nullmixer | bb7dead4d3da28e16ef45d0019cd42bbd3c4e3454c3042867e7f64aee2439912

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer.exe
Size

2.8MB
MD5

02c6277e504d9a866d5231ccd1a9a9a3
SHA1

4983d4cd846092f1ad74d0487ac43344fad2b871
SHA256

ed4731a5db70262bddf7f3bff36baef176a14762244e30c5de463075d30a88a3
SHA512

77770c937b0a1671e342a2c272afe30034dfe9008517baac0243d8b761a347d462df78e0bc99d9ba06afc1150e51dd625d0b340140c9a23c5f07318aef6d435b
SSDEEP

49152:xcBevQts9l77feLIO0dHNVzul9juajV4HyN9KFDdYD2nz4LEwJ84vLRaBtIl9mT7:xjQknfeLIO0rVz+a0eHyN0q2znCvLUB9

Score

10^/10

nullmixer privateloader risepro smokeloader vidar 706 pub5 aspackv2 backdoor dropper evasion loader stealer trojan

Malware Config

Extracted

Family

nullmixer

http://watira.xyz/

Extracted

Family

vidar

Version

39.7

Botnet

706

https://shpak125.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sahiba_6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sahiba_6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	sahiba_6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	sahiba_6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	sahiba_6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	sahiba_6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sahiba_6.exe

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral3/memory/1552-154-0x00000000004C0000-0x000000000055D000-memory.dmp	family_vidar
behavioral3/memory/1552-158-0x0000000000400000-0x00000000004C0000-memory.dmp	family_vidar
behavioral3/memory/1552-357-0x0000000000400000-0x00000000004C0000-memory.dmp	family_vidar
behavioral3/memory/1552-372-0x00000000004C0000-0x000000000055D000-memory.dmp	family_vidar

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral3/files/0x0006000000018d07-29.dat	aspack_v212_v242
behavioral3/files/0x0006000000018b6f-44.dat	aspack_v212_v242
behavioral3/files/0x0006000000018b4d-46.dat	aspack_v212_v242
behavioral3/files/0x0006000000018b9c-51.dat	aspack_v212_v242
behavioral3/files/0x0006000000018d07-143.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\International\Geo\Nation	sahiba_6.exe

Executes dropped EXE 14 IoCs

pid	Process
2784	setup_install.exe
660	sahiba_1.exe
1552	sahiba_3.exe
1704	sahiba_8.exe
1632	sahiba_4.exe
1288	sahiba_7.exe
2492	sahiba_1.exe
2232	sahiba_2.exe
1968	sahiba_5.exe
312	sahiba_6.exe
1676	Triste.exe.com
2752	Triste.exe.com
1488	RegAsm.exe
2812	hwahdcb

Loads dropped DLL 49 IoCs

pid	Process
1124	setup_installer.exe
1124	setup_installer.exe
1124	setup_installer.exe
2784	setup_install.exe
2784	setup_install.exe
2784	setup_install.exe
2784	setup_install.exe
2784	setup_install.exe
2784	setup_install.exe
2784	setup_install.exe
2784	setup_install.exe
1280	cmd.exe
1280	cmd.exe
560	cmd.exe
560	cmd.exe
1252	cmd.exe
1552	sahiba_3.exe
1552	sahiba_3.exe
660	sahiba_1.exe
660	sahiba_1.exe
584	cmd.exe
660	sahiba_1.exe
1160	cmd.exe
2172	cmd.exe
2172	cmd.exe
1288	sahiba_7.exe
1288	sahiba_7.exe
436	cmd.exe
2232	sahiba_2.exe
2232	sahiba_2.exe
268	cmd.exe
312	sahiba_6.exe
312	sahiba_6.exe
2492	sahiba_1.exe
2492	sahiba_1.exe
516	cmd.exe
1804	WerFault.exe
1804	WerFault.exe
1804	WerFault.exe
1676	Triste.exe.com
2232	sahiba_2.exe
1804	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
2752	Triste.exe.com
1488	RegAsm.exe
2812	hwahdcb

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
25	iplogger.org
27	iplogger.org
38	iplogger.org
112	pastebin.com
113	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	api.db-ip.com
5	ipinfo.io
7	ipinfo.io
26	api.db-ip.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2752 set thread context of 1488	2752	Triste.exe.com	59

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1804	2784	WerFault.exe	28
1712	1552	WerFault.exe	52

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hwahdcb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hwahdcb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hwahdcb

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sahiba_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sahiba_4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sahiba_4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	sahiba_5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	sahiba_5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sahiba_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sahiba_3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	sahiba_4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sahiba_4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	sahiba_5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sahiba_5.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3028	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2232	sahiba_2.exe
2232	sahiba_2.exe
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2232	sahiba_2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	sahiba_4.exe
Token: SeDebugPrivilege	1968	sahiba_5.exe
Token: SeDebugPrivilege	1488	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 2784	1124	setup_installer.exe	28
PID 1124 wrote to memory of 2784	1124	setup_installer.exe	28
PID 1124 wrote to memory of 2784	1124	setup_installer.exe	28
PID 1124 wrote to memory of 2784	1124	setup_installer.exe	28
PID 1124 wrote to memory of 2784	1124	setup_installer.exe	28
PID 1124 wrote to memory of 2784	1124	setup_installer.exe	28
PID 1124 wrote to memory of 2784	1124	setup_installer.exe	28
PID 2784 wrote to memory of 1280	2784	setup_install.exe	30
PID 2784 wrote to memory of 1280	2784	setup_install.exe	30
PID 2784 wrote to memory of 1280	2784	setup_install.exe	30
PID 2784 wrote to memory of 1280	2784	setup_install.exe	30
PID 2784 wrote to memory of 1280	2784	setup_install.exe	30
PID 2784 wrote to memory of 1280	2784	setup_install.exe	30
PID 2784 wrote to memory of 1280	2784	setup_install.exe	30
PID 2784 wrote to memory of 2172	2784	setup_install.exe	56
PID 2784 wrote to memory of 2172	2784	setup_install.exe	56
PID 2784 wrote to memory of 2172	2784	setup_install.exe	56
PID 2784 wrote to memory of 2172	2784	setup_install.exe	56
PID 2784 wrote to memory of 2172	2784	setup_install.exe	56
PID 2784 wrote to memory of 2172	2784	setup_install.exe	56
PID 2784 wrote to memory of 2172	2784	setup_install.exe	56
PID 2784 wrote to memory of 560	2784	setup_install.exe	55
PID 2784 wrote to memory of 560	2784	setup_install.exe	55
PID 2784 wrote to memory of 560	2784	setup_install.exe	55
PID 2784 wrote to memory of 560	2784	setup_install.exe	55
PID 2784 wrote to memory of 560	2784	setup_install.exe	55
PID 2784 wrote to memory of 560	2784	setup_install.exe	55
PID 2784 wrote to memory of 560	2784	setup_install.exe	55
PID 2784 wrote to memory of 584	2784	setup_install.exe	54
PID 2784 wrote to memory of 584	2784	setup_install.exe	54
PID 2784 wrote to memory of 584	2784	setup_install.exe	54
PID 2784 wrote to memory of 584	2784	setup_install.exe	54
PID 2784 wrote to memory of 584	2784	setup_install.exe	54
PID 2784 wrote to memory of 584	2784	setup_install.exe	54
PID 2784 wrote to memory of 584	2784	setup_install.exe	54
PID 2784 wrote to memory of 268	2784	setup_install.exe	31
PID 2784 wrote to memory of 268	2784	setup_install.exe	31
PID 2784 wrote to memory of 268	2784	setup_install.exe	31
PID 2784 wrote to memory of 268	2784	setup_install.exe	31
PID 2784 wrote to memory of 268	2784	setup_install.exe	31
PID 2784 wrote to memory of 268	2784	setup_install.exe	31
PID 2784 wrote to memory of 268	2784	setup_install.exe	31
PID 2784 wrote to memory of 436	2784	setup_install.exe	53
PID 2784 wrote to memory of 436	2784	setup_install.exe	53
PID 2784 wrote to memory of 436	2784	setup_install.exe	53
PID 2784 wrote to memory of 436	2784	setup_install.exe	53
PID 2784 wrote to memory of 436	2784	setup_install.exe	53
PID 2784 wrote to memory of 436	2784	setup_install.exe	53
PID 2784 wrote to memory of 436	2784	setup_install.exe	53
PID 2784 wrote to memory of 1160	2784	setup_install.exe	33
PID 2784 wrote to memory of 1160	2784	setup_install.exe	33
PID 2784 wrote to memory of 1160	2784	setup_install.exe	33
PID 2784 wrote to memory of 1160	2784	setup_install.exe	33
PID 2784 wrote to memory of 1160	2784	setup_install.exe	33
PID 2784 wrote to memory of 1160	2784	setup_install.exe	33
PID 2784 wrote to memory of 1160	2784	setup_install.exe	33
PID 2784 wrote to memory of 1252	2784	setup_install.exe	32
PID 2784 wrote to memory of 1252	2784	setup_install.exe	32
PID 2784 wrote to memory of 1252	2784	setup_install.exe	32
PID 2784 wrote to memory of 1252	2784	setup_install.exe	32
PID 2784 wrote to memory of 1252	2784	setup_install.exe	32
PID 2784 wrote to memory of 1252	2784	setup_install.exe	32
PID 2784 wrote to memory of 1252	2784	setup_install.exe	32
PID 1280 wrote to memory of 660	1280	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_1.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_1.exe
      sahiba_1.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:660
    - - C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_1.exe" -a
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_5.exe
    3⤵
    - Loads dropped DLL
    PID:268
  - - C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_5.exe
      sahiba_5.exe
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_8.exe
    3⤵
    - Loads dropped DLL
    PID:1252
  - - C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_8.exe
      sahiba_8.exe
      4⤵
      Executes dropped EXE
      PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_7.exe
    3⤵
    - Loads dropped DLL
    PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_7.exe
      sahiba_7.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 420
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_6.exe
    3⤵
    - Loads dropped DLL
    PID:436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_4.exe
    3⤵
    - Loads dropped DLL
    PID:584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_3.exe
    3⤵
    - Loads dropped DLL
    PID:560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_2.exe
    3⤵
    - Loads dropped DLL
    PID:2172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Compatto.rtf
1⤵
PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd
  2⤵
  - Loads dropped DLL
  PID:516
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V /R "^jvMDwkwydQdmnxGPmMOjYlbIlopECWXOZojRKCmISYgoKPYfXOyLKoMeYraSevCxTCAdoOyWjyxqVfYxlTHNQkrRvpTHpGGccUgofIipJpnFNMuJyYIpPPDHnITYVnMGn$" Oggi.rtf
    3⤵
    PID:2656
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
    Triste.exe.com n
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com n
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      PID:2752
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 30
    3⤵
    - Runs ping.exe
    PID:3028

C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_6.exe
sahiba_6.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:312

C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_2.exe
sahiba_2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2232

C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_4.exe
sahiba_4.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_3.exe
sahiba_3.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 964
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1712

C:\Windows\system32\taskeng.exe
taskeng.exe {5B42D103-1772-43A4-8FE2-CF2ED17ED540} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]
1⤵
PID:2652
- C:\Users\Admin\AppData\Roaming\hwahdcb
  C:\Users\Admin\AppData\Roaming\hwahdcb
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Compatto.rtf

Filesize
478B

MD5
b96b1288ce038869fb15d4353f760613

SHA1
5a6f01cb0546a6dd4ae1e90279aaa82bdd672b60

SHA256
2c1458ecd2cc31a6d798a1c6396926cb99a66481832f774dbdbc19594ff9bd40

SHA512
36a72a5cac8b1aaa395d9efc2fc79b4525e408c57cebaaf2f00c1ba5b51bc08ee22e5676055cdcc961197c05e41d020c8d74b0d95426095d1a5b04fb14d3b04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.rtf

Filesize
92KB

MD5
d602612a5dfe00610dc42a84adb5bcd7

SHA1
fc41c419c238ce8ae487e6fadfe1a442fb3f1268

SHA256
4bd7e5c028372e6cfd568498f627ca8ea18928463e60c839b303bdd0b9266465

SHA512
bd4de6c927357d69cf9fc1012f9d3abb899081e484055178f1549169ef3995e94626757be692428d789bfd79ae610d2f51ef5ad1e4467545b9b1a58a5bcbe62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Troverai.rtf

Filesize
81KB

MD5
396e92b7e0e1168d7cb0089ad959d4b1

SHA1
392875b79ab727ec2317b6e72f3fd1ddcc764e7e

SHA256
93a7bef1ea0fd429b91500381d814e65ba0326ffb60849f1eba41e9b74e1891d

SHA512
56459cbccfa74c294e4683c5d04dce16ac78d37e21546dfb1366f58791e886db88683b2a541fcc14df5e32690e102dcee7b53ce3ffe0f1ea12de12f57de43cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_3.exe

Filesize
662KB

MD5
e6db96c4838923c2f5014f83cf86b69c

SHA1
ab6c7c1436ee177715e83d61340ca4c2b3090eb0

SHA256
18e20e4fa69af3a4ca8cfdc86037dc87113c9d98ade86a2f50003caac5d3ef7e

SHA512
5ebb5e07c9c92cb19f63187b162277a463dca2c0cc499be7acd5f7f1813ecbb64fef3a9463f03ea43403de4e85e66ac7d12bedffc2f0dfb9ca0e8f9bf008646d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_4.exe

Filesize
8KB

MD5
6b143d8c4bf42fbb7e3fcbbc07c77056

SHA1
de516772cdfe8634537350a098abdcd5d93fc6f4

SHA256
7b8be831bf781741f6945f4eba81055c5c66bb0c37ea29f10dafd7002bc49946

SHA512
29628b124e753c8f8ac1ca55f41b877cbca93991cfc3f0189a11ed59a941db46c34fa4959e7bdbab2d372cd83f98a6c0a05c75f9bfcfcbb399f82c7907d5aa5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_5.exe

Filesize
117KB

MD5
7dd2640ec31132a5496cad4094d5077f

SHA1
76aa4cdafa07236e3869192d3a253d29e77644ba

SHA256
62a55fe169c776651d2c4061597373cc19a9fd89660eb1c6d0a17c0231cb7e18

SHA512
83b35f90d02055c738670c7216ef68d6a2abbcb767be034a52df789063eb8771babd1720e47963be05d4b099f73696a5ebda2b170acfa386ed402160d8685095

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_6.exe

Filesize
393KB

MD5
2e26836f1280438cf4bacdaac3715b82

SHA1
cf89f539fdde55de2c446d16ed327ec9d6d29075

SHA256
1ac46ae3d3bd1abc1ece68ec228bd4ad8920dab747993ae3b27b86a19768ae86

SHA512
7145b447fe2521335db390e4b46de3a42990ad93ef49bffc70d0e999b2b822aa72a3c69f3280b03ffca2b0b20096a6f051bcca98387e5d83ee075bee50253f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_6.txt

Filesize
696KB

MD5
6335d8bf224b0b4d9cfd4f10f49c4134

SHA1
4b5935a8fcef8682403d40528abb0a8ae18dd458

SHA256
4fb91a9feedafaceb8cd859cb329c936fc1574dc1c14315d44e107e88c670086

SHA512
b94db4057de8c3ce434edbf20d45cb89bee325c53addc21be700d94f83cc7bfb16386fca48235505ccfc562e19221eff5f7dd59adeee737937b0b736983fcfbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_7.exe

Filesize
306KB

MD5
7fcd565f97756f45310415ec6aae98e9

SHA1
b8a10e560af47308b56cea42bd9451bff92cbc1c

SHA256
934300430d482e2a35ff292a70b9dbc62a2e756a3c47e59c0d8da681e195112b

SHA512
578421938f4957ebc7239af1cb3e435deb236cb2cad2666e6fa96852779dd951e9f70d87ed9d8f9f6b81e5b1e0c3dfae358eba5fa62a66b9f55d64c7dea01240

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_7.txt

Filesize
337KB

MD5
15a1b80b4b8aa386a34a5ab98753c6e1

SHA1
d0a7f2850b7c68215583bacf1d2d8074a96c9c41

SHA256
7154c3a7e073355ddbc6b598a8321bc72de9815825a0fb9d3e48f6876760fbb6

SHA512
9868d5ffd3daf673c01af3b30c2fdd2f2c756c1565f26cceeb0edce86033315c263b1184e182d31f25b61037ca262aa2cc9716a22f1e0d6de742355754f6e17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_8.exe

Filesize
65KB

MD5
ca6cf7fc3b270e85153853e04077d2b6

SHA1
44bc3d902abfe9504d035116ab02fdc664d355c9

SHA256
06c379608d8a632dac8be0c4fb72d20250010232d05756fb38250083dbc464d0

SHA512
7f869b6e955b029e9a6c80656139233a80b1036f113cb80a1721052978ef01d69c0878e292e325ac6ce91cee47277463afead99d8431cafa6bd093229ececff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_8.txt

Filesize
239KB

MD5
4b22d93b15716c78574359822631a650

SHA1
2e5ad91cd4de7b91a21beaebb1b138a0e302433a

SHA256
a14fbc80257bbb603ac8cb0694f2587e60e2be4c4e79d39e7945d986b02c37b8

SHA512
85703a351512f040194225b069b803a6d266a08c956ec7ccb544833f82a661eaf0cb2d37696c97e4a79f2f7242ed68b2166f8c105bb476f6cecdc1df1818eb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7918.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7979.tmp

Filesize
31KB

MD5
4b16aee85c008f4df1d4a9e6dc33a32d

SHA1
945be6cf0cbee5ed66ada895378a9e67299dc5df

SHA256
049c5f40081f6eba823219d9b602f9880cc6e009c22777404b1f2975f4173b7d

SHA512
1cbdbf92fe0ee141403bcb6596738f4e3508bb14221cf39ca5bc68854bbe2a07d496cdf08cc75cf6e7ad48f4d23b3b656c342ce000f12e29bab399654e673dca

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com

Filesize
258KB

MD5
885347539dffc5ac82217270ded19852

SHA1
8438d91a0ad77f1c8d7feb1d0d92ecaae7009758

SHA256
0a9897a1bda9c8aa95f0ffa7241ac02dff05e41c7acfdb8b19169dfd3e9b9af1

SHA512
69466d6d816937f628edff98f0297d1148a04f618659c81c23bc09bff65ed6fbe9c40bf9652e31685fba41fb1f5f2ed23017b76ca6f8c056af002db7236fed3a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4646FE76\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_1.exe

Filesize
56KB

MD5
a30209d1cbb79a6af44aaa3f0240bfac

SHA1
34a71c0dc1a837ba78aa86f9dc3dde6fa8570eda

SHA256
c3759b2ce602b3575af5ba376446815a132f77e4b05c48f12ef0b512f9025bc4

SHA512
0e217d0d587ea85422f8b4f36e6bba9dbef7f6a4f2fdac8aa106fb9150848fbaf6a6cd1c864c282eb0a386c3e26ba158747bd099e9f5eb3ed6e689a56814fe34

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_2.exe

Filesize
238KB

MD5
bfb7856f2fd7775b9cbafc3e8605e99a

SHA1
130d61ad56993178abf36e44ffb10671e3545202

SHA256
34bc565cc947940e985a0863aee2c2ffee340f771a7603a2175d2ec9f376e0ba

SHA512
2ba9a0c2b74c3b0b5319266a28eec504b6c0fe537187c31fc8b3ca225cf5077f69f8b83b78019563697177b4a8cd0098731260d4e7a3efbf15865115aac48adc

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_2.exe

Filesize
323KB

MD5
2410259398283811f24b851d0326ff36

SHA1
7e79ded5ad8f5621a43c9c1b1cba69f4c5778e73

SHA256
1cb0e328bcf8626fe17a9a15dbb78d5d33a27078328444a2b41e4313b96177e7

SHA512
ff8d8e7bf80ba91c73f3868fecd2efa26f796ee91d50ac14c748b3d59705ddea1b37ad82c0995ae867c932ea9314bff6e978c337ebd873586de8fd8cb048e211

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_2.exe

Filesize
200KB

MD5
a4af6af7a393884b41a9746b0dc06f7d

SHA1
e36cabe090e476387b72eadaded835341efe1e8e

SHA256
0762e4529ccddaa1ea13a70e9b637adc8f72975b822252bacd8e9db1ad765d69

SHA512
babf17acb086884748e5e919dcfcdaf47a10fed7116399e0006d531d9ec4179109a66264c84799247cec5c08b1fbc1a72137a72a45e40fd8fb700297c929eac4

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_2.exe

Filesize
325KB

MD5
7154363f6af0bfafe02f1ed75d45ba1e

SHA1
4da75746e4f21e312430c6b455ec30f6888e342b

SHA256
f08faa7ff270d4dd074c9fd8966674580e1e545ba72414b07942fe3b01f28296

SHA512
e130e1303a40efe7c0b31d0c098bafe970c0150a49cd3fe1f35629b78901eac95832568afc4e685620a9c4bbc4606cb04bf27d915f52291063cd178626b80529

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_3.exe

Filesize
550KB

MD5
729aa074cfbdcd3dd888a145a769dcf9

SHA1
ca288e7d9f899e9e763c15d4d588ba5536cd1fbb

SHA256
6ba34f07a7adb88228aa9392dcc1548e043cf0c643fe2941289a9176a132d37e

SHA512
3d5208be34ab80faf3a5595390c999ba666793694a4b7365524380529bf70b9f8e869531d3295542ae3f5fd427f71aa2953b2f6623aa04ef6b7a86690b367c64

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_3.exe

Filesize
70KB

MD5
8c989c4be9fef933dfd76d329d174eef

SHA1
c7bf5a0455f400b410d95449952481c781f5e9b2

SHA256
1aadfa3a8d3f251ac07c89f4942babcc488426b8fffba30401ae2f2ba6a61675

SHA512
9a1a2034f336426458b6774b439e61f4a9f31c4290f9b9e83485942bebb5f42b6884d6c878b88f0dc49a72b359f5402d1f7f7e875267c236584bc8d22ef2d833

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_3.exe

Filesize
167KB

MD5
c04a5635d3505e4176f9fcc3a0a4a1c7

SHA1
ef964e4d11d2dfd41df4a2a38bc3e444b9dbf301

SHA256
14924975d9edabc37e2d3f2fe1574cfc4391e0418e7ed3473faf9f3a32db305c

SHA512
93e363dfd01f0f04f8ea877f24fc844c9dd1be2efc89e656fba6b949eff2765af000e9fd1c13e6a358ce18789d7fa2508a6e406c6759b7d6e81aa53d603b5704

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_5.exe

Filesize
2KB

MD5
c1fceed2635c1cda91bb74d36023be7c

SHA1
d73ce758d476e1eec62e126f46b08124676cea9d

SHA256
497df92b5bb0d58ed4a8d065f60f257c3cf2cadcc04a87b0d344a3a96a0b6a75

SHA512
e38afaa3ba482b578c2100e70083bbc982fa7715c7480f711377b149e0ed48ffe5ad6148a152d2c355076a07f66a28f655716acca6f4d0e6b0e1285542ca2456

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_6.exe

Filesize
297KB

MD5
cda636f32572cecda4b845eba2794178

SHA1
b490e9f782cdd95c11918834718d96ecb4967ff6

SHA256
f1850c21d1838b167217fa30847385e8a920e0bdaa5342338e0625d4fa3e8a1a

SHA512
75afdddedbf9e67670a767be9b5570e11b2e79fd13d5a3c782f3b82514661fc5fda703ffed1d401ef858f7eeaeaa9f1fa7ccac9831c229aca57ae6f1919e0d73

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_6.exe

Filesize
294KB

MD5
b07486727cd6e8aea2b4df9649d36976

SHA1
600d05e2b4912811eed80955de2ac2be496d0962

SHA256
39308105ebc99b9ea72f176396c0833ba9bb0a1f17d37f2e80d1f36ef1413df8

SHA512
9ff0c67fd2a26a7358f73fe90c09f0cb9d28f895f955185aaea68af712cdc8733b6b16e9d36aa68c06ba74b9c8ce47e76b0bc40f54c3642de776f2f29f17c2a2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_6.exe

Filesize
422KB

MD5
131c63875420ad52ff2837f0e60de497

SHA1
aeccf2a59b2c6123253b25ca5154a7b800253b8b

SHA256
80eaf4f61ed2029237bea13c1cc18eff6af2a10a12ca8699177a74939a4eedce

SHA512
cd5c9bb401a3e2797cf920dbbf2b157da9e2d1fa2e49db9ae63f9846143158692e52f80af096d33e50c34c1f0e8315fa9637872cf1dbfa622bb8997b697510a8

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_7.exe

Filesize
45KB

MD5
fd6a38e40303aa869f0b837c753b02ee

SHA1
7540158583f5a406555a2f2cd13d09c7cb884059

SHA256
0994bc598a2f5e3c037db48e9f157bddfd78729bc25714c7478d251b0f257f18

SHA512
b1e5c625d2c8eaca80fba34269874da5aada47cae3daa10437bcdf2cc25cc57be3d5cc660decdbd6f4f7b44d9d55edbfc506b97732943f5a3f1be0e350f22157

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_7.exe

Filesize
456KB

MD5
de6e063e9a87efe585de8e2bc54623ad

SHA1
f92a6792be75b0dabcbde41a0665976fc4f9fe6c

SHA256
0105d4090ef5a911651a00b8bc681605cc76f009d030785c460ebd926b75fa9e

SHA512
ac13d933e454d16c3f8d557c82402f50cd34a6b2fdf3c87e8852655753666cb0553041f1c23f7a2aa0642e78bc1214fcb4408f008f1fea4a91f5c581278aae8d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4646FE76\sahiba_7.exe

Filesize
330KB

MD5
37f860d5e18a3c79eb4fe5911e1d4827

SHA1
6fffa282917b69715f84b79fc639614ff9b916c2

SHA256
1330f93f0aeb4bb614c9c58d2e6711ad06db81852ff28f208d4a86618654e128

SHA512
60dc952e7da5f85bdbdac2452fff7dbd5de930e17b252979cd94201a32304035766aca84f0861e6edd06e189f79f30587742179ba076100bfc658b8a32e445af

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4646FE76\setup_install.exe

Filesize
276KB

MD5
bceb1c4778e16ac0a4ddeac14a08b8b5

SHA1
4128e2f8fdf919b7e2b3269008be14143a1f284d

SHA256
347bc54951dbf36be6395937e74d70026892260bd600c9f017f28baed85d7254

SHA512
daacc92b1f6d5deeb36fe620877970bdb972d71290e2d475d338b38b0fa24811afdd318727f6ff93a2815aafb9b39b5efc7a4d7164fa660c86b52e5f1435c6ed

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4646FE76\setup_install.exe

Filesize
287KB

MD5
2374477610c8c4f47a83a5ba028abb59

SHA1
ac155fea47dfaa9f6e8a8e8f20c9b5442e0683b9

SHA256
5fa7c251a656ab30e3814be14132bfa4a7320c405d6b632f24240b91e6ecb8ea

SHA512
ee38567e57f7ada3117831ee416a2bc6395cf75032f0592ffe29db246a73d144b4c1419bb666d8e1950d0e0a79236dbc2c2e2109bca8d3f15496498934dea990

Download Submit
memory/1124-39-0x00000000027F0000-0x000000000290E000-memory.dmp

Filesize
1.1MB

Download
memory/1124-32-0x00000000027F0000-0x000000000290E000-memory.dmp

Filesize
1.1MB

Download
memory/1204-353-0x0000000002A40000-0x0000000002A55000-memory.dmp

Filesize
84KB

Download
memory/1488-379-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/1488-377-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/1488-373-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1488-374-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/1488-361-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/1552-371-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1552-158-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1552-357-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1552-154-0x00000000004C0000-0x000000000055D000-memory.dmp

Filesize
628KB

Download
memory/1552-153-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1552-372-0x00000000004C0000-0x000000000055D000-memory.dmp

Filesize
628KB

Download
memory/1632-152-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1632-369-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1632-380-0x000000001B160000-0x000000001B1E0000-memory.dmp

Filesize
512KB

Download
memory/1632-157-0x000000001B160000-0x000000001B1E0000-memory.dmp

Filesize
512KB

Download
memory/1632-135-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download
memory/1968-156-0x0000000000150000-0x000000000016E000-memory.dmp

Filesize
120KB

Download
memory/1968-176-0x000000001AEC0000-0x000000001AF40000-memory.dmp

Filesize
512KB

Download
memory/1968-134-0x0000000001150000-0x0000000001176000-memory.dmp

Filesize
152KB

Download
memory/1968-155-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1968-299-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2232-191-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2232-190-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/2232-189-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/2232-354-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2784-62-0x0000000000DB0000-0x0000000000ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2784-351-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2784-59-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2784-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2784-47-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2784-67-0x0000000000DB0000-0x0000000000ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2784-41-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2784-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2784-187-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2784-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2784-64-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2784-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2784-80-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2784-61-0x0000000000DB0000-0x0000000000ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2784-333-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2784-347-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2784-349-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2784-52-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2784-352-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2784-60-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2784-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2784-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2784-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2784-72-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2784-71-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2784-76-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2784-74-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2784-73-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2784-78-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2784-79-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2784-77-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2812-471-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2812-472-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download