ouroboros | 60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1

Analysis

max time kernel
56s
max time network
115s
platform
windows10_x64
resource
win10
submitted
17-09-2020 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
Size

375KB
MD5

d5882c247d498f62deced08d118e122f
SHA1

d889058027e41165b300e2b1864e45b33d0ec142
SHA256

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1
SHA512

5c714e72e14dac9c4da2cd29cc4d73d8e62537b1bb92bae3f3ed8b8109bf80d6647e0f1c634198af96a239c2511a7bbb37d63e7dbd0b3241a1f3869b3b32b4f2

Score

10^/10

ouroboros evasion ransomware spyware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\StartProtect.tiff	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

Drops startup file 1 IoCs

Processes:

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu Places\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File created	C:\$Recycle.Bin\S-1-5-21-2066881839-3229799743-3576549721-1000\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\SystemData\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Public\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\SystemData\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 8 http://www.sfml-dev.org/ip-provider.php
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091
Drops file in System32 directory 1 IoCs

Processes:

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\regedit.exe 60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

description	flow	ioc
HTTP URL	8	http://www.sfml-dev.org/ip-provider.php

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

Drops file in Program Files directory 64 IoCs

Processes:

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.Email=[[email protected]]ID=[FALB4DJMY8EC60U].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\vlc.mo	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-125_contrast-black.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.ja_5.5.0.165303.jar.Email=[[email protected]]ID=[FALB4DJMY8EC60U].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-24.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIDE.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\ui-strings.js	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar.Email=[[email protected]]ID=[FALB4DJMY8EC60U].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository_1.1.300.v20131211-1531.jar	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinToolbars.v11.1.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-300.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\83.0.4103.106\swiftshader\libEGL.dll.Email=[[email protected]]ID=[FALB4DJMY8EC60U].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\GrantClear.rar.Email=[[email protected]]ID=[FALB4DJMY8EC60U].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbynet.jar.Email=[[email protected]]ID=[FALB4DJMY8EC60U].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\SplashScreen.scale-100.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GameEnd\gameEnd_redstrip_center.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ws_60x42.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\LargeTile.scale-200.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-heapdump.jar	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar.Email=[[email protected]]ID=[FALB4DJMY8EC60U].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar.Email=[[email protected]]ID=[FALB4DJMY8EC60U].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\ui-strings.js	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.Email=[[email protected]]ID=[FALB4DJMY8EC60U].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MsoAriaCApiWrapper.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Styles.xbf	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml.Email=[[email protected]]ID=[FALB4DJMY8EC60U].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt.Email=[[email protected]]ID=[FALB4DJMY8EC60U].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-ms	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF.Email=[[email protected]]ID=[FALB4DJMY8EC60U].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-oob.xrm-ms	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5665_20x20x32.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\main.css	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\ui-strings.js	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\ui-strings.js	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\gstreamer-lite.dll.Email=[[email protected]]ID=[FALB4DJMY8EC60U].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL081.XML.Email=[[email protected]]ID=[FALB4DJMY8EC60U].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\dull_tauri.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\resources.pri	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar.Email=[[email protected]]ID=[FALB4DJMY8EC60U].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\ui-strings.js	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadox.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-80.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nssckbi.dll.Email=[[email protected]]ID=[FALB4DJMY8EC60U].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo.Email=[[email protected]]ID=[FALB4DJMY8EC60U].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems32.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-text.jar.Email=[[email protected]]ID=[FALB4DJMY8EC60U].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreMedTile.scale-100.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar.Email=[[email protected]]ID=[FALB4DJMY8EC60U].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\ui-strings.js	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\core_zh_CN.jar	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\libarchive_plugin.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

Drops file in Windows directory 64 IoCs

Processes:

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

description	ioc	process
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\ProjectionCylindric.scale-100.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-125_contrast-white.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\SmallLogo.scale-150.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5666_40x40x32.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\Classic_{F120B10E-C882-4613-955F-B4DF13C6E803}.settingcontent-ms	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Boot\PCAT\memtest.exe	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\diagnostics\system\AERO\RS_WinSat.ps1	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\Assets\Images\Tiles\Square44x44Logo.targetsize-24_altform-unplated.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Microsoft.StickyNotes.exe	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\quickreplysend.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\sl-SI_BitLockerToGo.exe.mui	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\seriffr.fon	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Frameworks\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x64__8wekyb3d8bbwe\logo.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\osf\agavedefaulticon32x32.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\cy_60x42.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\AppxManifest.xml	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\ELAMBKUP\WdBoot.sys	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\48ffa648732cc4b9129dd42510e885e6\Microsoft.PowerShell.Management.Activities.ni.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Help\Windows\ContentStore\en-US\windowsclient.mshc	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\Classic_{5163E94E-4C07-420B-B173-320232B8AFB7}.settingcontent-ms	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\197.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Calendar\corrupt.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\FreeCell\Goal_5.jpg	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\classic_1s.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationFramework.Aero\3.0.0.0__31bf3856ad364e35\PresentationFramework.Aero.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\mask\12c.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\_Resources\index.txt	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1250_36x36x32.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3899_24x24x32.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4632_32x32x32.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.scale-200.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-black_scale-200.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5#\08803c8aa996354792c73ef12405560e\Microsoft.KeyDistributionService.Cmdlets.ni.dll.aux	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\INF\mssmbios.PNF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GameEnd\gameEnd_preview_image.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\priidu.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\en-US.PhoneNumber.ot	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\INF\hidi2c.PNF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\tz_60x42.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-32_altform-fullcolor.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-60_altform-colorize.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-200.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\UIAutomationClientsideProviders\3.0.0.0__31bf3856ad364e35\UIAutomationClientsideProviders.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-100.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-40.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-64.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10910_24x24x32.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_EyeLashEye.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-white\Square310x310Logo.scale-100.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-32.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\INF\iaLPSS2i_I2C_BXT_P.PNF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\INF\netrtwlanu.inf	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-400.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-60_altform-unplated.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxBadge.scale-100.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\en-US.PostalAddress.ot	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\comicbd.ttf	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\diagnostics\system\Speech\en-US\CL_LocalizationData.psd1	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\segoeuib.ttf	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\INF\image.inf	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Frameworks\Microsoft.VCLibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.dualsim2.smile.small.scale-150.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\it-IT.Messaging.config	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Pyramid\Goal_7.jpg	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

pid	process
3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 3612 wrote to memory of 640	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 640	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 640	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 640 wrote to memory of 2996	640	cmd.exe	net.exe
PID 640 wrote to memory of 2996	640	cmd.exe	net.exe
PID 640 wrote to memory of 2996	640	cmd.exe	net.exe
PID 2996 wrote to memory of 644	2996	net.exe	net1.exe
PID 2996 wrote to memory of 644	2996	net.exe	net1.exe
PID 2996 wrote to memory of 644	2996	net.exe	net1.exe
PID 3612 wrote to memory of 860	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 860	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 860	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 860 wrote to memory of 1096	860	cmd.exe	net.exe
PID 860 wrote to memory of 1096	860	cmd.exe	net.exe
PID 860 wrote to memory of 1096	860	cmd.exe	net.exe
PID 1096 wrote to memory of 1264	1096	net.exe	net1.exe
PID 1096 wrote to memory of 1264	1096	net.exe	net1.exe
PID 1096 wrote to memory of 1264	1096	net.exe	net1.exe
PID 3612 wrote to memory of 1252	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 1252	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 1252	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1252 wrote to memory of 1800	1252	cmd.exe	net.exe
PID 1252 wrote to memory of 1800	1252	cmd.exe	net.exe
PID 1252 wrote to memory of 1800	1252	cmd.exe	net.exe
PID 1800 wrote to memory of 1876	1800	net.exe	net1.exe
PID 1800 wrote to memory of 1876	1800	net.exe	net1.exe
PID 1800 wrote to memory of 1876	1800	net.exe	net1.exe
PID 3612 wrote to memory of 2136	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 2136	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 2136	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 2136 wrote to memory of 2420	2136	cmd.exe	net.exe
PID 2136 wrote to memory of 2420	2136	cmd.exe	net.exe
PID 2136 wrote to memory of 2420	2136	cmd.exe	net.exe
PID 2420 wrote to memory of 2572	2420	net.exe	net1.exe
PID 2420 wrote to memory of 2572	2420	net.exe	net1.exe
PID 2420 wrote to memory of 2572	2420	net.exe	net1.exe
PID 3612 wrote to memory of 2784	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 2784	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 2784	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 2784 wrote to memory of 740	2784	cmd.exe	net.exe
PID 2784 wrote to memory of 740	2784	cmd.exe	net.exe
PID 2784 wrote to memory of 740	2784	cmd.exe	net.exe
PID 740 wrote to memory of 3992	740	net.exe	net1.exe
PID 740 wrote to memory of 3992	740	net.exe	net1.exe
PID 740 wrote to memory of 3992	740	net.exe	net1.exe
PID 3612 wrote to memory of 4028	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 4028	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 4028	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 2188	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 2188	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 2188	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 3712	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 3712	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 3712	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 964	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 964	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 3612 wrote to memory of 964	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 964 wrote to memory of 292	964	cmd.exe	net.exe
PID 964 wrote to memory of 292	964	cmd.exe	net.exe
PID 964 wrote to memory of 292	964	cmd.exe	net.exe
PID 292 wrote to memory of 60	292	net.exe	net1.exe
PID 292 wrote to memory of 60	292	net.exe	net1.exe
PID 292 wrote to memory of 60	292	net.exe	net1.exe
PID 3612 wrote to memory of 1104	3612	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
"C:\Users\Admin\AppData\Local\Temp\60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:2572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:3992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:4028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:2188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:3712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:292
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:60
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:488
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:2540
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:3384
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:1404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-20-0x0000000000000000-mapping.dmp

Download
memory/292-19-0x0000000000000000-mapping.dmp

Download
memory/488-22-0x0000000000000000-mapping.dmp

Download
memory/640-0-0x0000000000000000-mapping.dmp

Download
memory/644-2-0x0000000000000000-mapping.dmp

Download
memory/740-13-0x0000000000000000-mapping.dmp

Download
memory/860-3-0x0000000000000000-mapping.dmp

Download
memory/964-18-0x0000000000000000-mapping.dmp

Download
memory/1096-4-0x0000000000000000-mapping.dmp

Download
memory/1104-21-0x0000000000000000-mapping.dmp

Download
memory/1252-6-0x0000000000000000-mapping.dmp

Download
memory/1264-5-0x0000000000000000-mapping.dmp

Download
memory/1288-23-0x0000000000000000-mapping.dmp

Download
memory/1404-30-0x0000000000000000-mapping.dmp

Download
memory/1644-25-0x0000000000000000-mapping.dmp

Download
memory/1800-7-0x0000000000000000-mapping.dmp

Download
memory/1828-24-0x0000000000000000-mapping.dmp

Download
memory/1876-8-0x0000000000000000-mapping.dmp

Download
memory/2136-9-0x0000000000000000-mapping.dmp

Download
memory/2188-16-0x0000000000000000-mapping.dmp

Download
memory/2420-10-0x0000000000000000-mapping.dmp

Download
memory/2540-27-0x0000000000000000-mapping.dmp

Download
memory/2572-11-0x0000000000000000-mapping.dmp

Download
memory/2664-26-0x0000000000000000-mapping.dmp

Download
memory/2784-12-0x0000000000000000-mapping.dmp

Download
memory/2804-28-0x0000000000000000-mapping.dmp

Download
memory/2996-1-0x0000000000000000-mapping.dmp

Download
memory/3384-29-0x0000000000000000-mapping.dmp

Download
memory/3612-31-0x0000000001B50000-0x0000000001B51000-memory.dmp

Filesize
4KB

Download
memory/3612-32-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3612-33-0x0000000001B50000-0x0000000001B51000-memory.dmp

Filesize
4KB

Download
memory/3612-34-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3612-35-0x0000000001B50000-0x0000000001B51000-memory.dmp

Filesize
4KB

Download
memory/3612-41-0x0000000001B50000-0x0000000001B51000-memory.dmp

Filesize
4KB

Download
memory/3612-42-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3612-43-0x0000000001B50000-0x0000000001B51000-memory.dmp

Filesize
4KB

Download
memory/3712-17-0x0000000000000000-mapping.dmp

Download
memory/3992-14-0x0000000000000000-mapping.dmp

Download
memory/4028-15-0x0000000000000000-mapping.dmp

Download