amadey | c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2024 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exe
Size

1.9MB
MD5

3ea6ee6a82cb6f39f487ea4c1e623aa2
SHA1

1a9d7924ec93e0f9131284d4872c74596168c2cd
SHA256

c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0
SHA512

064e02cbf4bce446f93a808f43b4d4fe721b9e609dcc8e72ced5aa1c908b94f30f967d830524646e4fd42238b98d96199e75cd076d2fdaf02d5096f5d3e9c76b
SSDEEP

49152:OZ8D0Rgea+i1LzF6IrJaJG4NtwzwGAHJgEu4U:ZD08Jwt4dAHfn

Score

10^/10

amadey glupteba lumma risepro discovery dropper evasion loader persistence rootkit spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

lumma

https://associationokeo.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3232-342-0x0000000000400000-0x0000000000ED5000-memory.dmp	family_glupteba
behavioral1/memory/2832-476-0x0000000000400000-0x0000000000ED5000-memory.dmp	family_glupteba
behavioral1/memory/3512-588-0x0000000000400000-0x0000000000ED5000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exec0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exeexplorha.exec5fca7a473.exeexplorha.exeexplorha.exeexplorha.exerandom.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c5fca7a473.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

71 880 rundll32.exe
97 3768 rundll32.exe
237 1628 rundll32.exe
258 748 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3928 netsh.exe

flow	pid	process
71	880	rundll32.exe
97	3768	rundll32.exe
237	1628	rundll32.exe
258	748	rundll32.exe

pid	process
3928	netsh.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorha.exerandom.exeexplorha.exec0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exeexplorha.exec5fca7a473.exeexplorha.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c5fca7a473.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c5fca7a473.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exeexplorha.exechrosha.exeboom8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	explorha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	chrosha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	boom8.exe

Executes dropped EXE 18 IoCs

Processes:

explorha.exec5fca7a473.exeexplorha.exelumma21.exeexplorha.exeexplorha.exechrosha.exerandom.exelummalg.exeboom8.exe4767d2e713f2021e8fe856e3ea638b58.exe4767d2e713f2021e8fe856e3ea638b58.execsrss.exeinjector.exewindefender.exewindefender.exeexplorha.exeboom8.exe

pid	process
2944	explorha.exe
388	c5fca7a473.exe
2308	explorha.exe
2348	lumma21.exe
2276	explorha.exe
4916	explorha.exe
1060	chrosha.exe
220	random.exe
4336	lummalg.exe
4976	boom8.exe
3232	4767d2e713f2021e8fe856e3ea638b58.exe
2832	4767d2e713f2021e8fe856e3ea638b58.exe
3512	csrss.exe
3376	injector.exe
4072	windefender.exe
4068	windefender.exe
3900	explorha.exe
1192	boom8.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exec0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exeexplorha.exec5fca7a473.exeexplorha.exeexplorha.exeexplorha.exerandom.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine	c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exe
Key opened	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine	c5fca7a473.exe
Key opened	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine	random.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

396 rundll32.exe
880 rundll32.exe
3768 rundll32.exe
3716 rundll32.exe
1628 rundll32.exe
748 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
396	rundll32.exe
880	rundll32.exe
3768	rundll32.exe
3716	rundll32.exe
1628	rundll32.exe
748	rundll32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4767d2e713f2021e8fe856e3ea638b58.execsrss.exeexplorha.exechrosha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c5fca7a473.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000022001\\c5fca7a473.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000053001\\random.exe"	chrosha.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exe

pid process

4952 c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exe
2944 explorha.exe
2276 explorha.exe
4916 explorha.exe
3900 explorha.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

explorha.exelummalg.exe

description	pid	process	target process
PID 2944 set thread context of 2308	2944	explorha.exe	explorha.exe
PID 4336 set thread context of 4656	4336	lummalg.exe	RegAsm.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

4767d2e713f2021e8fe856e3ea638b58.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 4767d2e713f2021e8fe856e3ea638b58.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	4767d2e713f2021e8fe856e3ea638b58.exe

Drops file in Windows directory 6 IoCs

Processes:

csrss.exec0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exelumma21.exe4767d2e713f2021e8fe856e3ea638b58.exe

description	ioc	process
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\explorha.job	c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exe
File created	C:\Windows\Tasks\chrosha.job	lumma21.exe
File opened for modification	C:\Windows\rss	4767d2e713f2021e8fe856e3ea638b58.exe
File created	C:\Windows\rss\csrss.exe	4767d2e713f2021e8fe856e3ea638b58.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4836 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4836	sc.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4544	4656	WerFault.exe	RegAsm.exe
2456	4656	WerFault.exe	RegAsm.exe
4336	3232	WerFault.exe	4767d2e713f2021e8fe856e3ea638b58.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5008 schtasks.exe
3716 schtasks.exe
4056 schtasks.exe

pid	process
5008	schtasks.exe
3716	schtasks.exe
4056	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

4767d2e713f2021e8fe856e3ea638b58.exepowershell.exepowershell.exepowershell.exewindefender.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exeexplorha.exerundll32.exeexplorha.exepowershell.exeexplorha.exepowershell.exe4767d2e713f2021e8fe856e3ea638b58.exepowershell.exerundll32.exe4767d2e713f2021e8fe856e3ea638b58.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4952	c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exe
4952	c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exe
2944	explorha.exe
2944	explorha.exe
880	rundll32.exe
880	rundll32.exe
880	rundll32.exe
880	rundll32.exe
880	rundll32.exe
880	rundll32.exe
880	rundll32.exe
880	rundll32.exe
880	rundll32.exe
880	rundll32.exe
2276	explorha.exe
2276	explorha.exe
1792	powershell.exe
1792	powershell.exe
1792	powershell.exe
4916	explorha.exe
4916	explorha.exe
4156	powershell.exe
4156	powershell.exe
4156	powershell.exe
3232	4767d2e713f2021e8fe856e3ea638b58.exe
3232	4767d2e713f2021e8fe856e3ea638b58.exe
1596	powershell.exe
1596	powershell.exe
1596	powershell.exe
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
2832	4767d2e713f2021e8fe856e3ea638b58.exe
2832	4767d2e713f2021e8fe856e3ea638b58.exe
2832	4767d2e713f2021e8fe856e3ea638b58.exe
2832	4767d2e713f2021e8fe856e3ea638b58.exe
2832	4767d2e713f2021e8fe856e3ea638b58.exe
2832	4767d2e713f2021e8fe856e3ea638b58.exe
2832	4767d2e713f2021e8fe856e3ea638b58.exe
2832	4767d2e713f2021e8fe856e3ea638b58.exe
2832	4767d2e713f2021e8fe856e3ea638b58.exe
2832	4767d2e713f2021e8fe856e3ea638b58.exe
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
3692	powershell.exe
3692	powershell.exe
2492	powershell.exe
2492	powershell.exe
3692	powershell.exe
2492	powershell.exe
2708	powershell.exe
2708	powershell.exe
2708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
4068	powershell.exe
4068	powershell.exe
4068	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exepowershell.exe4767d2e713f2021e8fe856e3ea638b58.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exesc.exe

description	pid	process
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	3232	4767d2e713f2021e8fe856e3ea638b58.exe
Token: SeImpersonatePrivilege	3232	4767d2e713f2021e8fe856e3ea638b58.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeSystemEnvironmentPrivilege	3512	csrss.exe
Token: SeSecurityPrivilege	4836	sc.exe
Token: SeSecurityPrivilege	4836	sc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

lumma21.exe

pid process

2348 lumma21.exe

pid	process
2348	lumma21.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exeexplorha.exerundll32.exerundll32.exechrosha.exelummalg.exeboom8.exe4767d2e713f2021e8fe856e3ea638b58.exe4767d2e713f2021e8fe856e3ea638b58.exe

description	pid	process	target process
PID 4952 wrote to memory of 2944	4952	c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exe	explorha.exe
PID 4952 wrote to memory of 2944	4952	c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exe	explorha.exe
PID 4952 wrote to memory of 2944	4952	c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exe	explorha.exe
PID 2944 wrote to memory of 388	2944	explorha.exe	c5fca7a473.exe
PID 2944 wrote to memory of 388	2944	explorha.exe	c5fca7a473.exe
PID 2944 wrote to memory of 388	2944	explorha.exe	c5fca7a473.exe
PID 2944 wrote to memory of 2308	2944	explorha.exe	explorha.exe
PID 2944 wrote to memory of 2308	2944	explorha.exe	explorha.exe
PID 2944 wrote to memory of 2308	2944	explorha.exe	explorha.exe
PID 2944 wrote to memory of 2308	2944	explorha.exe	explorha.exe
PID 2944 wrote to memory of 2308	2944	explorha.exe	explorha.exe
PID 2944 wrote to memory of 2308	2944	explorha.exe	explorha.exe
PID 2944 wrote to memory of 2308	2944	explorha.exe	explorha.exe
PID 2944 wrote to memory of 2308	2944	explorha.exe	explorha.exe
PID 2944 wrote to memory of 2308	2944	explorha.exe	explorha.exe
PID 2944 wrote to memory of 2308	2944	explorha.exe	explorha.exe
PID 2944 wrote to memory of 2308	2944	explorha.exe	explorha.exe
PID 2944 wrote to memory of 2308	2944	explorha.exe	explorha.exe
PID 2944 wrote to memory of 396	2944	explorha.exe	rundll32.exe
PID 2944 wrote to memory of 396	2944	explorha.exe	rundll32.exe
PID 2944 wrote to memory of 396	2944	explorha.exe	rundll32.exe
PID 396 wrote to memory of 880	396	rundll32.exe	rundll32.exe
PID 396 wrote to memory of 880	396	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 3940	880	rundll32.exe	netsh.exe
PID 880 wrote to memory of 3940	880	rundll32.exe	netsh.exe
PID 2944 wrote to memory of 2348	2944	explorha.exe	lumma21.exe
PID 2944 wrote to memory of 2348	2944	explorha.exe	lumma21.exe
PID 2944 wrote to memory of 2348	2944	explorha.exe	lumma21.exe
PID 880 wrote to memory of 1792	880	rundll32.exe	powershell.exe
PID 880 wrote to memory of 1792	880	rundll32.exe	powershell.exe
PID 2944 wrote to memory of 3768	2944	explorha.exe	rundll32.exe
PID 2944 wrote to memory of 3768	2944	explorha.exe	rundll32.exe
PID 2944 wrote to memory of 3768	2944	explorha.exe	rundll32.exe
PID 1060 wrote to memory of 220	1060	chrosha.exe	random.exe
PID 1060 wrote to memory of 220	1060	chrosha.exe	random.exe
PID 1060 wrote to memory of 220	1060	chrosha.exe	random.exe
PID 1060 wrote to memory of 4336	1060	chrosha.exe	lummalg.exe
PID 1060 wrote to memory of 4336	1060	chrosha.exe	lummalg.exe
PID 1060 wrote to memory of 4336	1060	chrosha.exe	lummalg.exe
PID 4336 wrote to memory of 4656	4336	lummalg.exe	RegAsm.exe
PID 4336 wrote to memory of 4656	4336	lummalg.exe	RegAsm.exe
PID 4336 wrote to memory of 4656	4336	lummalg.exe	RegAsm.exe
PID 4336 wrote to memory of 4656	4336	lummalg.exe	RegAsm.exe
PID 4336 wrote to memory of 4656	4336	lummalg.exe	RegAsm.exe
PID 4336 wrote to memory of 4656	4336	lummalg.exe	RegAsm.exe
PID 4336 wrote to memory of 4656	4336	lummalg.exe	RegAsm.exe
PID 4336 wrote to memory of 4656	4336	lummalg.exe	RegAsm.exe
PID 4336 wrote to memory of 4656	4336	lummalg.exe	RegAsm.exe
PID 1060 wrote to memory of 4976	1060	chrosha.exe	boom8.exe
PID 1060 wrote to memory of 4976	1060	chrosha.exe	boom8.exe
PID 1060 wrote to memory of 4976	1060	chrosha.exe	boom8.exe
PID 4976 wrote to memory of 5008	4976	boom8.exe	schtasks.exe
PID 4976 wrote to memory of 5008	4976	boom8.exe	schtasks.exe
PID 4976 wrote to memory of 5008	4976	boom8.exe	schtasks.exe
PID 4976 wrote to memory of 3232	4976	boom8.exe	4767d2e713f2021e8fe856e3ea638b58.exe
PID 4976 wrote to memory of 3232	4976	boom8.exe	4767d2e713f2021e8fe856e3ea638b58.exe
PID 4976 wrote to memory of 3232	4976	boom8.exe	4767d2e713f2021e8fe856e3ea638b58.exe
PID 3232 wrote to memory of 4156	3232	4767d2e713f2021e8fe856e3ea638b58.exe	powershell.exe
PID 3232 wrote to memory of 4156	3232	4767d2e713f2021e8fe856e3ea638b58.exe	powershell.exe
PID 3232 wrote to memory of 4156	3232	4767d2e713f2021e8fe856e3ea638b58.exe	powershell.exe
PID 2832 wrote to memory of 1596	2832	4767d2e713f2021e8fe856e3ea638b58.exe	powershell.exe
PID 2832 wrote to memory of 1596	2832	4767d2e713f2021e8fe856e3ea638b58.exe	powershell.exe
PID 2832 wrote to memory of 1596	2832	4767d2e713f2021e8fe856e3ea638b58.exe	powershell.exe
PID 1060 wrote to memory of 3716	1060	chrosha.exe	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exe
"C:\Users\Admin\AppData\Local\Temp\c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\1000022001\c5fca7a473.exe
    "C:\Users\Admin\AppData\Local\Temp\1000022001\c5fca7a473.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    PID:388
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    PID:2308
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:880
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:3940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\999976163400_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
- - C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
    "C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of FindShellTrayWindow
    PID:2348
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:3768

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2276

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4916

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\1000053001\random.exe
  "C:\Users\Admin\AppData\Local\Temp\1000053001\random.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  PID:220
- C:\Users\Admin\AppData\Local\Temp\1000063001\lummalg.exe
  "C:\Users\Admin\AppData\Local\Temp\1000063001\lummalg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1232
      4⤵
      Program crash
      PID:4544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1232
      4⤵
      Program crash
      PID:2456
- C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
  "C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN boom8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:5008
- - C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe
    "C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4156
  - - C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe
      "C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1888
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:3928
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3512
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:3716
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:1636
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4068
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:3848
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        
        PID:3376
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:4056
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 624
      4⤵
      Program crash
      PID:4336
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:3716
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1628
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:3232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\999976163400_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2492
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4656 -ip 4656
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4656 -ip 4656
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3232 -ip 3232
1⤵
PID:3960

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4068

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3900

C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
1⤵
- Executes dropped EXE
PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fe3aab3ae544a134b68e881b82b70169

SHA1
926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

SHA256
bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

SHA512
3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
74cd4674166ac8f1bea0a81b6bb8eabc

SHA1
0e7e9faee65e22e86a0f47664f3489c12e710d90

SHA256
430d083ba64e6ecf668e892360b5a4a3423ff492e84f01f14aa69957de2e1e44

SHA512
ce07207402aefa1503da21c5cc29e55f777abd5a04b2b41061c6d6a37da7ec3a2df0388c7481bf0c71e4f656cb703ca19c6ecde9cbe5ae21d2948321ee7d7391

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.1MB

MD5
7296564133961b8b7f7d5f54680bf618

SHA1
2a4686899d8777bebbf2ec849b5f9ed592bc2f15

SHA256
76624537a2fbef9af4b647ab547986f37c2bc18e9877acfe5ef37c97716e03dd

SHA512
e920308500340dc5336766b3e701963354b9a97d309a0f1dc0dae3355689e4544a53580acaba49e7f7c959d0a5f532bdf8bb797aac786c009481cdf482d9287c

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.9MB

MD5
3ea6ee6a82cb6f39f487ea4c1e623aa2

SHA1
1a9d7924ec93e0f9131284d4872c74596168c2cd

SHA256
c0d54d85b76b2605a960a7ba3d91542534f2a07f20b17ac58d01e0dc910f28b0

SHA512
064e02cbf4bce446f93a808f43b4d4fe721b9e609dcc8e72ced5aa1c908b94f30f967d830524646e4fd42238b98d96199e75cd076d2fdaf02d5096f5d3e9c76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000022001\c5fca7a473.exe

Filesize
3.0MB

MD5
11901aa29f74ae89bb0810adf7d2808f

SHA1
fc044f40ab31c9430a29315c6911334fe9de5959

SHA256
22e5293a211722517cdafd32c27fe87b868459053f8215f1f2e6a58a1b259d42

SHA512
cc447a6a5ee34eb5366e0fac64a3ca1b57477f7732a2a467acbda7077fd5d7bc0a762f313efb623edf56c78918eac5a7cf760b86bdf9bb99f4a515369d19fe71

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe

Filesize
413KB

MD5
d467222c3bd563cb72fa49302f80b079

SHA1
9335e2a36abb8309d8a2075faf78d66b968b2a91

SHA256
fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

SHA512
484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000063001\lummalg.exe

Filesize
350KB

MD5
04df085b57814d1a1accead4e153909e

SHA1
6d277da314ef185ba9072a9b677b599b1f46c35b

SHA256
91a36d137ebfa812b055728807e11338d15d3a5d869cb4babdf779266688e4dd

SHA512
f37678424e46e4f28e1047161db60ad737515558c8c8905ed598ca96b198304da7356e49e7bb9d1e77fe75372f0b5a7f670a353d093749c37bb85c40ec7fdafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe

Filesize
477KB

MD5
9f7ed403646b8a8cc73baad4c9ed6456

SHA1
0513308756cef75b9f3167b13b7bcad1203592f8

SHA256
8d747f3e499c8e62018eb103d947eb0b88a1e971d0e60c07cf4c650c611b0d7a

SHA512
01195b0d3d3ab85d3a70f19885dbbd6f8cd017877ac86fbaf54f1692d141292450e3638eb030d87a90f0d1bca28706cfcfc09f30c8555b874b967016e99994dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe

Filesize
4.2MB

MD5
e926ae91ecbd102730b5d3a9967cb3e5

SHA1
42704a90ebb5cac4eb340ad7f1a153788ecca2aa

SHA256
e60ede5c74d07d9c334311256c5da96f69a4d943b994e7e8f8baed9510d8f9ab

SHA512
83a2587329aff50b894d0198efd1ba2bd64cc2f394b7c62162e0ed4ce8fc6bbb0dde99d32f3bac4e451b386754b6f3483d84b5db4b765ed19e5a0ccf6d8611b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kn5geisn.gtp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
2b95a5e37ce72717b4dfee11cb2ed8a0

SHA1
081d3ab2c7972894151cc216837ee894837ea7cf

SHA256
513936a4a491e666f42251b4c821ca82982467622bff48ae060f2bc2a07d00a2

SHA512
a24dc80b8d7e949ff982cb13a726252319391ba0757f47f30ab70c50e751581d3351910215d8b3933b09e8a3ec57c81eace62751542fb74d033d403febeffa4b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
dfefc74da0502e841496bcbd9aa02dea

SHA1
03c5c8e6dead4c1bdd0247fbfb4979404fc4f38e

SHA256
b397cf5d042a7399f1073ee332322e53ade7083835bf3104f03010904a6e166a

SHA512
a7a36187466548a476905bfb2b06e88c1a94a94a31d3fb8c5804129bd60895ed0e6780d5c001522b1944d14fdc84557c7cf608c1911078cd62b1aca092ee9e63

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
a39d092ceb9759ba00bdf51c6cf1f126

SHA1
98b1b36276fa4354693120610788d79360b42f86

SHA256
d284769b0bb6f8666ddb2a04095656773de2677f815dac2f21d9a6513a80149b

SHA512
c9732843734eeba49c996e758c03d41367b3ba8a25fac3f6159111afef16c63f9034bd5abb0d7bcd0ffc20fa6241250dd2c666b42d0642afec2e1a0f3d0f2522

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
5f368bda719b14539081c9d5a818f200

SHA1
9489a4dd6eb27da03b19280d400a042e5ec030af

SHA256
a86ddef10d7c98442c1c0f9a63fcec815df8d87551b4b76d4254a9b5636c373a

SHA512
24ca5cc2deeefee21411f1028a3976288f865baab28cbb0fb0ca53c6dfa347e41796e4477b4f1eb2927c6b3c703f60a4c646f3e00673e9b45a9eb8286a45fad8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
ce1e45a88d2ec0b1fb67573d1dcc650b

SHA1
778d9c6ad1b1bb8d96e1fa0cf464b04255dd3816

SHA256
9aa2e12171ffce33b8b03bd2c0c5caf9d976ddca2b51f2eb75a02b7246cf3037

SHA512
28632e1119b2c375c79f7ff627e133e38cbc9bbc0c97d96989977a0bd0f764245f08fce7d24d47f396e2e48801bbb384e8967cabdd78237a1cacbf5058e70f51

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/220-213-0x0000000000860000-0x0000000000C16000-memory.dmp

Filesize
3.7MB

Download
memory/220-592-0x0000000000860000-0x0000000000C16000-memory.dmp

Filesize
3.7MB

Download
memory/220-360-0x0000000000860000-0x0000000000C16000-memory.dmp

Filesize
3.7MB

Download
memory/220-538-0x0000000000860000-0x0000000000C16000-memory.dmp

Filesize
3.7MB

Download
memory/220-212-0x0000000000860000-0x0000000000C16000-memory.dmp

Filesize
3.7MB

Download
memory/388-51-0x0000000000280000-0x0000000000636000-memory.dmp

Filesize
3.7MB

Download
memory/388-56-0x0000000000280000-0x0000000000636000-memory.dmp

Filesize
3.7MB

Download
memory/388-178-0x0000000000280000-0x0000000000636000-memory.dmp

Filesize
3.7MB

Download
memory/388-176-0x0000000000280000-0x0000000000636000-memory.dmp

Filesize
3.7MB

Download
memory/388-52-0x0000000000280000-0x0000000000636000-memory.dmp

Filesize
3.7MB

Download
memory/388-174-0x0000000000280000-0x0000000000636000-memory.dmp

Filesize
3.7MB

Download
memory/388-172-0x0000000000280000-0x0000000000636000-memory.dmp

Filesize
3.7MB

Download
memory/388-170-0x0000000000280000-0x0000000000636000-memory.dmp

Filesize
3.7MB

Download
memory/388-586-0x0000000000280000-0x0000000000636000-memory.dmp

Filesize
3.7MB

Download
memory/388-157-0x0000000000280000-0x0000000000636000-memory.dmp

Filesize
3.7MB

Download
memory/388-269-0x0000000000280000-0x0000000000636000-memory.dmp

Filesize
3.7MB

Download
memory/388-393-0x0000000000280000-0x0000000000636000-memory.dmp

Filesize
3.7MB

Download
memory/388-126-0x0000000000280000-0x0000000000636000-memory.dmp

Filesize
3.7MB

Download
memory/1792-135-0x000002A786340000-0x000002A786350000-memory.dmp

Filesize
64KB

Download
memory/1792-145-0x00007FFBC99A0000-0x00007FFBCA461000-memory.dmp

Filesize
10.8MB

Download
memory/1792-156-0x00007FFBC99A0000-0x00007FFBCA461000-memory.dmp

Filesize
10.8MB

Download
memory/1792-134-0x000002A786310000-0x000002A786332000-memory.dmp

Filesize
136KB

Download
memory/1792-148-0x000002A79EBD0000-0x000002A79EBE2000-memory.dmp

Filesize
72KB

Download
memory/1792-149-0x000002A79EBC0000-0x000002A79EBCA000-memory.dmp

Filesize
40KB

Download
memory/1792-147-0x000002A786340000-0x000002A786350000-memory.dmp

Filesize
64KB

Download
memory/1792-146-0x000002A786340000-0x000002A786350000-memory.dmp

Filesize
64KB

Download
memory/2276-127-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/2276-121-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/2276-128-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/2276-155-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/2276-132-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/2276-133-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/2276-129-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/2276-130-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/2276-131-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/2308-71-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/2308-107-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-115-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-70-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-119-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-114-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-122-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-120-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-117-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-88-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-113-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-112-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-109-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-111-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-108-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-79-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-89-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-75-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-100-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-106-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-105-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-102-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-104-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-103-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-101-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-97-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-91-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-78-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-77-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-58-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-169-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-76-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2308-90-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/2832-476-0x0000000000400000-0x0000000000ED5000-memory.dmp

Filesize
10.8MB

Download
memory/2944-290-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/2944-168-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/2944-175-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/2944-171-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/2944-177-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/2944-61-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/2944-179-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/2944-28-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/2944-587-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/2944-118-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/2944-468-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/2944-23-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/2944-24-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/2944-25-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/2944-26-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/2944-173-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/2944-27-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/2944-29-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/2944-57-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/2944-53-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/2944-30-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/2944-31-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/2944-32-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/3232-342-0x0000000000400000-0x0000000000ED5000-memory.dmp

Filesize
10.8MB

Download
memory/3232-287-0x0000000002B30000-0x0000000002F2A000-memory.dmp

Filesize
4.0MB

Download
memory/3512-588-0x0000000000400000-0x0000000000ED5000-memory.dmp

Filesize
10.8MB

Download
memory/4336-242-0x00000000033D0000-0x00000000053D0000-memory.dmp

Filesize
32.0MB

Download
memory/4336-243-0x00000000732A0000-0x0000000073A50000-memory.dmp

Filesize
7.7MB

Download
memory/4336-234-0x00000000732A0000-0x0000000073A50000-memory.dmp

Filesize
7.7MB

Download
memory/4336-233-0x0000000000F10000-0x0000000000F6E000-memory.dmp

Filesize
376KB

Download
memory/4656-240-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4656-244-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/4656-245-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/4656-246-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4656-237-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4916-191-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/4916-186-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/4916-201-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/4916-190-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/4916-189-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/4916-188-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/4916-185-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/4916-183-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/4916-184-0x0000000000C70000-0x000000000114D000-memory.dmp

Filesize
4.9MB

Download
memory/4916-187-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/4952-9-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4952-0-0x0000000000630000-0x0000000000B0D000-memory.dmp

Filesize
4.9MB

Download
memory/4952-8-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4952-7-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4952-6-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4952-5-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4952-3-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4952-4-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4952-10-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4952-21-0x0000000000630000-0x0000000000B0D000-memory.dmp

Filesize
4.9MB

Download
memory/4952-2-0x0000000000630000-0x0000000000B0D000-memory.dmp

Filesize
4.9MB

Download
memory/4952-1-0x0000000077C84000-0x0000000077C86000-memory.dmp

Filesize
8KB

Download