glupteba | d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278

Resubmissions

19/03/2024, 10:46

240319-mvcmcsah4t 10

18/03/2024, 12:09

240318-pbenqagc97 10

17/03/2024, 13:27

240317-qqh55afc93 10

17/03/2024, 02:17

240317-cqtd7scf2x 10

Analysis

max time kernel
148s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/03/2024, 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe
Size

209KB
MD5

2cb4d9235c8edfaeeedf9258177cec57
SHA1

401520c963a302e4df292c032416febec06e5666
SHA256

d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278
SHA512

5d1059c1618e8cf1645a7775da743b02ef387d249c6b263e20ade68362ee06e43548293c1bb224719014618458b6bb6b00c7664fbea97b2414976ce980a8d950
SSDEEP

3072:M4GZjvkqp4C/Khv97mrvw1F0Dz1yL9w1RBeg8+/yGYV:nGlvkqp4RSTwQwkRBeA

Score

10^/10

glupteba smokeloader stealc pub1 backdoor bootkit discovery dropper evasion loader persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

http://nidoe.org/tmp/index.php

http://sodez.ru/tmp/index.php

http://uama.com.ua/tmp/index.php

http://talesofpirates.net/tmp/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

stealc

http://185.172.128.145

Attributes

url_path
/3cd2b41cbde8fc9c.php

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

resource	yara_rule
behavioral1/memory/640-108-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/640-111-0x0000000002B00000-0x00000000033EB000-memory.dmp	family_glupteba
behavioral1/memory/640-127-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/640-214-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/640-218-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/640-245-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/752-263-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/752-273-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2020-294-0x0000000002BC0000-0x00000000034AB000-memory.dmp	family_glupteba
behavioral1/memory/2020-305-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe

Detect binaries embedding considerable number of MFA browser extension IDs. 2 IoCs

resource	yara_rule
behavioral1/memory/1856-229-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral1/memory/1856-304-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 2 IoCs

resource	yara_rule
behavioral1/memory/1856-229-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/1856-304-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 3 IoCs

resource	yara_rule
behavioral1/memory/2936-206-0x0000000000400000-0x0000000001A77000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2936-210-0x0000000000400000-0x0000000001A77000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2936-261-0x0000000000400000-0x0000000001A77000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Detects Windows executables referencing non-Windows User-Agents 8 IoCs

resource	yara_rule
behavioral1/memory/640-108-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/640-127-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/640-214-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/640-218-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/640-245-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/752-263-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/752-273-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2020-305-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

resource	yara_rule
behavioral1/memory/1856-229-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1856-304-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables Discord URL observed in first stage droppers 8 IoCs

resource	yara_rule
behavioral1/memory/640-108-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/640-127-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/640-214-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/640-218-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/640-245-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/752-263-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/752-273-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2020-305-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables containing URLs to raw contents of a Github gist 8 IoCs

resource	yara_rule
behavioral1/memory/640-108-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/640-127-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/640-214-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/640-218-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/640-245-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/752-263-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/752-273-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2020-305-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Detects executables containing artifacts associated with disabling Widnows Defender 8 IoCs

resource	yara_rule
behavioral1/memory/640-108-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/640-127-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/640-214-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/640-218-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/640-245-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/752-263-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/752-273-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2020-305-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables packed with VMProtect. 7 IoCs

resource	yara_rule
behavioral1/memory/828-123-0x0000000000400000-0x00000000005AA000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/828-125-0x0000000000400000-0x00000000005AA000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/828-157-0x0000000000400000-0x00000000005AA000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2056-195-0x0000000000400000-0x00000000005AA000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2056-254-0x0000000000400000-0x00000000005AA000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2056-289-0x0000000000400000-0x00000000005AA000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2056-293-0x0000000000400000-0x00000000005AA000-memory.dmp	INDICATOR_EXE_Packed_VMProtect

Detects executables packed with unregistered version of .NET Reactor 5 IoCs

resource	yara_rule
behavioral1/files/0x000a00000000f6f2-14.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1644-16-0x0000000000CE0000-0x00000000011B6000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x000a00000000f6f2-162.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x000a00000000f6f2-161.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x000a00000000f6f2-215.dat	INDICATOR_EXE_Packed_DotNetReactor

Detects executables referencing many varying, potentially fake Windows User-Agents 8 IoCs

resource	yara_rule
behavioral1/memory/640-108-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/640-127-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/640-214-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/640-218-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/640-245-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/752-263-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/752-273-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2020-305-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1300	netsh.exe

Deletes itself 1 IoCs

pid	Process
1192	Process not Found

Executes dropped EXE 15 IoCs

pid	Process
1644	7E35.exe
1672	EC35.exe
1968	InstallSetup_four.exe
640	288c47bbc1871b439df19ff4df68f076.exe
1824	april.exe
1732	april.tmp
828	textultraedit.exe
2024	DC9.exe
1856	u1io.0.exe
2128	22FF.exe
2056	textultraedit.exe
2080	22FF.tmp
2936	38A2.exe
752	288c47bbc1871b439df19ff4df68f076.exe
2020	csrss.exe

Loads dropped DLL 26 IoCs

pid	Process
2356	regsvr32.exe
1672	EC35.exe
1672	EC35.exe
1672	EC35.exe
1672	EC35.exe
1824	april.exe
1732	april.tmp
1732	april.tmp
1732	april.tmp
1732	april.tmp
1968	InstallSetup_four.exe
1968	InstallSetup_four.exe
1968	InstallSetup_four.exe
1968	InstallSetup_four.exe
1968	InstallSetup_four.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe
2128	22FF.exe
2080	22FF.tmp
2080	22FF.tmp
2080	22FF.tmp
1668	WerFault.exe
752	288c47bbc1871b439df19ff4df68f076.exe
752	288c47bbc1871b439df19ff4df68f076.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	288c47bbc1871b439df19ff4df68f076.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	38A2.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	288c47bbc1871b439df19ff4df68f076.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	288c47bbc1871b439df19ff4df68f076.exe
File created	C:\Windows\rss\csrss.exe	288c47bbc1871b439df19ff4df68f076.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1668	1644	WerFault.exe	30

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DC9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DC9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DC9.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1io.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1io.0.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2820	d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe
2820	d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2820	d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe
2024	DC9.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1192	Process not Found
Token: SeShutdownPrivilege	1192	Process not Found
Token: SeShutdownPrivilege	1192	Process not Found
Token: SeShutdownPrivilege	1192	Process not Found
Token: SeShutdownPrivilege	1192	Process not Found
Token: SeDebugPrivilege	640	288c47bbc1871b439df19ff4df68f076.exe
Token: SeImpersonatePrivilege	640	288c47bbc1871b439df19ff4df68f076.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1644	1192	Process not Found	30
PID 1192 wrote to memory of 1644	1192	Process not Found	30
PID 1192 wrote to memory of 1644	1192	Process not Found	30
PID 1192 wrote to memory of 1644	1192	Process not Found	30
PID 1192 wrote to memory of 1752	1192	Process not Found	31
PID 1192 wrote to memory of 1752	1192	Process not Found	31
PID 1192 wrote to memory of 1752	1192	Process not Found	31
PID 1192 wrote to memory of 1752	1192	Process not Found	31
PID 1192 wrote to memory of 1752	1192	Process not Found	31
PID 1752 wrote to memory of 2356	1752	regsvr32.exe	32
PID 1752 wrote to memory of 2356	1752	regsvr32.exe	32
PID 1752 wrote to memory of 2356	1752	regsvr32.exe	32
PID 1752 wrote to memory of 2356	1752	regsvr32.exe	32
PID 1752 wrote to memory of 2356	1752	regsvr32.exe	32
PID 1752 wrote to memory of 2356	1752	regsvr32.exe	32
PID 1752 wrote to memory of 2356	1752	regsvr32.exe	32
PID 1192 wrote to memory of 1672	1192	Process not Found	33
PID 1192 wrote to memory of 1672	1192	Process not Found	33
PID 1192 wrote to memory of 1672	1192	Process not Found	33
PID 1192 wrote to memory of 1672	1192	Process not Found	33
PID 1672 wrote to memory of 1968	1672	EC35.exe	34
PID 1672 wrote to memory of 1968	1672	EC35.exe	34
PID 1672 wrote to memory of 1968	1672	EC35.exe	34
PID 1672 wrote to memory of 1968	1672	EC35.exe	34
PID 1672 wrote to memory of 1968	1672	EC35.exe	34
PID 1672 wrote to memory of 1968	1672	EC35.exe	34
PID 1672 wrote to memory of 1968	1672	EC35.exe	34
PID 1672 wrote to memory of 640	1672	EC35.exe	35
PID 1672 wrote to memory of 640	1672	EC35.exe	35
PID 1672 wrote to memory of 640	1672	EC35.exe	35
PID 1672 wrote to memory of 640	1672	EC35.exe	35
PID 1672 wrote to memory of 1824	1672	EC35.exe	36
PID 1672 wrote to memory of 1824	1672	EC35.exe	36
PID 1672 wrote to memory of 1824	1672	EC35.exe	36
PID 1672 wrote to memory of 1824	1672	EC35.exe	36
PID 1672 wrote to memory of 1824	1672	EC35.exe	36
PID 1672 wrote to memory of 1824	1672	EC35.exe	36
PID 1672 wrote to memory of 1824	1672	EC35.exe	36
PID 1824 wrote to memory of 1732	1824	april.exe	37
PID 1824 wrote to memory of 1732	1824	april.exe	37
PID 1824 wrote to memory of 1732	1824	april.exe	37
PID 1824 wrote to memory of 1732	1824	april.exe	37
PID 1824 wrote to memory of 1732	1824	april.exe	37
PID 1824 wrote to memory of 1732	1824	april.exe	37
PID 1824 wrote to memory of 1732	1824	april.exe	37
PID 1732 wrote to memory of 828	1732	april.tmp	38
PID 1732 wrote to memory of 828	1732	april.tmp	38
PID 1732 wrote to memory of 828	1732	april.tmp	38
PID 1732 wrote to memory of 828	1732	april.tmp	38
PID 1192 wrote to memory of 2024	1192	Process not Found	39
PID 1192 wrote to memory of 2024	1192	Process not Found	39
PID 1192 wrote to memory of 2024	1192	Process not Found	39
PID 1192 wrote to memory of 2024	1192	Process not Found	39
PID 1644 wrote to memory of 1668	1644	7E35.exe	40
PID 1644 wrote to memory of 1668	1644	7E35.exe	40
PID 1644 wrote to memory of 1668	1644	7E35.exe	40
PID 1644 wrote to memory of 1668	1644	7E35.exe	40
PID 1968 wrote to memory of 1856	1968	InstallSetup_four.exe	41
PID 1968 wrote to memory of 1856	1968	InstallSetup_four.exe	41
PID 1968 wrote to memory of 1856	1968	InstallSetup_four.exe	41
PID 1968 wrote to memory of 1856	1968	InstallSetup_four.exe	41
PID 1192 wrote to memory of 2128	1192	Process not Found	42
PID 1192 wrote to memory of 2128	1192	Process not Found	42
PID 1192 wrote to memory of 2128	1192	Process not Found	42

C:\Users\Admin\AppData\Local\Temp\d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe
"C:\Users\Admin\AppData\Local\Temp\d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2820

C:\Users\Admin\AppData\Local\Temp\7E35.exe
C:\Users\Admin\AppData\Local\Temp\7E35.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 560
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1668

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9F9A.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\9F9A.dll
  2⤵
  - Loads dropped DLL
  PID:2356

C:\Users\Admin\AppData\Local\Temp\EC35.exe
C:\Users\Admin\AppData\Local\Temp\EC35.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\u1io.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u1io.0.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:1856
- C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
  "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
    "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:2132
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:1300
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      PID:2020
- C:\Users\Admin\AppData\Local\Temp\april.exe
  "C:\Users\Admin\AppData\Local\Temp\april.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Users\Admin\AppData\Local\Temp\is-CA6BS.tmp\april.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-CA6BS.tmp\april.tmp" /SL5="$8014E,1478464,54272,C:\Users\Admin\AppData\Local\Temp\april.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe
      "C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe" -i
      4⤵
      Executes dropped EXE
      PID:828
  - - C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe
      "C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe" -s
      4⤵
      Executes dropped EXE
      PID:2056

C:\Users\Admin\AppData\Local\Temp\DC9.exe
C:\Users\Admin\AppData\Local\Temp\DC9.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2024

C:\Users\Admin\AppData\Local\Temp\22FF.exe
C:\Users\Admin\AppData\Local\Temp\22FF.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128
- C:\Users\Admin\AppData\Local\Temp\is-LI28F.tmp\22FF.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-LI28F.tmp\22FF.tmp" /SL5="$3018E,2096861,54272,C:\Users\Admin\AppData\Local\Temp\22FF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2080

C:\Users\Admin\AppData\Local\Temp\38A2.exe
C:\Users\Admin\AppData\Local\Temp\38A2.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2936

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240317021927.log C:\Windows\Logs\CBS\CbsPersist_20240317021927.cab
1⤵
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Kimoto IDE Plus\is-9I5NL.tmp

Filesize
122KB

MD5
6231b452e676ade27ca0ceb3a3cf874a

SHA1
f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1

SHA256
9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf

SHA512
f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\22FF.exe

Filesize
1.3MB

MD5
276165b1ecb60fef440db72781a4a5e3

SHA1
f7e965656c254abccc80fe92a730210eed1fbd33

SHA256
67a8062d9dc3469458a9ed0140874983cb66f50a07cccb3669daad5cb1531b51

SHA512
0a613134a6fa5271535340f1f30c5fcb389d07b3458ccd86041baf6c101dbef809d5d9419e9837c8e3974f00f74d48328a817008cb46e0b8310649a3c157c112

Download Submit
C:\Users\Admin\AppData\Local\Temp\22FF.exe

Filesize
2.3MB

MD5
f0088fc98e0841dd03e65aa8c0987029

SHA1
8c6e82224688efae6836710cdeefee150e2c33a9

SHA256
c5202b25d0bb54269c0275f979f395cce5feda5eaf8d25eb9f7acdecee736d3e

SHA512
845faec011d68f371c2bf7b11a4ca9217a68b1a178cb22ab474549a41f70e43c49dcf9565d597bee2f3e09da58e0df30e65ff0d87131b3718d7592561939c062

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
2.0MB

MD5
de268acbe6faeb43a5f1033d97a335c5

SHA1
c0571c7801bbd25e34cc7bd2faf8b69696385b52

SHA256
50483aad75739366e1768e53fdd54d72bc2eaf96050b276d03643ae140e2877c

SHA512
16ca34d6f99b7a4b499d4d83f0ef414c7fe99f8eff01b61a255446849ee9bc2bdfc3a9d3bbf8d9ecfae494a5f856fa06ab72ebe9728d9bf554084d724c18f465

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
3.6MB

MD5
e7a9d23f002ffa2467bb8685330939bf

SHA1
97770109e139fd08f93681a597a6e6782e8b8ac4

SHA256
b382f85877ddff53961f0f85dc6383f093be309706b5d94345726edd47fd9b1a

SHA512
a885eab43934ea182aa4bc324089fa2ad7dedd725f113f9c6a291798e7fc5775d614e0554680e8d4c3f3a8c69132bf816e10e114473aaece36a86462b4c664e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
1.4MB

MD5
4b368ded83e9801722b1d48b830cd211

SHA1
380304ede18c05bdfc220a29f882788390cd363f

SHA256
0c13370e84b43799b13a32c9c89fafb4988a7252c2da5fc037c78d25eb63a03e

SHA512
9873c67e711fdf4dba55ceb060a5d5cae8f8003138a410cb2d63626778a51b292ab675e47fcbd5a0ae8d0f56142366fe4d0d22a1089427de9983b6f31ee6deae

Download Submit
C:\Users\Admin\AppData\Local\Temp\38A2.exe

Filesize
554KB

MD5
a1b5ee1b9649ab629a7ac257e2392f8d

SHA1
dc1b14b6d57589440fb3021c9e06a3e3191968dc

SHA256
2bfd95260a4c52d4474cd51e74469fc3de94caed28937ff0ce99ded66af97e65

SHA512
50ccbb9fd4ea2da847c6be5988e1e82e28d551b06cc9122b921dbd40eff4b657a81a010cea76f29e88fda06f8c053090b38d04eb89a6d63ec4f42ef68b1cf82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E35.exe

Filesize
4.8MB

MD5
0de49b7358184b13c717ea9a823f12bb

SHA1
a764efe549b694c7ce05773c55b7d582b6f4ba2d

SHA256
48c26d758ee7acee07033f1583de83451a9e1f07facf958b786c654786f7f18f

SHA512
d10361e573912aad2dd49791c14cb6eec6d271eb5353b9c500e2824eb229e96799ecc982e96abb3fbd610eef6cb55487873bbac9dfbf0a68872beac746e9044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F9A.dll

Filesize
2.9MB

MD5
441e0b373665cbb5c31b83046144c19f

SHA1
d8df44336a6933c8bbc8ef3e7417771a04bdf72c

SHA256
cf5db7b441e8c5c899f808436d53848b2d37ba3167776902e3ad94a2629f7b30

SHA512
e9afa8a09a5b9b32562c10c28348cac3bb25da25dff6bb638f2c1460ceb8ec517a1a291fbd2066de938adbce5787e068bf1454cd63f2113942bdca160aca2d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC9.exe

Filesize
209KB

MD5
2140e3dafb1a4310c2a726e8fac6e85f

SHA1
d6e71d853dc8abdcadef40b236cfa62bd98ef1b9

SHA256
c7ba585f91ca2de06cbdc8c67044d0ded3925e6ce6bc260e674abb88f11adba9

SHA512
f4b9b6a07fac77320f1d320224be490e0d9a6809de1da9d856016d280c74d0287b2f739143dab4c272c4d5ea961055cfbff6ee5a0645a9f3d82b64a32c74d5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC35.exe

Filesize
3.6MB

MD5
f383e21b7c7f886a053f0fedfd6c37e6

SHA1
93caaf75d8ae1ec8fabde7f39358c7fb7f4f8781

SHA256
55816d1e0f09bb0db89762692698d31069aea8d44796960a8a1a1d936533bc0f

SHA512
bd3ae26d232288058f8480f6d0e204cd797f72cbbaff19cb3768509317e3b26df3ae59c5ecf9b82a85acd8f6094da5f8632164da2f88f188328c661e95b3aac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC35.exe

Filesize
3.7MB

MD5
fb4844eabc12bf4586ad51b50cf02813

SHA1
e1cddb63304d50e944186611a6566ec70096df1c

SHA256
0d04a8f1752d581a0a5f45b739a16d5967d5d4816bca37aa92f4feb8498b55ca

SHA512
d2ac365a51ff50210470c7e4d5b19db5be4905f2d56bccfc39557a16e9ca234207b913ed582861c6e4c47cc670b391807a795eeea6b562e38a9e7806b4f41571

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CA6BS.tmp\april.tmp

Filesize
677KB

MD5
33da9dc521f467c0405d3ef5377ce04b

SHA1
5249d7ce5dfabe5ee6d2fc7d3f3eba1e866b7d1f

SHA256
dbab8a7b2b45fc7001d5e34d3d45ccbe93a7591f12910281acf2c32f8c4e631c

SHA512
a3093637e1d731eab58080e10706db1afbf6e79fbac6593733b61033f97875ecbe230311e9741d349625ec3a66a6435318846d35290db8cd00af76d692699a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LI28F.tmp\22FF.tmp

Filesize
677KB

MD5
d20d1fe001f3ac8063a9ee93110c7bef

SHA1
ebe566a075449a0448531e994d34883b782601ef

SHA256
f89d62a78858fc027813134d8f4f2dfbaeed3dd6ae21be332b9d9b32da159798

SHA512
ae30786bade29aa769269ce27b70f4325d55eb47ab2075aacefec7fde23d92bcb011ccc869437b59cb29137ab4e7249c35dce51da9fceb35928fed4d1366adf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1io.0.exe

Filesize
239KB

MD5
ee3d5fa75c268e717b8df03009be4f69

SHA1
fdf703643290ccedd7bf109e4b0c96a16905f519

SHA256
8b4538c01edbaebd49c98ada499705f0bc79c238d83ae193e6347b2f811abdf9

SHA512
651c3369b64c49d26e8b82e86b3fb97fffd5a16813c27374788aaa1f28d5df3ae9492fe27d6a711b722b073d63200b32bbdf395990c980b8f7a814773daeeff5

Download Submit
C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe

Filesize
1.2MB

MD5
52cfcf6ecc0956f729d4e49b4999f132

SHA1
59097148820a2a20ec7aace89d5f3ebd94769163

SHA256
67ec624b3a77b8b0a1300772a100343a805490f9744bb1df29571a8f1172a43e

SHA512
5f037b9dae95716cb17f0494e99a605c658ad23d55a2d2a32f29558af5a36257390af5d0a11a711188453247112ae20a71050293d7a8fd40ab9da641cab1341d

Download Submit
C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe

Filesize
1.7MB

MD5
b5dcb054d3bca133164fc56da4a12199

SHA1
a52ba6046b758a27baa73b1177ed2f49dd2293c5

SHA256
bf3f16c6113d28fb110ad2e16d59c1dad8a3b9db579a117f3b449efbc3dcd950

SHA512
dae9c4ff715854c9079f238384710aec354dd8653844a35b5c5bbec08765af12dbcc4507cb7a0a89335203985af776a0d60a43b6df2e5a41576490ec97de373b

Download Submit
C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe

Filesize
704KB

MD5
271e99699fc19e730b1c034a0224888d

SHA1
39a2a5639d0d1d1b75bd4d3aea7a3f35002e7818

SHA256
067b6d775d9f38c7557904ba6e31aa9f7d8716312c1f9eb49ceaae1bfdff847d

SHA512
7cf1a0ea2960ed03eb486882936c6ed27d1b59b68217f60044eb6f94834633cd5f37e457aa0fd55bcd724476beb46aa3eedaabed920a277458a12829a0cfb501

Download Submit
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
1.4MB

MD5
b927af3067428e94f273436724f19598

SHA1
00d5284e9404d3ae19bb7d5fa46909db892b7fd5

SHA256
0863cb3753ec2c53e5a6df486a7f6d1eaa38253aa1a5969201335cecfab0e1ff

SHA512
f23fcac392e1c9beaa75fedf787213eda4a609713cd08fba6f90a6f1022fb4c48bcfab79a16c36ddb1f174ed866d03575c4752ab991ad5710bb2924f97e59004

Download Submit
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
1.5MB

MD5
6ff1a902a9a211117cebcfc38e679cb5

SHA1
226ca1b6cde92fe87afe4e1f3d00b0183657daff

SHA256
2f909d0f061a32418a5a4ccf38912c2b901425d907347af365281f00eb0af8fc

SHA512
ecd59ec16f2a9e4eb99baa0cfa97def1423da5cea57db6ee0e238b685426228368f56329daac87c3949bea2e267357a9ad0aa0866201ce6d5bbd5b4360883ae5

Download Submit
\Users\Admin\AppData\Local\Temp\7E35.exe

Filesize
768KB

MD5
2fc73b83b2e8160593410d5e3b3239a4

SHA1
f8c4265a4c80c14c1abbfb821a95b88fa5d05c62

SHA256
253856e6daa64cd2f3d7b13d033c70253f729422649cdc8d4bde91d8f62bafda

SHA512
2b76868b81c326abae3188459fe3b98633ea70b5e9a1fe79a769d3707b398ea24117777fe4f434208a3e7714029b8e9a78d3deb76494c92f52af39be828edd94

Download Submit
\Users\Admin\AppData\Local\Temp\7E35.exe

Filesize
718KB

MD5
5effa597e4e42a091dad673cdd7265b1

SHA1
151463d7476fc5194873c9ad20f62e177ad2091d

SHA256
143389e7d77b385db2e79b758b034b8c16ce70b67807fe0307673a462fc70976

SHA512
f8559111d02ef83f41562be92c1e83fee2bd84b44f20a572361d2c231ea144b41faa0dfda853a2e77af42a6af7f4dc9de669a0feeb1df8709327991739a00a59

Download Submit
\Users\Admin\AppData\Local\Temp\7E35.exe

Filesize
2.4MB

MD5
df87eb628a5f583b05a2dd490d1008b0

SHA1
5733fc234162541ac3dc8cac0e8b7b7a8225cdb8

SHA256
759ed5a051024e5151f5162bd6ec168c0307ef1bff6678a3d78fda33af7a68d8

SHA512
0b6bf3964c86505149cba99de73bdb26feaea27a9cfb41c3fc18cda7413f5511b980efaf71ad1559afe12520ae9307f055316ccdf7674718883f836ca5732132

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

Filesize
366KB

MD5
f98c75a2502a2f5251b262e4aeaf1c16

SHA1
0edb55ec7e7768a39f1bf37dc27aecd04507f63c

SHA256
392ff6fc0a544611919098a630cebfd47ecd210cdc34c97081bfe31c938ba67c

SHA512
b05969d381c66f06b3ec8af2a76312e3bf6cef34e84ef062685a16062ee50f0aa198a8d2d7641939ec2c66f08e3439357f15087eb51a7ef1b63a6683a129bd58

Download Submit
\Users\Admin\AppData\Local\Temp\april.exe

Filesize
1.8MB

MD5
a84541841e8d381cefe71b9467c439c3

SHA1
4e45c5d8ec17818e67a9d1b65183be203d54b7bd

SHA256
c4529e757bce9a52ff52cecff2b89344d33acc4cc3a23577b4f560396ab3beda

SHA512
43b28773d2d5529577c21a82d520e01716625a90b734f750722ee97abd92a9845267ce02b41cf75f0f50d165020b278f76386efbe8106979c429047b4f54dd49

Download Submit
\Users\Admin\AppData\Local\Temp\is-AO7JK.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-AO7JK.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\u1io.0.exe

Filesize
109KB

MD5
b56b7107d481fa126acd472cd6145c60

SHA1
f2b0aa72aef6e6eec2d4cc5fd85cce442cfa4722

SHA256
d97d29e02474a39fbdee61dfbd80fcbbf7639a0dac1b07531859eb50f86c3b5c

SHA512
a320f96b72f1356928b5521beedc20048fc083636c693d29a0168bd83b79a16a9b1f4be412c638b71157c4b01b04fbd4e032f986adc9c171e32ea96015107145

Download Submit
\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe

Filesize
1.3MB

MD5
f7aa49db067e548550ed1322de15bf53

SHA1
b2e0cc9964e7f08fa3862579f0cc4c6e6aa81b83

SHA256
94aa651e3e1891eb73a438c122ed81ae7234fb789d8efaf3b8d476de0ade60d5

SHA512
0ba3bb95af7295b2343685350e70e657e637e48b429b5861827474e4027387a611f32769e43bfc6defa7c4e9a2c323a9a1df5e261093e906290ef75689ba6d69

Download Submit
\Windows\rss\csrss.exe

Filesize
1.3MB

MD5
1594a7e0eeedef87c6c66e116e1e2c65

SHA1
941fd5e6498fc0c0b3c2f14452095d7f98880aa1

SHA256
fc67b81ee5e8320fc7350405a93aa9b168a7883a6b05945d0b0e5afc2aa2e535

SHA512
4985de06d4e92f904f4d036000d245782907db0f3f9d6ce820d3ae5829f1a0aa594c0c7190a0911f0e88a427d20961850548bee36cfa07fe6e26e52877267f99

Download Submit
\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
abc868cf6f8183990f8d476dbe1224ba

SHA1
b9226909d1c0472af5eabd6949232d509ecf38cb

SHA256
17573c321796456afc4e0fdf9eb00326636410dbbcd2c4c92495ef39a2f48924

SHA512
d1c1e5c11cb58430b8f9455fbbdb094fc51cdb75382b1e7d1b03c08936f553cfb73c71c9869428e8a77ad3e9de8cde15bbd733b4843cb9ed9dc394d1a160ba01

Download Submit
memory/640-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/640-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/640-105-0x0000000002700000-0x0000000002AF8000-memory.dmp

Filesize
4.0MB

Download
memory/640-111-0x0000000002B00000-0x00000000033EB000-memory.dmp

Filesize
8.9MB

Download
memory/640-127-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/640-107-0x0000000002700000-0x0000000002AF8000-memory.dmp

Filesize
4.0MB

Download
memory/640-108-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/640-207-0x0000000002700000-0x0000000002AF8000-memory.dmp

Filesize
4.0MB

Download
memory/640-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/752-262-0x00000000025B0000-0x00000000029A8000-memory.dmp

Filesize
4.0MB

Download
memory/752-263-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/752-257-0x00000000025B0000-0x00000000029A8000-memory.dmp

Filesize
4.0MB

Download
memory/752-273-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/828-123-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/828-109-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/828-125-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/828-157-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1192-170-0x0000000002D00000-0x0000000002D16000-memory.dmp

Filesize
88KB

Download
memory/1192-4-0x0000000002A20000-0x0000000002A36000-memory.dmp

Filesize
88KB

Download
memory/1644-17-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/1644-16-0x0000000000CE0000-0x00000000011B6000-memory.dmp

Filesize
4.8MB

Download
memory/1644-31-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/1672-59-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/1672-37-0x0000000000FE0000-0x0000000001624000-memory.dmp

Filesize
6.3MB

Download
memory/1672-38-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/1732-150-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1732-74-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1732-205-0x0000000003380000-0x000000000352A000-memory.dmp

Filesize
1.7MB

Download
memory/1732-106-0x0000000003380000-0x000000000352A000-memory.dmp

Filesize
1.7MB

Download
memory/1732-204-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1824-62-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1824-149-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1856-304-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1856-219-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1856-213-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/1856-211-0x0000000000640000-0x0000000000667000-memory.dmp

Filesize
156KB

Download
memory/1856-229-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1856-212-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1968-124-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1968-256-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1968-278-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1968-112-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1968-113-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1968-279-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1968-217-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1968-114-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2020-292-0x00000000027C0000-0x0000000002BB8000-memory.dmp

Filesize
4.0MB

Download
memory/2020-294-0x0000000002BC0000-0x00000000034AB000-memory.dmp

Filesize
8.9MB

Download
memory/2020-305-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2024-172-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2024-130-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2024-128-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/2024-126-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/2056-254-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2056-293-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2056-289-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2056-164-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2056-195-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2080-173-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2080-291-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2080-255-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2128-155-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2128-253-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2356-26-0x0000000002720000-0x0000000002842000-memory.dmp

Filesize
1.1MB

Download
memory/2356-29-0x0000000002720000-0x0000000002842000-memory.dmp

Filesize
1.1MB

Download
memory/2356-21-0x0000000010000000-0x00000000102F2000-memory.dmp

Filesize
2.9MB

Download
memory/2356-22-0x0000000000110000-0x0000000000116000-memory.dmp

Filesize
24KB

Download
memory/2356-24-0x00000000025E0000-0x0000000002720000-memory.dmp

Filesize
1.2MB

Download
memory/2356-25-0x0000000010000000-0x00000000102F2000-memory.dmp

Filesize
2.9MB

Download
memory/2356-30-0x0000000002720000-0x0000000002842000-memory.dmp

Filesize
1.1MB

Download
memory/2820-5-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2820-3-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2820-1-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2820-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2936-210-0x0000000000400000-0x0000000001A77000-memory.dmp

Filesize
22.5MB

Download
memory/2936-208-0x0000000001BE0000-0x0000000001CE0000-memory.dmp

Filesize
1024KB

Download
memory/2936-209-0x0000000000220000-0x000000000028B000-memory.dmp

Filesize
428KB

Download
memory/2936-303-0x0000000001BE0000-0x0000000001CE0000-memory.dmp

Filesize
1024KB

Download
memory/2936-261-0x0000000000400000-0x0000000001A77000-memory.dmp

Filesize
22.5MB

Download
memory/2936-206-0x0000000000400000-0x0000000001A77000-memory.dmp

Filesize
22.5MB

Download