Analysis
- max time kernel: 111s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 27/07/2024, 10:42
Static task: static1
Behavioral task: behavioral1
- Sample: b86806f049f767e729081754e9c66f40N.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: b86806f049f767e729081754e9c66f40N.exe
- Resource: win10v2004-20240709-en
General
- Target: b86806f049f767e729081754e9c66f40N.exe
- Size: 91KB
- MD5: b86806f049f767e729081754e9c66f40
- SHA1: 74ccd2b455ec4ab92ec4779e3de7ee34308b35ed
- SHA256: 81c0eba8044668a9ec0bfd99c5085f9244dbf323475cf532a97dd10a7d6e2326
- SHA512: 0dbb813399cbf74453374cbef4b2501fb410958d8bcb6937d6818ce6e56033502c161a4696b182096d17b83f8af0816153eef13f062f1fcbe93aebee522d5195
- SSDEEP: 1536:FAwEmBGz1lNNqDaG0PoxhlzmOAwEmBGz1lNNqDaG0Poxhlzm/:FGmUXNQDaG0A8OGmUXNQDaG0A8/
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | b86806f049f767e729081754e9c66f40N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | b86806f049f767e729081754e9c66f40N.exe

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | b86806f049f767e729081754e9c66f40N.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | b86806f049f767e729081754e9c66f40N.exe

Disables RegEdit via registry modification (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | b86806f049f767e729081754e9c66f40N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | b86806f049f767e729081754e9c66f40N.exe

Disables use of System Restore points (1 TTP)
Executes dropped EXE (11 IoCs)
pid | Process
1160 | xk.exe
2352 | IExplorer.exe
2892 | WINLOGON.EXE
1860 | CSRSS.EXE
2220 | xk.exe
2036 | IExplorer.exe
2500 | WINLOGON.EXE
1036 | CSRSS.EXE
532 | SERVICES.EXE
1344 | LSASS.EXE
540 | SMSS.EXE

Loads dropped DLL (18 IoCs)
pid | Process
1720 | b86806f049f767e729081754e9c66f40N.exe (18 identical entries)

Modifies system executable filetype association (2 TTPs, 13 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | b86806f049f767e729081754e9c66f40N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | b86806f049f767e729081754e9c66f40N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | b86806f049f767e729081754e9c66f40N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | b86806f049f767e729081754e9c66f40N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | b86806f049f767e729081754e9c66f40N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | b86806f049f767e729081754e9c66f40N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | b86806f049f767e729081754e9c66f40N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | b86806f049f767e729081754e9c66f40N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | b86806f049f767e729081754e9c66f40N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | b86806f049f767e729081754e9c66f40N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | b86806f049f767e729081754e9c66f40N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | b86806f049f767e729081754e9c66f40N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | b86806f049f767e729081754e9c66f40N.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | b86806f049f767e729081754e9c66f40N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | b86806f049f767e729081754e9c66f40N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | b86806f049f767e729081754e9c66f40N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | b86806f049f767e729081754e9c66f40N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" | b86806f049f767e729081754e9c66f40N.exe

Drops desktop.ini file(s) (4 IoCs)
description | ioc | Process
File opened for modification | C:\desktop.ini | b86806f049f767e729081754e9c66f40N.exe
File created | C:\desktop.ini | b86806f049f767e729081754e9c66f40N.exe
File opened for modification | F:\desktop.ini | b86806f049f767e729081754e9c66f40N.exe
File created | F:\desktop.ini | b86806f049f767e729081754e9c66f40N.exe
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\S:, \??\B:, \??\H:, \??\I:, \??\M:, \??\P:, \??\Q:, \??\W:, \??\Y:, \??\E:, \??\G:, \??\O:, \??\R:, \??\T:, \??\U:, \??\J:, \??\K:, \??\Z:, \??\L:, \??\N:, \??\V:, \??\X: | b86806f049f767e729081754e9c66f40N.exe (one entry per drive letter)

Drops file in System32 directory (20 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | b86806f049f767e729081754e9c66f40N.exe
File created | C:\Windows\system32\perfc00A.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh00C.dat | OUTLOOK.EXE
File created | C:\Windows\SysWOW64\IExplorer.exe | b86806f049f767e729081754e9c66f40N.exe
File created | C:\Windows\system32\perfh007.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh009.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh00A.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc00C.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh010.dat | OUTLOOK.EXE
File opened for modification | C:\Windows\SysWOW64\shell.exe | b86806f049f767e729081754e9c66f40N.exe
File created | C:\Windows\SysWOW64\Mig2.scr | b86806f049f767e729081754e9c66f40N.exe
File opened for modification | C:\Windows\SysWOW64\PerfStringBackup.INI | OUTLOOK.EXE
File created | C:\Windows\system32\perfc007.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh011.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc010.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc011.dat | OUTLOOK.EXE
File created | C:\Windows\SysWOW64\shell.exe | b86806f049f767e729081754e9c66f40N.exe
File opened for modification | C:\Windows\SysWOW64\Mig2.scr | b86806f049f767e729081754e9c66f40N.exe
File created | C:\Windows\SysWOW64\PerfStringBackup.TMP | OUTLOOK.EXE
File created | C:\Windows\system32\perfc009.dat | OUTLOOK.EXE

Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\xk.exe | b86806f049f767e729081754e9c66f40N.exe
File created | C:\Windows\xk.exe | b86806f049f767e729081754e9c66f40N.exe
File created | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
File opened for modification | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
File created | C:\Windows\inf\Outlook\0009\outlperf.ini | OUTLOOK.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe, WINLOGON.EXE, SERVICES.EXE, b86806f049f767e729081754e9c66f40N.exe, xk.exe, xk.exe, CSRSS.EXE, CSRSS.EXE, LSASS.EXE, IExplorer.exe, WINLOGON.EXE, SMSS.EXE, OUTLOOK.EXE (one entry per process)

Modifies Control Panel (4 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ | b86806f049f767e729081754e9c66f40N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" | b86806f049f767e729081754e9c66f40N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | b86806f049f767e729081754e9c66f40N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | b86806f049f767e729081754e9c66f40N.exe
Modifies registry class (64 IoCs)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2312 | OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
1720 | b86806f049f767e729081754e9c66f40N.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2312 | OUTLOOK.EXE

Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process
2312 | OUTLOOK.EXE (3 identical entries)

Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
2312 | OUTLOOK.EXE (2 identical entries)

Suspicious use of SetWindowsHookEx (13 IoCs)
pid | Process
1720 | b86806f049f767e729081754e9c66f40N.exe
1160 | xk.exe
2352 | IExplorer.exe
2892 | WINLOGON.EXE
1860 | CSRSS.EXE
2220 | xk.exe
2036 | IExplorer.exe
2500 | WINLOGON.EXE
1036 | CSRSS.EXE
532 | SERVICES.EXE
1344 | LSASS.EXE
540 | SMSS.EXE
2312 | OUTLOOK.EXE

Suspicious use of WriteProcessMemory (44 IoCs)
description | pid | Process | procid_target
PID 1720 wrote to memory of 1160 | 1720 | b86806f049f767e729081754e9c66f40N.exe | 30 (4 identical entries)
PID 1720 wrote to memory of 2352 | 1720 | b86806f049f767e729081754e9c66f40N.exe | 31 (4 identical entries)
PID 1720 wrote to memory of 2892 | 1720 | b86806f049f767e729081754e9c66f40N.exe | 32 (4 identical entries)
PID 1720 wrote to memory of 1860 | 1720 | b86806f049f767e729081754e9c66f40N.exe | 33 (4 identical entries)
PID 1720 wrote to memory of 2220 | 1720 | b86806f049f767e729081754e9c66f40N.exe | 34 (4 identical entries)
PID 1720 wrote to memory of 2036 | 1720 | b86806f049f767e729081754e9c66f40N.exe | 35 (4 identical entries)
PID 1720 wrote to memory of 2500 | 1720 | b86806f049f767e729081754e9c66f40N.exe | 36 (4 identical entries)
PID 1720 wrote to memory of 1036 | 1720 | b86806f049f767e729081754e9c66f40N.exe | 37 (4 identical entries)
PID 1720 wrote to memory of 532 | 1720 | b86806f049f767e729081754e9c66f40N.exe | 38 (4 identical entries)
PID 1720 wrote to memory of 1344 | 1720 | b86806f049f767e729081754e9c66f40N.exe | 39 (4 identical entries)
PID 1720 wrote to memory of 540 | 1720 | b86806f049f767e729081754e9c66f40N.exe | 40 (4 identical entries)

System policy modification (1 TTP, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | b86806f049f767e729081754e9c66f40N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | b86806f049f767e729081754e9c66f40N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | b86806f049f767e729081754e9c66f40N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | b86806f049f767e729081754e9c66f40N.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b86806f049f767e729081754e9c66f40N.exe (depth 1, PID 1720)
  command line: "C:\Users\Admin\AppData\Local\Temp\b86806f049f767e729081754e9c66f40N.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\xk.exe (depth 2, PID 1160)
    command line: C:\Windows\xk.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\IExplorer.exe (depth 2, PID 2352)
    command line: C:\Windows\system32\IExplorer.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (depth 2, PID 2892)
    command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (depth 2, PID 1860)
    command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\xk.exe (depth 2, PID 2220)
    command line: C:\Windows\xk.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\IExplorer.exe (depth 2, PID 2036)
    command line: C:\Windows\system32\IExplorer.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (depth 2, PID 2500)
    command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (depth 2, PID 1036)
    command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (depth 2, PID 532)
    command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (depth 2, PID 1344)
    command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (depth 2, PID 540)
    command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE (depth 1, PID 2312)
  command line: "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (6)
Downloads