc2c92d47863d2d98ce11d7b3339cc67b5e2fb37f3d39397651eeb5c091fb3f162eccd1f9a1

Download Submit
C:\ProgramData\SHelperTrack\SHelperTrack.exe

Filesize
3.6MB

MD5
b61d04b36b3ff147749a0ae3a8d1b20b

SHA1
9f39bb3fcd83aa60c764b1dd2167af8b3aa9568e

SHA256
f7fa558f4e75c0caf746c12ef06d44fd0a4b199e42b58ac675c66099504e79c1

SHA512
4ceec7398968394026dfa3e5a2bd7b8fb4cb0d430e02c6effdf13318565eeaed140d33579025eaa27219eccf7dbe27d54ed7bcf9898951693f4607d155bb9763

Download Submit
C:\ProgramData\resource.dat

Filesize
128B

MD5
785bb7f0b0cef59c39b9f5e21cd2fd04

SHA1
1e1ffdee1584a00bde18bd7bd19c02988301c250

SHA256
90b35ec0c6b41acec2c9bb51cddcb6339fb035c222766a4ca4cbb15b7a7d8853

SHA512
6d2449e111f7f059734960b83b0b090a7239ee2d93eb70f839ecddaa640658b90667f123cfb4fe8e0f5dc0a854a47b62aa2fcaf971d08b9118cac840dbf999eb

Download Submit
C:\ProgramData\ts.dat

Filesize
8B

MD5
e5b321d41389d41b320ab65f0c3a8ce6

SHA1
e9729f14f0cdbaeb17677617dc8419e756a9747a

SHA256
c89ab3cb8814d564cb8d3bbfd77bf437f9c5e73eb0ce0ce8ab89fa0796aa4df4

SHA512
f34513f830743aeec1eeede5a853bce98a7f2079a1fbdb7d076f4203a57c06d6341bc7e9b8921c4dcb05ba208721d97d6c1ffb998042ae9715cb70e89109d477

Download Submit
C:\Users\Admin\AppData\Local\Temp\19CD.exe

Filesize
238KB

MD5
93324054bb32be5c5a12aa31325be8dc

SHA1
b1b926a7adacadf911c7ce9db4c0ffff8fa8c091

SHA256
630cf18b4de45f817e9526ec0afe77ff2ac03c11967b5a87dfb8a6a122a74750

SHA512
ebd89223ca0fa03949bc898369d9d2e2b88ad7823335cadb42c570bc1cfee7b54f7000e14eefaf335bae49df198407ec3d96b5fb3c80e60cc449585ed801d2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\19CD.exe

Filesize
238KB

MD5
93324054bb32be5c5a12aa31325be8dc

SHA1
b1b926a7adacadf911c7ce9db4c0ffff8fa8c091

SHA256
630cf18b4de45f817e9526ec0afe77ff2ac03c11967b5a87dfb8a6a122a74750

SHA512
ebd89223ca0fa03949bc898369d9d2e2b88ad7823335cadb42c570bc1cfee7b54f7000e14eefaf335bae49df198407ec3d96b5fb3c80e60cc449585ed801d2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2170.exe

Filesize
4.1MB

MD5
ee5f4c1c141d634401208931991589f5

SHA1
f423fdd83d53ac3720c8b5e6020ae3773919c407

SHA256
7acc5964d0b0aa71e5a774249b42c7f5b03425b0a43c37d9b9d14184d9001f53

SHA512
d45eaa96e61ce7d9c14b4359c5ba3a50c6f6929acba0255329643ef26d5b4ea4221a74c499157a869261a26baa2b24ba2de11fcba96c625b67571d8db0cdf217

Download Submit
C:\Users\Admin\AppData\Local\Temp\2170.exe

Filesize
4.1MB

MD5
ee5f4c1c141d634401208931991589f5

SHA1
f423fdd83d53ac3720c8b5e6020ae3773919c407

SHA256
7acc5964d0b0aa71e5a774249b42c7f5b03425b0a43c37d9b9d14184d9001f53

SHA512
d45eaa96e61ce7d9c14b4359c5ba3a50c6f6929acba0255329643ef26d5b4ea4221a74c499157a869261a26baa2b24ba2de11fcba96c625b67571d8db0cdf217

Download Submit
C:\Users\Admin\AppData\Local\Temp\2170.exe

Filesize
4.1MB

MD5
ee5f4c1c141d634401208931991589f5

SHA1
f423fdd83d53ac3720c8b5e6020ae3773919c407

SHA256
7acc5964d0b0aa71e5a774249b42c7f5b03425b0a43c37d9b9d14184d9001f53

SHA512
d45eaa96e61ce7d9c14b4359c5ba3a50c6f6929acba0255329643ef26d5b4ea4221a74c499157a869261a26baa2b24ba2de11fcba96c625b67571d8db0cdf217

Download Submit
C:\Users\Admin\AppData\Local\Temp\317E.exe

Filesize
7.8MB

MD5
1a14ced66e8a331a0943db33efab7bfd

SHA1
1c4a40483b2d4e58b64349491e6f0b87cbeade02

SHA256
598ee8864c737c01b36651f2a61266688eb1d03c23e526f456ad0863da81bb73

SHA512
739ab2493daa5a4371ba2e75c990427052a98177b191a503bcec038b82d5103926367d2d2c7c7b986067e6328b7f004bbc712b1ec42e5027439653484e2bb14e

Download Submit
C:\Users\Admin\AppData\Local\Temp\317E.exe

Filesize
7.8MB

MD5
1a14ced66e8a331a0943db33efab7bfd

SHA1
1c4a40483b2d4e58b64349491e6f0b87cbeade02

SHA256
598ee8864c737c01b36651f2a61266688eb1d03c23e526f456ad0863da81bb73

SHA512
739ab2493daa5a4371ba2e75c990427052a98177b191a503bcec038b82d5103926367d2d2c7c7b986067e6328b7f004bbc712b1ec42e5027439653484e2bb14e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E8C.exe

Filesize
7.8MB

MD5
b215f3726cc4ad0ee51479c703226921

SHA1
4ba2b845ec53115b9e9d1553377782becd749430

SHA256
fc82ae779fe7fe22a71d9baca800a7318ee5bccc419b301916a24dcba9a93e70

SHA512
a9667cb046c0530f216bf2116f7f93087f8ae2745f22654a9a486dfed3510496a403d3443a26d142252ef2ac9177b81115fd24127faa6092dc6173e2c369b27e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E8C.exe

Filesize
7.8MB

MD5
b215f3726cc4ad0ee51479c703226921

SHA1
4ba2b845ec53115b9e9d1553377782becd749430

SHA256
fc82ae779fe7fe22a71d9baca800a7318ee5bccc419b301916a24dcba9a93e70

SHA512
a9667cb046c0530f216bf2116f7f93087f8ae2745f22654a9a486dfed3510496a403d3443a26d142252ef2ac9177b81115fd24127faa6092dc6173e2c369b27e

Download Submit
C:\Users\Admin\AppData\Local\Temp\57C5.exe

Filesize
5.1MB

MD5
7f4f98a26d4835578f46224112cc6a15

SHA1
c5cbaf07ef86ee77e7a079ece95e749e7b93a0f0

SHA256
c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276

SHA512
c2fe13271b35c799ea871b54f0d73a61a2ceed5b4f8fa7464bc758908f35185bfe1c43d38c54941c9fef18284334d61ddab506121d7d993ec87752a77eea8c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\57C5.exe

Filesize
5.1MB

MD5
7f4f98a26d4835578f46224112cc6a15

SHA1
c5cbaf07ef86ee77e7a079ece95e749e7b93a0f0

SHA256
c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276

SHA512
c2fe13271b35c799ea871b54f0d73a61a2ceed5b4f8fa7464bc758908f35185bfe1c43d38c54941c9fef18284334d61ddab506121d7d993ec87752a77eea8c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5AD3.exe

Filesize
237KB

MD5
22a51b329fa194d51f68705a25d7396d

SHA1
aada03d8b7f1e28dbf6d72c1503981ccc5bb94da

SHA256
82857c5bbab91ba9c66bcd07c9f25c1b140e94fa892e97cc97db82fe06439742

SHA512
0d9a8a6b1df054a84bea0c4d38fd3c702f95c7d372bf2255c29611aec38fca5c81b972a2d45135a6488ba313d5674cf5e60e5bc7bdc888bb3524739e473ff821

Download Submit
C:\Users\Admin\AppData\Local\Temp\5AD3.exe

Filesize
237KB

MD5
22a51b329fa194d51f68705a25d7396d

SHA1
aada03d8b7f1e28dbf6d72c1503981ccc5bb94da

SHA256
82857c5bbab91ba9c66bcd07c9f25c1b140e94fa892e97cc97db82fe06439742

SHA512
0d9a8a6b1df054a84bea0c4d38fd3c702f95c7d372bf2255c29611aec38fca5c81b972a2d45135a6488ba313d5674cf5e60e5bc7bdc888bb3524739e473ff821

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DB2.exe

Filesize
382KB

MD5
d8aff64273bcd3ef2208d6c4b0214d24

SHA1
593273f5f0e1bc79e15a18b5ca19a51ecdf1e9b1

SHA256
a9d74ae5f8e2319b1333b898747853bd0d39907eba2f4575db81156b67630283

SHA512
bebac874198ac8e006e2549086436e8f0fd71e7d4de21c81434b504d8cbf8000d2ff32f0e1757236df73399b0bfab2ea22ca7a5caeb4306bcaa617f14816649b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DB2.exe

Filesize
382KB

MD5
d8aff64273bcd3ef2208d6c4b0214d24

SHA1
593273f5f0e1bc79e15a18b5ca19a51ecdf1e9b1

SHA256
a9d74ae5f8e2319b1333b898747853bd0d39907eba2f4575db81156b67630283

SHA512
bebac874198ac8e006e2549086436e8f0fd71e7d4de21c81434b504d8cbf8000d2ff32f0e1757236df73399b0bfab2ea22ca7a5caeb4306bcaa617f14816649b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6506.dll

Filesize
4.1MB

MD5
184fc62aeb4c9d78891eb8d509c429e5

SHA1
4456d00e767b918a5118741985f2e1bc924b8e53

SHA256
6b2a111ace1e8469a99e2696a6313352cadf138f5b431d68fdb36a7268df1052

SHA512
100eb18ee1ef332862b668769fc64b37429df107873525b3ffcd5a8ccea8ad31fe57bba97cb103c2b444d62113a999a58f7743eb0b8266bb9ff8f116472d854b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6506.dll

Filesize
4.1MB

MD5
184fc62aeb4c9d78891eb8d509c429e5

SHA1
4456d00e767b918a5118741985f2e1bc924b8e53

SHA256
6b2a111ace1e8469a99e2696a6313352cadf138f5b431d68fdb36a7268df1052

SHA512
100eb18ee1ef332862b668769fc64b37429df107873525b3ffcd5a8ccea8ad31fe57bba97cb103c2b444d62113a999a58f7743eb0b8266bb9ff8f116472d854b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB7.exe

Filesize
4.6MB

MD5
18522f12bc42b23be611bd4d961d7bff

SHA1
6c37991adeb58df30b3476acddb97ac7152d2662

SHA256
ad68b573ce00db5608871f4a64c1f92bf77f63be5f149d7cbb176d24d63d12fd

SHA512
019df8189e2889fb500c849faee9984f2bb42ac74ffe843eb6f964febdea48a3ef8963f02d38f233a4abd8156dee543a14da786dfa5e6025e3ab34f0020dafb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB7.exe

Filesize
4.6MB

MD5
18522f12bc42b23be611bd4d961d7bff

SHA1
6c37991adeb58df30b3476acddb97ac7152d2662

SHA256
ad68b573ce00db5608871f4a64c1f92bf77f63be5f149d7cbb176d24d63d12fd

SHA512
019df8189e2889fb500c849faee9984f2bb42ac74ffe843eb6f964febdea48a3ef8963f02d38f233a4abd8156dee543a14da786dfa5e6025e3ab34f0020dafb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ge4ckyvn.wys.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7MQM4.tmp\DaisoLIB\DaisoLIB.exe

Filesize
3.6MB

MD5
b61d04b36b3ff147749a0ae3a8d1b20b

SHA1
9f39bb3fcd83aa60c764b1dd2167af8b3aa9568e

SHA256
f7fa558f4e75c0caf746c12ef06d44fd0a4b199e42b58ac675c66099504e79c1

SHA512
4ceec7398968394026dfa3e5a2bd7b8fb4cb0d430e02c6effdf13318565eeaed140d33579025eaa27219eccf7dbe27d54ed7bcf9898951693f4607d155bb9763

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7MQM4.tmp\DaisoLIB\DaisoLIB.exe

Filesize
3.6MB

MD5
b61d04b36b3ff147749a0ae3a8d1b20b

SHA1
9f39bb3fcd83aa60c764b1dd2167af8b3aa9568e

SHA256
f7fa558f4e75c0caf746c12ef06d44fd0a4b199e42b58ac675c66099504e79c1

SHA512
4ceec7398968394026dfa3e5a2bd7b8fb4cb0d430e02c6effdf13318565eeaed140d33579025eaa27219eccf7dbe27d54ed7bcf9898951693f4607d155bb9763

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7MQM4.tmp\DaisoLIB\DaisoLIB.exe

Filesize
3.6MB

MD5
b61d04b36b3ff147749a0ae3a8d1b20b

SHA1
9f39bb3fcd83aa60c764b1dd2167af8b3aa9568e

SHA256
f7fa558f4e75c0caf746c12ef06d44fd0a4b199e42b58ac675c66099504e79c1

SHA512
4ceec7398968394026dfa3e5a2bd7b8fb4cb0d430e02c6effdf13318565eeaed140d33579025eaa27219eccf7dbe27d54ed7bcf9898951693f4607d155bb9763

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7MQM4.tmp\DaisoLIB\bin\x86\is-U3ST5.tmp

Filesize
110KB

MD5
bdb65dce335ac29eccbc2ca7a7ad36b7

SHA1
ce7678dcf7af0dbf9649b660db63db87325e6f69

SHA256
7ec9ee07bfd67150d1bc26158000436b63ca8dbb2623095c049e06091fa374c3

SHA512
8aabca6be47a365acd28df8224f9b9b5e1654f67e825719286697fb9e1b75478dddf31671e3921f06632eed5bb3dda91d81e48d4550c2dcd8e2404d566f1bc29

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7MQM4.tmp\DaisoLIB\stuff\is-973L8.tmp

Filesize
1KB

MD5
257d1bf38fa7859ffc3717ef36577c04

SHA1
a9d2606cfc35e17108d7c079a355a4db54c7c2ee

SHA256
dfacc2f208ebf6d6180ee6e882117c31bb58e8b6a76a26fb07ac4f40e245a0cb

SHA512
e13a6f489c9c5ba840502f73acd152d366e0ccdd9d3d8e74b65ff89fdc70cd46f52e42eee0b4ba9f151323ec07c4168cf82446334564adaa8666624f7b8035f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7MQM4.tmp\DaisoLIB\stuff\is-DIA6S.tmp

Filesize
1KB

MD5
992c00beab194ce392117bb419f53051

SHA1
8f9114c95e2a2c9f9c65b9243d941dcb5cea40de

SHA256
9e35c8e29ca055ce344e4c206e7b8ff1736158d0b47bf7b3dbc362f7ec7e722c

SHA512
facdca78ae7d874300eacbe3014a9e39868c93493b9cd44aae1ab39afa4d2e0868e167bca34f8c445aa7ccc9ddb27e1b607d739af94aa4840789a3f01e7bed9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7MQM4.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7MQM4.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7MQM4.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7MQM4.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7MQM4.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7MQM4.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8NHKR.tmp\317E.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8NHKR.tmp\317E.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H7A71.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H7A71.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H7A71.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RHOQT.tmp\4E8C.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RHOQT.tmp\4E8C.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Roaming\eearrff

Filesize
238KB

MD5
93324054bb32be5c5a12aa31325be8dc

SHA1
b1b926a7adacadf911c7ce9db4c0ffff8fa8c091

SHA256
630cf18b4de45f817e9526ec0afe77ff2ac03c11967b5a87dfb8a6a122a74750

SHA512
ebd89223ca0fa03949bc898369d9d2e2b88ad7823335cadb42c570bc1cfee7b54f7000e14eefaf335bae49df198407ec3d96b5fb3c80e60cc449585ed801d2d3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
91ac706a6d9f1ea75832c5a1995da435

SHA1
e4dd09b20862d86b6c19574980dcbba59907a42a

SHA256
2fb8cfad3785671f4576e7109233f60a967076179f1ae91eaa836b5e019d4998

SHA512
b8324ca911b17b3882e177a367d855f5f248ff2d213ab94731c09fdd8c34478f9b4244c294492238397ff3082ccb6738119b4b1ff9b98ec6aaf1d1baad3c2a96

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e5705b1d82560e4a83703c180d657139

SHA1
a5b3834ad4050224f3cc0f5bf88d25a828d7e6cb

SHA256
d74892b4bcfd757f0eed89f7b166d90f3f0a4ce5e79558ec5011d545f6b35986

SHA512
46d759eba4a9835e712ae66b44887cce29017414a1275527af5008f17b5b391c23f9d51c84b0625df5222264410cf319a81f0942c3d7583ecbe40624962e761f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
528a57c38fb6aa275373ce7a75642536

SHA1
cc076a57623caf1115c48bb0a88bd92cef951757

SHA256
fdc9f8e7dc5fcca2bd6be82d387040171d7af2aa5a2e702ea7c9f1e3eaae6f3f

SHA512
8660b31dc3bb0a42a9e00f5e4de50008e5044a7582ac1f4608d6635a50d470c0bdf9ba865798873c648b831914268830e211801a3ca640423fd7b5a568ac4eee

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
5ce20a084a56847c3a3a9cf68b727391

SHA1
a7fa28abfbc029da90b74165c4a030f0e2f6ac35

SHA256
8693e9122704fc738796c7cba4c1966a2a4a4a04c9f122416b882a2a565934eb

SHA512
a611efd12e0955f3c767329ac44db37b7693708fbe3d1cf640e02ef39362db8fc6f3130477701a7c423ffab9d82f9a3bc82683be07efc076650dc74df0887376

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
5c3f688d0026121190bf184382933f75

SHA1
d379165941b46528dec51d61f88e267d09c8b573

SHA256
61c2744116c2c96f065116bf3bd8e4c81cb2236da27388cdb0eee66af951683d

SHA512
948845985542a92ff9fa6a031c29b9a3358e0bb35ffbdcdf1a06bddc84a0fe16cb10b4665d49a48a4a003428cde9638c1b78659c8b7f08866fd073a8279356e4

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
ee5f4c1c141d634401208931991589f5

SHA1
f423fdd83d53ac3720c8b5e6020ae3773919c407

SHA256
7acc5964d0b0aa71e5a774249b42c7f5b03425b0a43c37d9b9d14184d9001f53

SHA512
d45eaa96e61ce7d9c14b4359c5ba3a50c6f6929acba0255329643ef26d5b4ea4221a74c499157a869261a26baa2b24ba2de11fcba96c625b67571d8db0cdf217

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
ee5f4c1c141d634401208931991589f5

SHA1
f423fdd83d53ac3720c8b5e6020ae3773919c407

SHA256
7acc5964d0b0aa71e5a774249b42c7f5b03425b0a43c37d9b9d14184d9001f53

SHA512
d45eaa96e61ce7d9c14b4359c5ba3a50c6f6929acba0255329643ef26d5b4ea4221a74c499157a869261a26baa2b24ba2de11fcba96c625b67571d8db0cdf217

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/384-40-0x0000000008560000-0x000000000859C000-memory.dmp

Filesize
240KB

Download
memory/384-25-0x0000000077D24000-0x0000000077D26000-memory.dmp

Filesize
8KB

Download
memory/384-18-0x0000000000DE0000-0x0000000001920000-memory.dmp

Filesize
11.2MB

Download
memory/384-19-0x0000000077300000-0x00000000773F0000-memory.dmp

Filesize
960KB

Download
memory/384-20-0x0000000077300000-0x00000000773F0000-memory.dmp

Filesize
960KB

Download
memory/384-21-0x0000000077300000-0x00000000773F0000-memory.dmp

Filesize
960KB

Download
memory/384-22-0x0000000077300000-0x00000000773F0000-memory.dmp

Filesize
960KB

Download
memory/384-23-0x0000000077300000-0x00000000773F0000-memory.dmp

Filesize
960KB

Download
memory/384-24-0x0000000077300000-0x00000000773F0000-memory.dmp

Filesize
960KB

Download
memory/384-82-0x0000000077300000-0x00000000773F0000-memory.dmp

Filesize
960KB

Download
memory/384-235-0x0000000077300000-0x00000000773F0000-memory.dmp

Filesize
960KB

Download
memory/384-29-0x0000000000DE0000-0x0000000001920000-memory.dmp

Filesize
11.2MB

Download
memory/384-30-0x0000000008690000-0x0000000008C34000-memory.dmp

Filesize
5.6MB

Download
memory/384-31-0x0000000008180000-0x0000000008212000-memory.dmp

Filesize
584KB

Download
memory/384-32-0x0000000008320000-0x000000000832A000-memory.dmp

Filesize
40KB

Download
memory/384-59-0x0000000077300000-0x00000000773F0000-memory.dmp

Filesize
960KB

Download
memory/384-57-0x0000000000DE0000-0x0000000001920000-memory.dmp

Filesize
11.2MB

Download
memory/384-33-0x0000000009260000-0x0000000009878000-memory.dmp

Filesize
6.1MB

Download
memory/384-38-0x0000000008C40000-0x0000000008D4A000-memory.dmp

Filesize
1.0MB

Download
memory/384-41-0x00000000085A0000-0x00000000085EC000-memory.dmp

Filesize
304KB

Download
memory/384-39-0x0000000008400000-0x0000000008412000-memory.dmp

Filesize
72KB

Download
memory/700-599-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/700-593-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/700-596-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/756-659-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/756-626-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1528-581-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/1532-271-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/1532-578-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1792-246-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/1792-772-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/1792-483-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/1792-243-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/1792-625-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/1792-727-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/1900-481-0x0000000000E00000-0x0000000000E6B000-memory.dmp

Filesize
428KB

Download
memory/1960-780-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2132-260-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/2132-250-0x0000000007530000-0x00000000075A6000-memory.dmp

Filesize
472KB

Download
memory/2132-420-0x0000000007960000-0x000000000797E000-memory.dmp

Filesize
120KB

Download
memory/2132-422-0x00000000079C0000-0x0000000007A63000-memory.dmp

Filesize
652KB

Download
memory/2132-408-0x000000006DCD0000-0x000000006E024000-memory.dmp

Filesize
3.3MB

Download
memory/2132-56-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/2132-58-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/2132-407-0x000000006EC60000-0x000000006ECAC000-memory.dmp

Filesize
304KB

Download
memory/2132-385-0x000000007F750000-0x000000007F760000-memory.dmp

Filesize
64KB

Download
memory/2132-368-0x0000000007980000-0x00000000079B2000-memory.dmp

Filesize
200KB

Download
memory/2132-366-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/2132-60-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/2132-55-0x00000000056D0000-0x0000000005CF8000-memory.dmp

Filesize
6.2MB

Download
memory/2132-192-0x00000000063F0000-0x000000000640E000-memory.dmp

Filesize
120KB

Download
memory/2132-54-0x0000000002AB0000-0x0000000002AE6000-memory.dmp

Filesize
216KB

Download
memory/2132-61-0x0000000005510000-0x0000000005532000-memory.dmp

Filesize
136KB

Download
memory/2132-252-0x00000000077D0000-0x00000000077EA000-memory.dmp

Filesize
104KB

Download
memory/2132-367-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/2132-251-0x0000000007E30000-0x00000000084AA000-memory.dmp

Filesize
6.5MB

Download
memory/2132-84-0x0000000005F50000-0x00000000062A4000-memory.dmp

Filesize
3.3MB

Download
memory/2132-249-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/2132-72-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/2132-247-0x0000000006970000-0x00000000069B4000-memory.dmp

Filesize
272KB

Download
memory/2132-76-0x0000000005DE0000-0x0000000005E46000-memory.dmp

Filesize
408KB

Download
memory/2808-761-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2808-779-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3184-4-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/3184-62-0x00000000029F0000-0x0000000002A06000-memory.dmp

Filesize
88KB

Download
memory/3444-3-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/3444-2-0x0000000000B00000-0x0000000000B0B000-memory.dmp

Filesize
44KB

Download
memory/3444-1-0x0000000000B10000-0x0000000000C10000-memory.dmp

Filesize
1024KB

Download
memory/3444-5-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/3532-426-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3532-81-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3972-566-0x0000000002B10000-0x0000000002C37000-memory.dmp

Filesize
1.2MB

Download
memory/3972-565-0x0000000002B10000-0x0000000002C37000-memory.dmp

Filesize
1.2MB

Download
memory/3972-562-0x0000000002B10000-0x0000000002C37000-memory.dmp

Filesize
1.2MB

Download
memory/3972-558-0x00000000029C0000-0x0000000002B03000-memory.dmp

Filesize
1.3MB

Download
memory/3972-484-0x0000000010000000-0x0000000010418000-memory.dmp

Filesize
4.1MB

Download
memory/4020-494-0x0000000000790000-0x000000000079C000-memory.dmp

Filesize
48KB

Download
memory/4072-429-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/4108-64-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/4108-43-0x0000000000A00000-0x0000000000B00000-memory.dmp

Filesize
1024KB

Download
memory/4108-45-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/4108-44-0x00000000009C0000-0x00000000009CB000-memory.dmp

Filesize
44KB

Download
memory/4252-580-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/4252-769-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/4252-694-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/4428-461-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4460-261-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4460-257-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4548-239-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/4548-236-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/4656-244-0x0000000002A60000-0x0000000002E61000-memory.dmp

Filesize
4.0MB

Download
memory/4656-51-0x0000000002A60000-0x0000000002E61000-memory.dmp

Filesize
4.0MB

Download
memory/4656-245-0x0000000002E70000-0x000000000375B000-memory.dmp

Filesize
8.9MB

Download
memory/4656-479-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4656-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4656-52-0x0000000002E70000-0x000000000375B000-memory.dmp

Filesize
8.9MB

Download
memory/4656-259-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4656-53-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4716-201-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/4716-447-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download