lokibot | a3c37478d879d20b7d6c392c70c0acdf0ed7ef4fba94578d9a5a9131b873831b

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

lokibot quasar xworm office office04 collection discovery evasion execution persistence rat spyware stealer themida trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

connectdadad.ddns.net:4782

Mutex

e862a94f-5f45-4b8c-89de-f84dadb095d0

Attributes

encryption_key
23E5F6D22FEE1750D36544A759A48349B064BC34
install_name
PerfWatson1.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
KDOT

Extracted

Family

lokibot

http://94.156.177.41/maxzi/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

xworm

147.185.221.22:47930

127.0.0.1:47930

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

45.136.51.217:2222

Mutex

d1mBeqcqGummV1rEKw

Attributes

encryption_key
h9j7M9986eVjQwMbjacZ
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000900000001a41b-504.dat	family_xworm
behavioral1/memory/2920-508-0x0000000000BD0000-0x0000000000BEA000-memory.dmp	family_xworm

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral1/files/0x0004000000004ed7-136.dat	family_quasar
behavioral1/memory/3048-141-0x0000000000D70000-0x0000000001094000-memory.dmp	family_quasar
behavioral1/memory/1868-155-0x0000000001160000-0x0000000001484000-memory.dmp	family_quasar
behavioral1/memory/1536-204-0x0000000001230000-0x0000000001554000-memory.dmp	family_quasar
behavioral1/memory/2616-266-0x00000000012C0000-0x00000000015E4000-memory.dmp	family_quasar
behavioral1/memory/2796-492-0x0000000000230000-0x0000000000554000-memory.dmp	family_quasar
behavioral1/memory/704-510-0x0000000001090000-0x00000000013B4000-memory.dmp	family_quasar
behavioral1/memory/2968-545-0x0000000000C80000-0x0000000000CCE000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2456 created 1256	2456	hsefawdrthg.exe	21

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TigerHulk3.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2812	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TigerHulk3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TigerHulk3.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 24 IoCs

pid	Process
3048	Client-built.exe
2268	Serials_Checker.exe
1868	PerfWatson1.exe
1548	caspol.exe
2716	PerfWatson1.exe
1536	PerfWatson1.exe
2388	caspol.exe
1992	caspol.exe
960	TigerHulk3.exe
2616	PerfWatson1.exe
2412	PerfWatson1.exe
2680	kxfh9qhs.exe
1976	PerfWatson1.exe
2456	hsefawdrthg.exe
2252	kxfh9qhs.exe
2556	Vidar.exe
2068	PerfWatson1.exe
2796	PerfWatson1.exe
2920	svchost.exe
704	PerfWatson1.exe
2232	PerfWatson1.exe
2968	jgesfyhjsefa.exe
1924	PerfWatson1.exe
1928	PerfWatson1.exe

Loads dropped DLL 21 IoCs

pid	Process
2348	4363463463464363463463463.exe
2348	4363463463464363463463463.exe
2348	4363463463464363463463463.exe
1548	caspol.exe
1548	caspol.exe
2348	4363463463464363463463463.exe
988	Process not Found
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2348	4363463463464363463463463.exe
2348	4363463463464363463463463.exe
2348	4363463463464363463463463.exe
2456	hsefawdrthg.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
2348	4363463463464363463463463.exe
2348	4363463463464363463463463.exe
2348	4363463463464363463463463.exe
2348	4363463463464363463463463.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000500000001a325-257.dat	themida
behavioral1/memory/2348-260-0x0000000006B10000-0x000000000741C000-memory.dmp	themida
behavioral1/memory/960-263-0x000000013FA30000-0x000000014033C000-memory.dmp	themida
behavioral1/memory/960-262-0x000000013FA30000-0x000000014033C000-memory.dmp	themida
behavioral1/memory/960-265-0x000000013FA30000-0x000000014033C000-memory.dmp	themida
behavioral1/memory/960-280-0x000000013FA30000-0x000000014033C000-memory.dmp	themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	caspol.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Serials_Checker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TigerHulk3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
12	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	ip-api.com
46	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
960	TigerHulk3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1548 set thread context of 1992	1548	caspol.exe	74

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1940	2252	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jgesfyhjsefa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caspol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kxfh9qhs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hsefawdrthg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kxfh9qhs.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1432	PING.EXE
1544	PING.EXE
2172	PING.EXE
780	PING.EXE
2152	PING.EXE
2572	PING.EXE
1156	PING.EXE
2160	PING.EXE
1244	PING.EXE
1544	PING.EXE
1644	PING.EXE
1512	PING.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	kxfh9qhs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	kxfh9qhs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	kxfh9qhs.exe

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2572	PING.EXE
1644	PING.EXE
1432	PING.EXE
1544	PING.EXE
2160	PING.EXE
1244	PING.EXE
2152	PING.EXE
1156	PING.EXE
2172	PING.EXE
780	PING.EXE
1544	PING.EXE
1512	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1832	schtasks.exe
2516	schtasks.exe
2184	schtasks.exe
2128	schtasks.exe
2932	schtasks.exe
2448	schtasks.exe
2960	schtasks.exe
1036	schtasks.exe
1660	schtasks.exe
640	schtasks.exe
2824	schtasks.exe
784	schtasks.exe
1372	schtasks.exe
1364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1548	caspol.exe
1548	caspol.exe
2812	powershell.exe
2680	kxfh9qhs.exe
2680	kxfh9qhs.exe
2456	hsefawdrthg.exe
2456	hsefawdrthg.exe
2456	hsefawdrthg.exe
2456	hsefawdrthg.exe
2920	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	4363463463464363463463463.exe
Token: SeDebugPrivilege	3048	Client-built.exe
Token: SeIncreaseQuotaPrivilege	2088	WMIC.exe
Token: SeSecurityPrivilege	2088	WMIC.exe
Token: SeTakeOwnershipPrivilege	2088	WMIC.exe
Token: SeLoadDriverPrivilege	2088	WMIC.exe
Token: SeSystemProfilePrivilege	2088	WMIC.exe
Token: SeSystemtimePrivilege	2088	WMIC.exe
Token: SeProfSingleProcessPrivilege	2088	WMIC.exe
Token: SeIncBasePriorityPrivilege	2088	WMIC.exe
Token: SeCreatePagefilePrivilege	2088	WMIC.exe
Token: SeBackupPrivilege	2088	WMIC.exe
Token: SeRestorePrivilege	2088	WMIC.exe
Token: SeShutdownPrivilege	2088	WMIC.exe
Token: SeDebugPrivilege	2088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2088	WMIC.exe
Token: SeRemoteShutdownPrivilege	2088	WMIC.exe
Token: SeUndockPrivilege	2088	WMIC.exe
Token: SeManageVolumePrivilege	2088	WMIC.exe
Token: 33	2088	WMIC.exe
Token: 34	2088	WMIC.exe
Token: 35	2088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2088	WMIC.exe
Token: SeSecurityPrivilege	2088	WMIC.exe
Token: SeTakeOwnershipPrivilege	2088	WMIC.exe
Token: SeLoadDriverPrivilege	2088	WMIC.exe
Token: SeSystemProfilePrivilege	2088	WMIC.exe
Token: SeSystemtimePrivilege	2088	WMIC.exe
Token: SeProfSingleProcessPrivilege	2088	WMIC.exe
Token: SeIncBasePriorityPrivilege	2088	WMIC.exe
Token: SeCreatePagefilePrivilege	2088	WMIC.exe
Token: SeBackupPrivilege	2088	WMIC.exe
Token: SeRestorePrivilege	2088	WMIC.exe
Token: SeShutdownPrivilege	2088	WMIC.exe
Token: SeDebugPrivilege	2088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2088	WMIC.exe
Token: SeRemoteShutdownPrivilege	2088	WMIC.exe
Token: SeUndockPrivilege	2088	WMIC.exe
Token: SeManageVolumePrivilege	2088	WMIC.exe
Token: 33	2088	WMIC.exe
Token: 34	2088	WMIC.exe
Token: 35	2088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1504	WMIC.exe
Token: SeSecurityPrivilege	1504	WMIC.exe
Token: SeTakeOwnershipPrivilege	1504	WMIC.exe
Token: SeLoadDriverPrivilege	1504	WMIC.exe
Token: SeSystemProfilePrivilege	1504	WMIC.exe
Token: SeSystemtimePrivilege	1504	WMIC.exe
Token: SeProfSingleProcessPrivilege	1504	WMIC.exe
Token: SeIncBasePriorityPrivilege	1504	WMIC.exe
Token: SeCreatePagefilePrivilege	1504	WMIC.exe
Token: SeBackupPrivilege	1504	WMIC.exe
Token: SeRestorePrivilege	1504	WMIC.exe
Token: SeShutdownPrivilege	1504	WMIC.exe
Token: SeDebugPrivilege	1504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1504	WMIC.exe
Token: SeRemoteShutdownPrivilege	1504	WMIC.exe
Token: SeUndockPrivilege	1504	WMIC.exe
Token: SeManageVolumePrivilege	1504	WMIC.exe
Token: 33	1504	WMIC.exe
Token: 34	1504	WMIC.exe
Token: 35	1504	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1504	WMIC.exe
Token: SeSecurityPrivilege	1504	WMIC.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1868	PerfWatson1.exe
2920	svchost.exe
2968	jgesfyhjsefa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 3048	2348	4363463463464363463463463.exe	32
PID 2348 wrote to memory of 3048	2348	4363463463464363463463463.exe	32
PID 2348 wrote to memory of 3048	2348	4363463463464363463463463.exe	32
PID 2348 wrote to memory of 3048	2348	4363463463464363463463463.exe	32
PID 2348 wrote to memory of 2268	2348	4363463463464363463463463.exe	33
PID 2348 wrote to memory of 2268	2348	4363463463464363463463463.exe	33
PID 2348 wrote to memory of 2268	2348	4363463463464363463463463.exe	33
PID 2348 wrote to memory of 2268	2348	4363463463464363463463463.exe	33
PID 2268 wrote to memory of 2392	2268	Serials_Checker.exe	34
PID 2268 wrote to memory of 2392	2268	Serials_Checker.exe	34
PID 2268 wrote to memory of 2392	2268	Serials_Checker.exe	34
PID 2392 wrote to memory of 2264	2392	cmd.exe	36
PID 2392 wrote to memory of 2264	2392	cmd.exe	36
PID 2392 wrote to memory of 2264	2392	cmd.exe	36
PID 2392 wrote to memory of 2088	2392	cmd.exe	37
PID 2392 wrote to memory of 2088	2392	cmd.exe	37
PID 2392 wrote to memory of 2088	2392	cmd.exe	37
PID 2392 wrote to memory of 1504	2392	cmd.exe	39
PID 2392 wrote to memory of 1504	2392	cmd.exe	39
PID 2392 wrote to memory of 1504	2392	cmd.exe	39
PID 2392 wrote to memory of 844	2392	cmd.exe	41
PID 2392 wrote to memory of 844	2392	cmd.exe	41
PID 2392 wrote to memory of 844	2392	cmd.exe	41
PID 3048 wrote to memory of 640	3048	Client-built.exe	40
PID 3048 wrote to memory of 640	3048	Client-built.exe	40
PID 3048 wrote to memory of 640	3048	Client-built.exe	40
PID 2392 wrote to memory of 940	2392	cmd.exe	43
PID 2392 wrote to memory of 940	2392	cmd.exe	43
PID 2392 wrote to memory of 940	2392	cmd.exe	43
PID 3048 wrote to memory of 1868	3048	Client-built.exe	44
PID 3048 wrote to memory of 1868	3048	Client-built.exe	44
PID 3048 wrote to memory of 1868	3048	Client-built.exe	44
PID 2392 wrote to memory of 1560	2392	cmd.exe	45
PID 2392 wrote to memory of 1560	2392	cmd.exe	45
PID 2392 wrote to memory of 1560	2392	cmd.exe	45
PID 2392 wrote to memory of 1712	2392	cmd.exe	46
PID 2392 wrote to memory of 1712	2392	cmd.exe	46
PID 2392 wrote to memory of 1712	2392	cmd.exe	46
PID 2348 wrote to memory of 1548	2348	4363463463464363463463463.exe	47
PID 2348 wrote to memory of 1548	2348	4363463463464363463463463.exe	47
PID 2348 wrote to memory of 1548	2348	4363463463464363463463463.exe	47
PID 2348 wrote to memory of 1548	2348	4363463463464363463463463.exe	47
PID 2392 wrote to memory of 2312	2392	cmd.exe	48
PID 2392 wrote to memory of 2312	2392	cmd.exe	48
PID 2392 wrote to memory of 2312	2392	cmd.exe	48
PID 2392 wrote to memory of 2192	2392	cmd.exe	49
PID 2392 wrote to memory of 2192	2392	cmd.exe	49
PID 2392 wrote to memory of 2192	2392	cmd.exe	49
PID 1868 wrote to memory of 2184	1868	PerfWatson1.exe	50
PID 1868 wrote to memory of 2184	1868	PerfWatson1.exe	50
PID 1868 wrote to memory of 2184	1868	PerfWatson1.exe	50
PID 1868 wrote to memory of 2480	1868	PerfWatson1.exe	52
PID 1868 wrote to memory of 2480	1868	PerfWatson1.exe	52
PID 1868 wrote to memory of 2480	1868	PerfWatson1.exe	52
PID 2392 wrote to memory of 2144	2392	cmd.exe	55
PID 2480 wrote to memory of 2668	2480	cmd.exe	54
PID 2392 wrote to memory of 2144	2392	cmd.exe	55
PID 2480 wrote to memory of 2668	2480	cmd.exe	54
PID 2392 wrote to memory of 2144	2392	cmd.exe	55
PID 2480 wrote to memory of 2668	2480	cmd.exe	54
PID 2480 wrote to memory of 2152	2480	cmd.exe	56
PID 2480 wrote to memory of 2152	2480	cmd.exe	56
PID 2480 wrote to memory of 2152	2480	cmd.exe	56
PID 2480 wrote to memory of 2716	2480	cmd.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	caspol.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	caspol.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:640
  - - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
      "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2184
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Y1VsEJYL53R5.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2668
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2152
      - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        6⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2824
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YO9Kh8SoQLcl.bat" "
        7⤵
        
        PID:2792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2572
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        8⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2932
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gGH1YSt0qWob.bat" "
        9⤵
        
        PID:868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        10⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1832
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\F014dJD1mjGu.bat" "
        11⤵
        
        PID:2360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        12⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2448
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Asz3l85dV5To.bat" "
        13⤵
        
        PID:2368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1156
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        14⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1372
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xx8ErDZHo7QK.bat" "
        15⤵
        
        PID:2968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1432
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        16⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1364
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OW3ZNoCTIiqy.bat" "
        17⤵
        
        PID:484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        18⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2960
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fUIrzsArW4GP.bat" "
        19⤵
        
        PID:2304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        20⤵
        Executes dropped EXE
        
        PID:704
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2128
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KbiAAGDBGoqJ.bat" "
        21⤵
        
        PID:1948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        22⤵
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2516
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\c83jC0luNSeM.bat" "
        23⤵
        
        PID:2256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1244
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        24⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1036
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pSOCnN5DZ5vE.bat" "
        25⤵
        
        PID:552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2112
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:780
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        26⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1660
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lIQHqOvlqewe.bat" "
        27⤵
        
        PID:1316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1544
- - C:\Users\Admin\AppData\Local\Temp\Files\Serials_Checker.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Serials_Checker.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\system32\cmd.exe
      cmd /c "Serials_Checker.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Windows\system32\mode.com
        
        mode con: cols=90 lines=48
        5⤵
        
        PID:2264
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic bios get serialnumber
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get serialnumber
        5⤵
        
        PID:844
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:940
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        
        PID:1560
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:1712
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:2312
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
        5⤵
        
        PID:2192
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:2144
- - C:\Users\Admin\AppData\Local\Temp\Files\caspol.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\caspol.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1548
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\caspol.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\Files\caspol.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\caspol.exe"
      4⤵
      Executes dropped EXE
      PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\Files\caspol.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\caspol.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:1992
- - C:\Users\Admin\AppData\Local\Temp\Files\TigerHulk3.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\TigerHulk3.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:960
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 960 -s 156
      4⤵
      Loads dropped DLL
      PID:2204
- - C:\Users\Admin\AppData\Local\Temp\Files\kxfh9qhs.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\kxfh9qhs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:2680
- - C:\Users\Admin\AppData\Local\Temp\Files\hsefawdrthg.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\hsefawdrthg.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2456
- - C:\Users\Admin\AppData\Local\Temp\Files\Vidar.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Vidar.exe"
    3⤵
    - Executes dropped EXE
    PID:2556
- - C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2920
- - C:\Users\Admin\AppData\Local\Temp\Files\jgesfyhjsefa.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\jgesfyhjsefa.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2968
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\jgesfyhjsefa.exe" /rl HIGHEST /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:784
- C:\Users\Admin\AppData\Local\Temp\Files\kxfh9qhs.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\kxfh9qhs.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 152
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87ebf9b0b2626b163a9c532017316e91

SHA1
013f17751e2aeb2a8bdefb508754505367d6a1e7

SHA256
80d0763fb77ffa82c9789aad32428bc16470c8fd64422ab4d86cdca0c7f5d632

SHA512
9610cd06e4253104baaccf55f954c8b94f76c311abaedcd85bd374eda88e7d00b49fe687aa4ed384add4fd18f3b74a258dc954d6db427ea7ae1725162b4fcc39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asz3l85dV5To.bat

Filesize
210B

MD5
6ea332d8c515af2406b3dcd5612b10eb

SHA1
45d33163c0fc1f236d011ea45580b8adb6581779

SHA256
8b43e21af783a31cc051d8d4f17e11b9a77d555f66be6d36cc38b47a6201658c

SHA512
26036f3b28ed14eecb4fa9794d19c8130c24fa41fba5b0e054d13912cbb89dd01ceaf274a83dee372853d29daf7b5a35d0ae9d750df97a467df5c3955b28b5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD2DB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F014dJD1mjGu.bat

Filesize
210B

MD5
24f10ddd8a0b162be355990e47946218

SHA1
869ad318af0afa2bc0f18fd6f646be4ee74ad0a4

SHA256
529a4cf574238f75922ce4d2cacd37a7030cbf4c118ae4bec0947b7d93184b52

SHA512
79773037ab711ef68f6c0d20c838d9ee921776c0d5c3e39b15af14ed428671ab21d0d14f52771932d4100df19c97a1e7b6570809a784c234cf880eb8afffdcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Serials_Checker.exe

Filesize
156KB

MD5
7bb94f8ef9ae8d6440291eead6967970

SHA1
154414a487b8f61f0b5e894fa48372ee8158f8ae

SHA256
5541c5c5a62d4bfa83b4e1f1202d9cedbb1c9c642daeaa470fe6d1c1fbb37551

SHA512
64f3407c876f47d365c9c6a319f489f248b49df8b243c2983c24861e7e0b75a65c4ab9e250b09cf1b32e4603273277f4dbb06c82c4fd47103716d710dcce8288

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hsefawdrthg.exe

Filesize
439KB

MD5
a06a7af02c4a932448ff3a172d620e13

SHA1
82b29b616d9a717b4502d7a849f5c2e3029a2840

SHA256
29d3678e7aa0187318bc83bf5e6d9ca06fc0d6a858ce006b05f7f97322051ee7

SHA512
6a50a157289b821f5e134d4bff0307b0e11b3a981601363177b5c96d5bff5c0dc72e4f50b8327290a25d623994e5fe4a18f17ad334896c116590b4a412889e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Serials_Checker.bat

Filesize
855B

MD5
ab84096b01cdcc304e442659c12edfc3

SHA1
f42281b6ab6e7373307091381a300bc659076ecc

SHA256
f943b4a7127ef21b45db4731a3df69431c051f8e6b3e4c13c2b4ea51616f1045

SHA512
601dedb7d0a64c2e12a63c548ffd1801c67c8cc4dcae88848cd897d3d0ea34480169b3714a538e86eac71d6d577d4b82644aca1a87e7994b8a619f71b4b1aeca

Download Submit
C:\Users\Admin\AppData\Local\Temp\KbiAAGDBGoqJ.bat

Filesize
210B

MD5
b0419edafd8bf63822d6836a7f30a660

SHA1
203ae51d7002caa2f03895e57719c1041856b36b

SHA256
1c29493f53651c16a4b62965a8cf2b4d8092268585f4458171536522c557837c

SHA512
73deea29073dd159380d35c0125657b6b238fe3ec7cbc344f669cc4f87b6e29b3adaa8e8e3be94294cdc0c4f7e32165945bbcefa5a92efe12115997cb27c0828

Download Submit
C:\Users\Admin\AppData\Local\Temp\OW3ZNoCTIiqy.bat

Filesize
210B

MD5
8bf034b8cfc608aeb53a23cfccf28521

SHA1
2b5b9262686efbe96100879270ba21969a8a28b9

SHA256
c48110d2b2d178e3707d1a033aeaabd31dbcce7a67a08ee6a1fe40af4b1afe0b

SHA512
7e4ce14929caa1cab2b8a668a6865f0c9a4501eafb0ee9f8b473baae2bb070d484f34d8c0ee6d38668102c36e5934e2957435bc9cf5e5070eccdb46d7d525e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD2EE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y1VsEJYL53R5.bat

Filesize
210B

MD5
6919b1098efd78475d054c6488fc170f

SHA1
3049c68ad5a98e652397998d1e407ed33ddfd211

SHA256
ca2b675ee56f1cd345e5a4dc4d346b734d388356c278709c3b61066c344ddeb5

SHA512
2b7afa6c222444b7f9c1f8a3718999a408c7ebf2c6d91b107150f4fd39817c1b016f53e0faec6d376471391514f368b4dfdaa4607bf09167c1d04070e12a49c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YO9Kh8SoQLcl.bat

Filesize
210B

MD5
799c930d2f56cb95c5b80226438aa23e

SHA1
07797b19fd2015031259326943a79a69c48384ba

SHA256
996c73101febe24434970be5fa666d0b074136dfe4c72924407e638513d23831

SHA512
74b86506d719d9333bfe93fa6c906510bd7c1b306b04726fae5f987dff54b09d58c3599c38c3387a1cbd2f474ba396f41a7e6c57f64313cb88450c051ee58f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c83jC0luNSeM.bat

Filesize
210B

MD5
7e1713c9781803938ddeb57c0b20cb99

SHA1
493c021e74fac22a3064932d71e68f8378194345

SHA256
5b1144362de105358abc609009f7dbadaf9bb46f6bf9a7d4a7d52bd2124ef5f0

SHA512
5c4257c1e9dc96873c19c67b00f8bc9287e1349b7cfacfc5e50e345e28d913a0c74fada57ad6c9f747d0495e6cbb15abd8792fdcf1d17e86966c197d94fab66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUIrzsArW4GP.bat

Filesize
210B

MD5
75cd871e8fa36713613af8b3450bc225

SHA1
af9beef386b8cb5b400ca87cf5f2b85113868ec6

SHA256
2c98421b70d04085f51749da68840336570b3dc8a7927222e44f0efeca0af8d5

SHA512
19a81bf53d0dc172e8b81774f192ad8c8a4360e8bf1b99b333a1f59e6fcc949966e7eb61bf174acb0764b51855a24d7e4993d54e091e183d10198c7da0473062

Download Submit
C:\Users\Admin\AppData\Local\Temp\gGH1YSt0qWob.bat

Filesize
210B

MD5
151633cb03d9bdfe295c60679f5e09c2

SHA1
d071e1ba582018518fb3177c8758a990a7b12502

SHA256
d5a41f84cbd2e51cd95605d5f77a2bd74d7c1f206b4ddeb7a51886803b9e161b

SHA512
68e8072608521928b33ad2f1ed9415e2c91a4c6bdd86e209efda25d38f8417bf7cc717838a6de9f06f1a5dba3e337b6c38f60e097179a4346b4c64f541745fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\lIQHqOvlqewe.bat

Filesize
210B

MD5
2ea476eb503c0f47a9af27c1d4ba9a86

SHA1
752c33ba4ac414519486e99f81ead2f108a60b67

SHA256
9852d81e6921f711b112aad862932928d916991488ac7de4111ab9cb243b34c1

SHA512
0783d95e69e03de5d1a46f00461382d9ebb5370251336e1106c64877004fb53cee3254313607d772e95303fa4690cc5ad74ce36082989f8b878778e2b56320f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pSOCnN5DZ5vE.bat

Filesize
210B

MD5
a4707c90b443945b1c158af8cfa91227

SHA1
43841e17ef7d56728c4cab283077d99d31ee84a2

SHA256
3e8850ab77021e13c95343ac81f20729f9660bac4c3449922ca788e7f6d33bf4

SHA512
a5d879a372f4054901ea419d22b8f9b4c406446a6830ff86711fba87bada54f1427727e86cb7434e7c47a5e7d1f5cf942b62a1f69d028193fce1a567b6e47098

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx8ErDZHo7QK.bat

Filesize
210B

MD5
1c9646c0e91e358092c60f26b29c9e6d

SHA1
cc375ee824e885f18275ae9f171c61e2dd17d420

SHA256
dc3af595efb7a084d6d3c929bc71453318629522c5ec6622efae17c0729ba490

SHA512
dab25d0b398d0de4aaec5dbfd04c8f10de39045473d70b8a21fc867da433844ee424f430c8c7e680b6f110adf5b3feb1b96291cef2874baf198a0c7af912f3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\0f5007522459c86e95ffcc62f32308f1_38b42d9b-3e83-45f4-8789-a30be34574b0

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\0f5007522459c86e95ffcc62f32308f1_38b42d9b-3e83-45f4-8789-a30be34574b0

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Client-built.exe

Filesize
3.1MB

MD5
c2281b1740f2acd02e9e19f83441b033

SHA1
bf321d96b83261e5487f06c9c0ddfc75786c7c8c

SHA256
8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997

SHA512
0c8a95e5caa07047073077a252a891e321cf1a8c964e6e99b72a1c701e6368e63aa82c0425f58364887de3c277130c3c1acda2064332c377efaccf6ce568e027

Download Submit
\Users\Admin\AppData\Local\Temp\Files\TigerHulk3.exe

Filesize
3.3MB

MD5
2ac74d8748c9671b6be2bbbef5161e64

SHA1
9eda3c4895874c51debb63efe0b00247d7a26578

SHA256
cc5edd7e3d2b641070e903361869ccd5eb9e5f74dda16dc8696f63a777fbed19

SHA512
02be9a90c786e7e2065b14f75d51ae39026aff0e7603f6c98614fd0edc9ee8a6cbbe2f6a0115663e9f2fb3a7caa657a4d36d8645f211bcfe144aa667df2b5774

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Vidar.exe

Filesize
1.2MB

MD5
2f79684349eb97b0e072d21a1b462243

SHA1
ed9b9eeafc5535802e498e78611f262055d736af

SHA256
9be494b1233a38c3d86ae075d3073ff4de88bc3064011554aa7c96d5ef068c04

SHA512
4d94ae4633f3bf489d1bc9613fc6028865064ec98f73b5e9e775f08ff55d246daeddce6a4a0a013a9d05e65edc726768c397d0382e5c35352144b5338d6467d3

Download Submit
\Users\Admin\AppData\Local\Temp\Files\caspol.exe

Filesize
586KB

MD5
66b03d1aff27d81e62b53fc108806211

SHA1
2557ec8b32d0b42cac9cabde199d31c5d4e40041

SHA256
59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4

SHA512
9f8ef3dd8c482debb535b1e7c9155e4ab33a04f8c4f31ade9e70adbd5598362033785438d5d60c536a801e134e09fcd1bc80fc7aed2d167af7f531a81f12e43d

Download Submit
\Users\Admin\AppData\Local\Temp\Files\kxfh9qhs.exe

Filesize
3.9MB

MD5
b3834900eea7e3c2bae3ab65bb78664a

SHA1
cf5665241bc0ea70d7856ea75b812619cb31fb94

SHA256
cc35b0641c3c85446892311031369a42990c019c7b143b875be5c683e83ff3ce

SHA512
ae36ab053e692434b9307a21dcebe6499b60a3d0bca8549d7264b4756565cb44e190aa9396aea087609adaeb1443f098da1787fd8ffe2458c4fa1c5faea15909

Download Submit
\Users\Admin\AppData\Local\Temp\Files\svchost.exe

Filesize
75KB

MD5
1ece670aaa09ac9e02ae27b7678b167c

SHA1
d98cffd5d00fe3b8a7a6f50a4cd2fc30b9ec565d

SHA256
b88c6884675cdb358f46c1fbfeddf24af749372a6c14c1c4a2757d7bde3fbc39

SHA512
ad8b877261b2f69c89aa429691da67100a054006504a2735948415eebdc38eba20f923d327347560d066e65b205e80ea8f0a296e586107dc051d9edc410b40c5

Download Submit
memory/704-510-0x0000000001090000-0x00000000013B4000-memory.dmp

Filesize
3.1MB

Download
memory/960-262-0x000000013FA30000-0x000000014033C000-memory.dmp

Filesize
9.0MB

Download
memory/960-263-0x000000013FA30000-0x000000014033C000-memory.dmp

Filesize
9.0MB

Download
memory/960-265-0x000000013FA30000-0x000000014033C000-memory.dmp

Filesize
9.0MB

Download
memory/960-280-0x000000013FA30000-0x000000014033C000-memory.dmp

Filesize
9.0MB

Download
memory/1536-204-0x0000000001230000-0x0000000001554000-memory.dmp

Filesize
3.1MB

Download
memory/1548-164-0x0000000001130000-0x00000000011C8000-memory.dmp

Filesize
608KB

Download
memory/1548-214-0x00000000010D0000-0x0000000001134000-memory.dmp

Filesize
400KB

Download
memory/1548-192-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1868-155-0x0000000001160000-0x0000000001484000-memory.dmp

Filesize
3.1MB

Download
memory/1992-220-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1992-229-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1992-231-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1992-218-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1992-253-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1992-222-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1992-226-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1992-228-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1992-224-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1992-531-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2252-401-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/2252-406-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/2252-422-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/2348-78-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2348-75-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/2348-424-0x0000000004B70000-0x0000000004BF1000-memory.dmp

Filesize
516KB

Download
memory/2348-423-0x0000000004B70000-0x0000000004BF1000-memory.dmp

Filesize
516KB

Download
memory/2348-298-0x0000000006B10000-0x00000000071E0000-memory.dmp

Filesize
6.8MB

Download
memory/2348-419-0x0000000006B10000-0x00000000071E0000-memory.dmp

Filesize
6.8MB

Download
memory/2348-2-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2348-260-0x0000000006B10000-0x000000000741C000-memory.dmp

Filesize
9.0MB

Download
memory/2348-281-0x0000000006B10000-0x000000000741C000-memory.dmp

Filesize
9.0MB

Download
memory/2348-0-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/2348-1-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/2348-381-0x0000000004B70000-0x0000000004BF1000-memory.dmp

Filesize
516KB

Download
memory/2348-382-0x0000000004B70000-0x0000000004BF1000-memory.dmp

Filesize
516KB

Download
memory/2456-396-0x0000000077630000-0x00000000777D9000-memory.dmp

Filesize
1.7MB

Download
memory/2456-403-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download
memory/2456-383-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download
memory/2456-394-0x0000000000810000-0x0000000000C10000-memory.dmp

Filesize
4.0MB

Download
memory/2456-395-0x0000000000810000-0x0000000000C10000-memory.dmp

Filesize
4.0MB

Download
memory/2456-398-0x0000000077110000-0x0000000077157000-memory.dmp

Filesize
284KB

Download
memory/2556-418-0x000000001BA20000-0x000000001BB20000-memory.dmp

Filesize
1024KB

Download
memory/2556-417-0x00000000001C0000-0x0000000000302000-memory.dmp

Filesize
1.3MB

Download
memory/2616-266-0x00000000012C0000-0x00000000015E4000-memory.dmp

Filesize
3.1MB

Download
memory/2680-420-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/2680-330-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2680-318-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2680-323-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2680-334-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2680-316-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2680-315-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2680-336-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2680-311-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2680-340-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2680-350-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/2680-342-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2680-325-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2680-320-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2680-490-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/2680-313-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2680-328-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2680-300-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/2680-299-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/2796-492-0x0000000000230000-0x0000000000554000-memory.dmp

Filesize
3.1MB

Download
memory/2920-508-0x0000000000BD0000-0x0000000000BEA000-memory.dmp

Filesize
104KB

Download
memory/2968-545-0x0000000000C80000-0x0000000000CCE000-memory.dmp

Filesize
312KB

Download
memory/3048-156-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-142-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-141-0x0000000000D70000-0x0000000001094000-memory.dmp

Filesize
3.1MB

Download
memory/3048-140-0x000007FEF5983000-0x000007FEF5984000-memory.dmp

Filesize
4KB

Download