cryptbot | ba15a8b7d1ecc6348ee4806b0903afdf5917a595a909ce529e85cacd197c6e77

Resubmissions

10-04-2024 04:40

240410-fa2mesgd4v 10

09-04-2024 17:09

240409-vpkd1sdb73 10

Analysis

max time kernel
300s
max time network
301s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer.exe
Size

3.9MB
MD5

7ae4349cc7e8c98084c05e2085b56645
SHA1

db7a339d5731471435450be094ba711ca7194685
SHA256

b89fdf606986324fa9260f434dc1561d716985d0886fba180b88f3afb9dec729
SHA512

5196ac4aa9ca69c342fa5a391f011881db608600cbfbfb4ae1391477ec59aa83846c955ed73573a09828b7b574a5a0b07e19871245ac19518c03480b9fc8ec3d
SSDEEP

98304:xaCvLUBsgxkKH8DBAPbT7J7go2i2JjQCQ+gHhjPrLi:x7LUCgSKH84zGo2i2Jc1BHi

Malware Config

Extracted

Family

nullmixer

http://marisana.xyz/

Extracted

Family

privateloader

http://37.0.10.214/proxies.txt

http://37.0.10.171/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.185

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

vidar

Version

Botnet

706

https://lenak513.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

pab3

185.215.113.15:61506

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

cryptbot

knurxh28.top

moraku02.top

Attributes

payload_url
http://sargym03.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 6 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1472-388-0x0000000003D40000-0x0000000003DE3000-memory.dmp	family_cryptbot
behavioral3/memory/1472-389-0x0000000003D40000-0x0000000003DE3000-memory.dmp	family_cryptbot
behavioral3/memory/1472-390-0x0000000003D40000-0x0000000003DE3000-memory.dmp	family_cryptbot
behavioral3/memory/1472-391-0x0000000003D40000-0x0000000003DE3000-memory.dmp	family_cryptbot
behavioral3/memory/1472-407-0x0000000003D40000-0x0000000003DE3000-memory.dmp	family_cryptbot
behavioral3/memory/1472-642-0x0000000003D40000-0x0000000003DE3000-memory.dmp	family_cryptbot

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer

PrivateLoader 1 IoCs

PrivateLoader.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue195f40779b28e9814.exe	win_privateloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1152-152-0x0000000004B20000-0x0000000004B42000-memory.dmp	family_redline
behavioral3/memory/1152-157-0x0000000004D40000-0x0000000004D60000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1152-152-0x0000000004B20000-0x0000000004B42000-memory.dmp	family_sectoprat
behavioral3/memory/1152-157-0x0000000004D40000-0x0000000004D60000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral3/memory/884-149-0x0000000002D20000-0x0000000002DBD000-memory.dmp	family_vidar
behavioral3/memory/884-153-0x0000000000400000-0x0000000002D1A000-memory.dmp	family_vidar
behavioral3/memory/884-375-0x0000000000400000-0x0000000002D1A000-memory.dmp	family_vidar

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\7zS06BFFA26\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\libstdc++-6.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS06BFFA26\libcurlpp.dll	aspack_v212_v242

Executes dropped EXE 13 IoCs

Processes:

setup_install.exeTue19301d0ee47f9.exeTue19167b39532817c6.exeTue19519844d595cb.exeTue1928d87039b3a61.exeTue19638bb08519f.exeTue1911a97ae09.exeTue195f40779b28e9814.exeTue1931cb6307cc71e4.exeTue190a6b23f5160050.exeTue19301d0ee47f9.exeVolevo.exe.comVolevo.exe.com

pid	process
2660	setup_install.exe
2004	Tue19301d0ee47f9.exe
2340	Tue19167b39532817c6.exe
2708	Tue19519844d595cb.exe
2492	Tue1928d87039b3a61.exe
884	Tue19638bb08519f.exe
1152	Tue1911a97ae09.exe
1436	Tue195f40779b28e9814.exe
332	Tue1931cb6307cc71e4.exe
2412	Tue190a6b23f5160050.exe
308	Tue19301d0ee47f9.exe
1848	Volevo.exe.com
1472	Volevo.exe.com

Loads dropped DLL 52 IoCs

Processes:

setup_installer.exesetup_install.execmd.execmd.execmd.exeTue19301d0ee47f9.execmd.execmd.execmd.execmd.execmd.exeTue19638bb08519f.exeTue1911a97ae09.exeTue1931cb6307cc71e4.execmd.exeTue195f40779b28e9814.exeTue190a6b23f5160050.exeTue19301d0ee47f9.execmd.exeVolevo.exe.comWerFault.exeWerFault.exe

pid	process
2912	setup_installer.exe
2912	setup_installer.exe
2912	setup_installer.exe
2660	setup_install.exe
2660	setup_install.exe
2660	setup_install.exe
2660	setup_install.exe
2660	setup_install.exe
2660	setup_install.exe
2660	setup_install.exe
2660	setup_install.exe
2628	cmd.exe
1316	cmd.exe
2932	cmd.exe
2628	cmd.exe
2004	Tue19301d0ee47f9.exe
2004	Tue19301d0ee47f9.exe
2472	cmd.exe
2516	cmd.exe
2200	cmd.exe
2516	cmd.exe
2200	cmd.exe
2448	cmd.exe
2448	cmd.exe
2192	cmd.exe
884	Tue19638bb08519f.exe
884	Tue19638bb08519f.exe
1152	Tue1911a97ae09.exe
1152	Tue1911a97ae09.exe
332	Tue1931cb6307cc71e4.exe
332	Tue1931cb6307cc71e4.exe
2128	cmd.exe
2004	Tue19301d0ee47f9.exe
1436	Tue195f40779b28e9814.exe
1436	Tue195f40779b28e9814.exe
2412	Tue190a6b23f5160050.exe
2412	Tue190a6b23f5160050.exe
308	Tue19301d0ee47f9.exe
308	Tue19301d0ee47f9.exe
984	cmd.exe
1848	Volevo.exe.com
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Tue190a6b23f5160050.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Tue190a6b23f5160050.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

24 iplogger.org
26 iplogger.org
37 iplogger.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3000 2660 WerFault.exe setup_install.exe
1688 884 WerFault.exe Tue19638bb08519f.exe

flow	ioc
24	iplogger.org
26	iplogger.org
37	iplogger.org

pid	pid_target	process	target process
3000	2660	WerFault.exe	setup_install.exe
1688	884	WerFault.exe	Tue19638bb08519f.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Tue1931cb6307cc71e4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue1931cb6307cc71e4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue1931cb6307cc71e4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue1931cb6307cc71e4.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Volevo.exe.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Volevo.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Volevo.exe.com

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Tue19519844d595cb.exeTue19167b39532817c6.exeTue19638bb08519f.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Tue19519844d595cb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Tue19167b39532817c6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Tue19167b39532817c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Tue19519844d595cb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Tue19519844d595cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Tue19638bb08519f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Tue19638bb08519f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Tue19167b39532817c6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Tue19638bb08519f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Tue19519844d595cb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Tue19519844d595cb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Tue19519844d595cb.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2552 PING.EXE

pid	process
2552	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Tue1931cb6307cc71e4.exepowershell.exe

pid	process
332	Tue1931cb6307cc71e4.exe
332	Tue1931cb6307cc71e4.exe
2556	powershell.exe
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Tue1931cb6307cc71e4.exe

pid process

332 Tue1931cb6307cc71e4.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Tue19167b39532817c6.exeTue19519844d595cb.exepowershell.exeTue1911a97ae09.exe

description	pid	process
Token: SeDebugPrivilege	2340	Tue19167b39532817c6.exe
Token: SeDebugPrivilege	2708	Tue19519844d595cb.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	1152	Tue1911a97ae09.exe
Token: SeShutdownPrivilege	1176

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Volevo.exe.comVolevo.exe.com

pid	process
1848	Volevo.exe.com
1848	Volevo.exe.com
1848	Volevo.exe.com
1472	Volevo.exe.com
1472	Volevo.exe.com
1472	Volevo.exe.com
1472	Volevo.exe.com
1472	Volevo.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Volevo.exe.comVolevo.exe.com

pid process

1848 Volevo.exe.com
1848 Volevo.exe.com
1848 Volevo.exe.com
1472 Volevo.exe.com
1472 Volevo.exe.com
1472 Volevo.exe.com

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_installer.exesetup_install.exe

description	pid	process	target process
PID 2912 wrote to memory of 2660	2912	setup_installer.exe	setup_install.exe
PID 2912 wrote to memory of 2660	2912	setup_installer.exe	setup_install.exe
PID 2912 wrote to memory of 2660	2912	setup_installer.exe	setup_install.exe
PID 2912 wrote to memory of 2660	2912	setup_installer.exe	setup_install.exe
PID 2912 wrote to memory of 2660	2912	setup_installer.exe	setup_install.exe
PID 2912 wrote to memory of 2660	2912	setup_installer.exe	setup_install.exe
PID 2912 wrote to memory of 2660	2912	setup_installer.exe	setup_install.exe
PID 2660 wrote to memory of 300	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 300	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 300	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 300	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 300	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 300	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 300	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2628	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2628	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2628	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2628	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2628	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2628	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2628	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2448	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2448	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2448	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2448	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2448	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2448	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2448	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2472	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2472	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2472	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2472	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2472	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2472	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2472	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2516	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2516	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2516	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2516	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2516	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2516	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2516	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2200	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2200	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2200	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2200	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2200	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2200	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2200	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2192	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2192	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2192	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2192	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2192	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2192	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2192	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2932	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2932	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2932	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2932	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2932	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2932	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2932	2660	setup_install.exe	cmd.exe
PID 2660 wrote to memory of 2128	2660	setup_install.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\setup_install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
3⤵
PID:300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19301d0ee47f9.exe
3⤵
- Loads dropped DLL
PID:2628

C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue19301d0ee47f9.exe
Tue19301d0ee47f9.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004

C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue19301d0ee47f9.exe
"C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue19301d0ee47f9.exe" -a
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1931cb6307cc71e4.exe
3⤵
- Loads dropped DLL
PID:2448

C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue1931cb6307cc71e4.exe
Tue1931cb6307cc71e4.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1928d87039b3a61.exe
3⤵
- Loads dropped DLL
PID:2472

C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue1928d87039b3a61.exe
Tue1928d87039b3a61.exe
4⤵
- Executes dropped EXE
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19638bb08519f.exe
3⤵
- Loads dropped DLL
PID:2516

C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue19638bb08519f.exe
Tue19638bb08519f.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 956
5⤵
- Loads dropped DLL
- Program crash
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1911a97ae09.exe
3⤵
- Loads dropped DLL
PID:2200

C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue1911a97ae09.exe
Tue1911a97ae09.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue195f40779b28e9814.exe
3⤵
- Loads dropped DLL
PID:2192

C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue195f40779b28e9814.exe
Tue195f40779b28e9814.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19519844d595cb.exe
3⤵
- Loads dropped DLL
PID:2932

C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue19519844d595cb.exe
Tue19519844d595cb.exe
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue190a6b23f5160050.exe
3⤵
- Loads dropped DLL
PID:2128

C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue190a6b23f5160050.exe
Tue190a6b23f5160050.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2412

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
5⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Vai.pdf
5⤵
PID:608

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
- Loads dropped DLL
PID:984

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^mtHoKMPFYDHibgXoaLvAaWsXCpDWIDAtGvzDsjSTgLhRLduwJPppYNJDMJFBoSWxeCBqVxQuTCkHIAkke$" Dal.pdf
7⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com
Volevo.exe.com H
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1848

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com H
8⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1472

C:\Windows\SysWOW64\PING.EXE
ping QGTQZTRE -n 30
7⤵
- Runs ping.exe
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19167b39532817c6.exe
3⤵
- Loads dropped DLL
PID:1316

C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue19167b39532817c6.exe
Tue19167b39532817c6.exe
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 432
3⤵
- Loads dropped DLL
- Program crash
PID:3000

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
41aed147c4e45db176d82a01c2094e9f

SHA1
84a45f4f89931ff6d77eaa94252492c679673a5f

SHA256
676a652b0d7867ec11dea56a818cc0281fed1b79470dfc5483d67e35012534c6

SHA512
2a6c037944580fc6c453640872bb18998fcd26d7704eec6de4a738e72b12316a897265b1b65898db04bcee955374158671188c4fd0b01fbdb41a5be504778f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\2jrVpU6yXS\_Files\_Information.txt
Filesize
1KB

MD5
42a612ae0ac85d19ce76dfd6952d7ca1

SHA1
be793e38aa7b16ebe8eaad49fbcc3bafaee28c58

SHA256
73d8e56221d2fc9197aaa30f9f4a9a7bcd3f8ffd17f9c5f20f653b1be410c517

SHA512
67d1cdd6ddcb8627bc24f9d916318c1568a22d1c28b2a759f32b75be74e47e15f0a1b22de5da8eae5f47d9800a010cd0053c0e1d1620c735f0da18389a4faf84

Download Submit
C:\Users\Admin\AppData\Local\Temp\2jrVpU6yXS\_Files\_Information.txt
Filesize
8KB

MD5
3792eaa23135914b752000c9de8d662d

SHA1
24936ad53f5e3f84f7cefdf57d8f4e24212a0b10

SHA256
89a3aedf02643548adb07b5779c58a1873be98dbb04875dd537d5e901ad00dc4

SHA512
becf4eaa5791488f7d38001affa7fa55dfd2abaa24530f55d009227226b9fe735fa7e298e90fbf953d1887d67cb994ca217ae199ad7a7144aa1059a69f4c59ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\2jrVpU6yXS\_Files\_Screen_Desktop.jpeg
Filesize
51KB

MD5
fd9dc61bd63adf50af51c979fb52cc7e

SHA1
b0178ae1b0aefe4f7711573d6590b45db9538ee5

SHA256
95151dbeab8e4c109188e3fae42a5af51a73df5a789f8d102ab32f8fcf802401

SHA512
1b551ecb77fa652b215495b9d158a1a19e7c6fadea2b534b2697176f48609b12cc89728d4c9c409e477285c0fbd2248eddf9deb037462f38d6cc12583fc5bb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\2jrVpU6yXS\files_\system_info.txt
Filesize
1KB

MD5
9133caa8b2763c598ef696fe6c48887c

SHA1
ad8ad2d4c16facafa54d524fb299de2c48a5a808

SHA256
04754c53cd5446d044f24eaed2e92a553f67ab1831ad756ed6397e57a494d108

SHA512
7aef9f80160148203c79b439d22a43108d8c6ee35d81b00dfa17668b851ebc59f3968b4606600b02b7b4b70ade9d5bf19ffc6c8bba633866e353ce9f5fac0cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2jrVpU6yXS\files_\system_info.txt
Filesize
8KB

MD5
62298f19495b2aa98d62d19887851b69

SHA1
d1ae51816e417848f8aaa55d6292ab65c3466cc2

SHA256
9e41abd7a472452685b0820cc00edb47a08040da8502849c7cf47c1a519dc427

SHA512
c0f7c5ee3d2e280e38828eabb50540c090cef948d93b2b1f05f6027659f84d4eb1e9503452509fcb401ef03be0e22982ab5ccb9797cb12e6cc953c7705f94382

Download Submit
C:\Users\Admin\AppData\Local\Temp\2jrVpU6yXS\ptAf023WzUIqC.zip
Filesize
42KB

MD5
2090db6287d86bc59675e94dd69e6c99

SHA1
60b7055308fa74831610268f4b7797b2c430bf82

SHA256
d057bcdf82341e75ebcf5be24e8bda61c5b45391641784d42204e177e9649347

SHA512
db72857bf1ea8873dcf53c528ecf4268b7baff150127297c7431b3386c0feebc7a243cd9d7bb51e4648c1568cd244be985956a40d3d78c69752c3c44a14f29a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2jrVpU6yXS\sWZfaX2YdU43.zip
Filesize
42KB

MD5
2f45f9ae2ead82e1309bdae7c2f17188

SHA1
b68df39ac8c4e47fcda3af26e0080673e851c2d1

SHA256
778a419e278d92e51dbc87334b419598b2897d76aaa324dbdabe5c1de900e3b9

SHA512
5fc348d96289836f656cef165d3c9c68ee5d23d79c682e2ddad99094fd4f8ee35fbb79c42e928c03ed6d02f35bd6db80f63fbfc02f14bf4cf76d3790e45f65b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue190a6b23f5160050.exe
Filesize
1.4MB

MD5
0191b0583174ce0d1d8dc75601e4d056

SHA1
ec3cbf979a5df64903cb7a825aa640d82075d839

SHA256
01d11314c2c047a01b4159aa32b9afa3f3b7e3fc3b3ea46476c85346f3887949

SHA512
d24f647615a63291854de256e210c6e02f12619f85e694a9027e1969d708c415cf6234a43fae9376bf5788a5f27973ccf159e89b32fc54ab313ba0d720740e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue1911a97ae09.exe
Filesize
279KB

MD5
af23965c3e2673940b70f436bb45f766

SHA1
ccc8b03ea8c568f1b333458cff3f156898fc29f7

SHA256
e6271d738fc78602abc8916fb4742638b2b4c4205882f6db24eb361694c67503

SHA512
f0202e3ed32b9e69785bb50551b5143fe69298dead3c9a3d539cc6c6768f70f8263f074f912d1de5decb122bc365b7645428c0d10040f6f15a41f3a5ac0a4611

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue19167b39532817c6.exe
Filesize
8KB

MD5
45a47d815f2291bc7fc0112d36aaad83

SHA1
db1dc02b2d64c4c3db89b5df3124dd87d43059d5

SHA256
416e63fb614101d5644592d5f589f358f8d5a41dd6812a717cbf05470864ac6f

SHA512
a7d98145cf949a42ace2da725a22847ad814a28137d32b0b220430b91c89aabed7144b85f20c2fd9a1a02f5b92520bf5f0afbe8202028f9832cbc29c2a9e776e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue1928d87039b3a61.exe
Filesize
241KB

MD5
5866ab1fae31526ed81bfbdf95220190

SHA1
75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f

SHA256
9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e

SHA512
8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue19301d0ee47f9.exe
Filesize
56KB

MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue1931cb6307cc71e4.exe
Filesize
263KB

MD5
52ef6f18788d94f657a2fb0616772897

SHA1
e7f2ff804f52e832ab3fb191f6c747be8334396e

SHA256
1cc598746610d27a557ab0d1abd9286b7f85fb4249f817eb49b8ba8ffbd0273f

SHA512
be264cb76f728396694197883aa8bbb43674601977e595a7cfe9ad9de53e0e328a022e5f67869498f913b4eafeaa3c4c416aa3c0c132bca180455928fb026e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue19519844d595cb.exe
Filesize
109KB

MD5
34aa457fed673b5c3cec68d05df16473

SHA1
f31f729d3bb5e0e205e0fb80abc33800d4d92d96

SHA256
e764cf9d6834ab39436de3fffb0c3b023e3f05051b84b35689ab61a6705e0bdd

SHA512
7ce8aa80dabd75ddf45a72c5c178bdc9346c31fc7bd4a12fc9b72674ae98a6b02d9d37a61dc2bbffd6966470c8af9af4342f0fcce4e33e6dfae3ad01e5642684

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue195f40779b28e9814.exe
Filesize
627KB

MD5
d06aa46e65c291cbf7d4c8ae047c18c5

SHA1
d7ef87b50307c40ffb46460b737ac5157f5829f0

SHA256
1cd9a6908f8a5d58487e6cfea76a388a927f1569ba2b2459f25fffaf8180230f

SHA512
8d5f6605a38e7c45a44127438bf7d6bf6a54aacb0b67b3669eb9609fc1084145f827a8341ce6b1a544198b5633d9f92561bd9f9cc82b52473db0926787a06ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\Tue19638bb08519f.exe
Filesize
557KB

MD5
e8dd2c2b42ddc701b1e2c34cc1fe99b1

SHA1
c3751581986d6cada60747843792d286fd671657

SHA256
835443a1038ad5e0a4dde2451baa95b529f049362955d57daf0b5921729a4f17

SHA512
e179b3b4c2f24d089566630c6ee0421418fe17aa4195dc9b04f471665094ce3a4b3ed29da7b6829b7484fa3e785abd343a1cf7abc556f6f5b5403a92b16a970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS06BFFA26\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1BF1.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS06BFFA26\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS06BFFA26\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS06BFFA26\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS06BFFA26\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS06BFFA26\setup_install.exe
Filesize
2.1MB

MD5
edb875a62ee893ddcff68ab842b06889

SHA1
1db014be7d248bfad1b791e2b5799b146c51491a

SHA256
e7070a58f07b641bd9927b68b21364e9ba8fb2836564636ebca265f430e8e050

SHA512
2629e3a4012ad7cc4249f78c454aeb77ac4b386015e461c6d4c7aafd192b7849348d3cdfd9b5cf806780cd8ec9766b467a01e190cb95d8ddf8a4a1e777b98632

Download Submit
memory/332-128-0x00000000003D0000-0x00000000003D9000-memory.dmp

Filesize
36KB

Download
memory/332-366-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download
memory/332-131-0x0000000002440000-0x0000000002540000-memory.dmp

Filesize
1024KB

Download
memory/332-129-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download
memory/884-156-0x0000000002E30000-0x0000000002F30000-memory.dmp

Filesize
1024KB

Download
memory/884-153-0x0000000000400000-0x0000000002D1A000-memory.dmp

Filesize
41.1MB

Download
memory/884-149-0x0000000002D20000-0x0000000002DBD000-memory.dmp

Filesize
628KB

Download
memory/884-375-0x0000000000400000-0x0000000002D1A000-memory.dmp

Filesize
41.1MB

Download
memory/884-398-0x0000000002E30000-0x0000000002F30000-memory.dmp

Filesize
1024KB

Download
memory/1152-146-0x0000000000400000-0x0000000002CD3000-memory.dmp

Filesize
40.8MB

Download
memory/1152-152-0x0000000004B20000-0x0000000004B42000-memory.dmp

Filesize
136KB

Download
memory/1152-397-0x0000000000260000-0x0000000000360000-memory.dmp

Filesize
1024KB

Download
memory/1152-158-0x0000000007630000-0x0000000007670000-memory.dmp

Filesize
256KB

Download
memory/1152-157-0x0000000004D40000-0x0000000004D60000-memory.dmp

Filesize
128KB

Download
memory/1152-154-0x0000000000260000-0x0000000000360000-memory.dmp

Filesize
1024KB

Download
memory/1152-143-0x0000000002CE0000-0x0000000002D0F000-memory.dmp

Filesize
188KB

Download
memory/1176-365-0x0000000003A80000-0x0000000003A96000-memory.dmp

Filesize
88KB

Download
memory/1472-390-0x0000000003D40000-0x0000000003DE3000-memory.dmp

Filesize
652KB

Download
memory/1472-407-0x0000000003D40000-0x0000000003DE3000-memory.dmp

Filesize
652KB

Download
memory/1472-388-0x0000000003D40000-0x0000000003DE3000-memory.dmp

Filesize
652KB

Download
memory/1472-642-0x0000000003D40000-0x0000000003DE3000-memory.dmp

Filesize
652KB

Download
memory/1472-389-0x0000000003D40000-0x0000000003DE3000-memory.dmp

Filesize
652KB

Download
memory/1472-386-0x0000000003D40000-0x0000000003DE3000-memory.dmp

Filesize
652KB

Download
memory/1472-385-0x0000000003D40000-0x0000000003DE3000-memory.dmp

Filesize
652KB

Download
memory/1472-387-0x0000000003D40000-0x0000000003DE3000-memory.dmp

Filesize
652KB

Download
memory/1472-391-0x0000000003D40000-0x0000000003DE3000-memory.dmp

Filesize
652KB

Download
memory/2340-130-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/2340-378-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/2340-125-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2340-121-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/2340-377-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2556-159-0x00000000736C0000-0x0000000073C6B000-memory.dmp

Filesize
5.7MB

Download
memory/2556-155-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/2556-142-0x00000000736C0000-0x0000000073C6B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2660-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2660-373-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2660-372-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2660-371-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2660-370-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2660-369-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2660-53-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2660-59-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2660-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2660-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2660-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2660-51-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2660-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2660-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2660-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2660-64-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2660-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2660-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2660-374-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2660-70-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2660-72-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2708-122-0x0000000000200000-0x0000000000220000-memory.dmp

Filesize
128KB

Download
memory/2708-127-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2708-126-0x00000000001D0000-0x00000000001EA000-memory.dmp

Filesize
104KB

Download
memory/2708-132-0x000000001A760000-0x000000001A7E0000-memory.dmp

Filesize
512KB

Download
memory/2708-364-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download