raccoon | 25b2ae77c2dc71ca729c153cce1615b77a396ff4ba598928c788eec57f1777fe

Analysis

max time kernel
70s
max time network
130s
platform
windows7_x64
resource
win7-en-20210920
submitted
08-10-2021 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

097910dc615bd581069c0ec67fa513d0.exe
Size

193KB
MD5

097910dc615bd581069c0ec67fa513d0
SHA1

00597735a09afbe12ad29ea00ede40733c67801c
SHA256

25b2ae77c2dc71ca729c153cce1615b77a396ff4ba598928c788eec57f1777fe
SHA512

cdf2464377db2fc6c2b2c665ac903e74cfde99a3e6cc6acd7d0d2ad6d417d442b27760b79d14693e3ba27d0a1b8a3d0355f48521d9847ab30c38e8541de92752

Score

10^/10

raccoon redline smokeloader vidar 1031 8d179b9e611eee525425544ee8c6d77360ab7cd9 helo backdoor collection discovery evasion infostealer persistence ransomware spyware stealer suricata trojan

Malware Config

Extracted

Path

C:\read-me.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ��14 96 F9 1A 0F 19 71 F5 64 61 B0 0F AA 29 CB B2 AD 7D C5 47 EC 02 E0 BC 7F E4 6C 7A 90 F9 81 4F 0C B3 46 8F 91 96 1D 5C 59 2A F6 68 D3 5E 67 B5 7E 15 9D 83 7C 8D 7A E0 AD CD EF 2A 11 0F 64 CD 33 D7 7F 33 E6 D9 92 88 8D 40 52 98 37 6E A2 A3 B7 7D 4A CA 45 62 B5 5D 49 07 72 54 43 0C B1 D6 26 E3 19 AC E9 F1 E3 51 D8 DA FC 4E 5F 50 6A C9 43 7D CA 54 1C E7 48 94 B0 1F 79 7D 0D E2 CF 2C 31 10 55 8E C5 4C 53 40 1A 3E D3 19 05 F1 31 6A 1F 82 B2 42 C7 71 81 55 E4 BB E2 68 39 F5 9B 81 2E 84 1D E7 29 EC 15 D2 1F 42 0E 61 D8 2A 2F E9 8A B0 82 82 54 91 7F D2 72 FA 71 91 88 49 E6 40 77 CB 50 E5 6D BC FD F2 A1 F6 A5 22 2C 23 09 8E 94 D4 3E 17 A0 53 4C 07 B1 B4 58 8A 4F F0 5A 6A E6 CB 60 85 35 2A 5F 55 42 F6 FE A6 4E 46 3D 0D C2 03 7F BA A6 E4 F1 14 43 C0 BF 6F B5 53 34 01

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Extracted

Path

\??\M:\Boot\cs-CZ\Read_Me.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101OJDJYYYO 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101OJDJYYYO

https://yip.su/2QstD5

Extracted

Family

smokeloader

Version

2020

http://fiskahlilian16.top/

http://paishancho17.top/

http://ydiannetter18.top/

http://azarehanelle19.top/

http://quericeriant20.top/

http://planilhasvba.com.br/wp-admin/js/k/index.php

http://rpk32ubon.ac.th/backup/k/index.php

http://4urhappiness.com/app/k/index.php

http://swedenkhabar.com/wp-admin/js/k/index.php

http://cio.lankapanel.net/wp-admin/js/k/index.php

http://fcmsites.com.br/canal/wp-admin/js/k/index.php

http://lacoibipitanga.com.br/maxart/k/index.php

http://lacoibipitanga.com.br/cgi-bin/k/index.php

http://video.nalahotel.com/k/index.php

http://diving-phocea.com/wp-admin/k/index.php

http://phocea-sudan.com/cgi-bin/k/index.php

http://rpk32ubon.ac.th/wp-admin/js/k/index.php

https://www.twinrealty.com/vworker/k/index.php

rc4.i32

Extracted

Family

vidar

Version

41.2

Botnet

1031

https://mas.to/@serg4325

Attributes

profile_id
1031

Extracted

Family

redline

Botnet

helo

144.202.13.247:46573

Extracted

Family

raccoon

Version

1.8.2

Botnet

8d179b9e611eee525425544ee8c6d77360ab7cd9

Attributes

url4cnc
http://teletop.top/agrybirdsgamerept
http://teleta.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept

rc4.plain

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/812-72-0x0000000004680000-0x00000000046C3000-memory.dmp	family_redline
behavioral1/memory/812-74-0x0000000004750000-0x0000000004792000-memory.dmp	family_redline
behavioral1/memory/384-79-0x000000001AC50000-0x000000001AD5D000-memory.dmp	family_redline
behavioral1/memory/384-91-0x0000000000700000-0x000000000071D000-memory.dmp	family_redline
behavioral1/memory/1740-207-0x00000000023C0000-0x000000000300A000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata

Core1 .NET packer 1 IoCs

Detects packer/loader used by .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/384-79-0x000000001AC50000-0x000000001AD5D000-memory.dmp	Core1

Nirsoft 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\8799e5c6-fd91-4333-897c-e6f0f7fbbd99\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\8799e5c6-fd91-4333-897c-e6f0f7fbbd99\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\8799e5c6-fd91-4333-897c-e6f0f7fbbd99\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\8799e5c6-fd91-4333-897c-e6f0f7fbbd99\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\8799e5c6-fd91-4333-897c-e6f0f7fbbd99\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\8799e5c6-fd91-4333-897c-e6f0f7fbbd99\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\8799e5c6-fd91-4333-897c-e6f0f7fbbd99\AdvancedRun.exe	Nirsoft

Vidar Stealer 7 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/384-79-0x000000001AC50000-0x000000001AD5D000-memory.dmp	family_vidar
behavioral1/memory/384-82-0x000000001BC00000-0x000000001BCD5000-memory.dmp	family_vidar
behavioral1/memory/1252-87-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar
behavioral1/memory/1252-88-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar
behavioral1/memory/1252-94-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar
behavioral1/memory/1252-89-0x00000000004A195D-mapping.dmp	family_vidar
behavioral1/memory/320-206-0x0000000002310000-0x0000000002F5A000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

206C.exe26B4.exe2944.exe8D16.exeAdvancedRun.exeAdvancedRun.exe932F.exe932F.exe98EA.exe񒴏񒴏񔅐񒔉񔄎񒄥񒄾񒀮exe8D16.exe

pid	process
320	206C.exe
384	26B4.exe
812	2944.exe
1648	8D16.exe
2044	AdvancedRun.exe
1748	AdvancedRun.exe
1568	932F.exe
1800	932F.exe
1996	98EA.exe
2116	񒴏񒴏񔅐񒔉񔄎񒄥񒄾񒀮exe
2552	8D16.exe

Deletes itself 1 IoCs

Processes:

pid process

1376

Drops startup file 2 IoCs

Processes:

8D16.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\񒴏񒴏񔅐񒔉񔄎񒄥񒄾񒀮exe	8D16.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\񒴏񒴏񔅐񒔉񔄎񒄥񒄾񒀮exe	8D16.exe

Loads dropped DLL 23 IoCs

Processes:

explorer.exe206C.exe8D16.exeAdvancedRun.exe932F.exeWerFault.exe

pid	process
1376
976	explorer.exe
1376
1376
320	206C.exe
320	206C.exe
320	206C.exe
320	206C.exe
320	206C.exe
320	206C.exe
320	206C.exe
1648	8D16.exe
1648	8D16.exe
2044	AdvancedRun.exe
2044	AdvancedRun.exe
1568	932F.exe
948	WerFault.exe
948	WerFault.exe
948	WerFault.exe
948	WerFault.exe
948	WerFault.exe
1648	8D16.exe
1648	8D16.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

8D16.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	8D16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\񒴏񒴏񔅐񒔉񔄎񒄥񒄾񒀮exe = "0"	8D16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Resources\Themes\ᡈᠾᡍᡃᡐᠾ᠏ᠾᠫ᠓᠑ᡑᠡᠿ᠍\svchost.exe = "0"	8D16.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	8D16.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	8D16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	8D16.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	8D16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\8D16.exe = "0"	8D16.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	8D16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	8D16.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

206C.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	206C.exe

Accesses Microsoft Outlook profiles 1 TTPs 11 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe206C.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	206C.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	206C.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	206C.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook	206C.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook	206C.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	206C.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	206C.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	206C.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

932F.exe8D16.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	932F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\932F.exe"	932F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\񒴏񒴏񔅐񒔉񔄎񒄥񒄾 = "C:\\Windows\\Resources\\Themes\\ᡈᠾᡍᡃᡐᠾ\u180fᠾᠫ᠓᠑ᡑᠡᠿ᠍\\svchost.exe"	8D16.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

8D16.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8D16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8D16.exe

Drops desktop.ini file(s) 13 IoCs

Processes:

932F.exe

description	ioc	process
File opened for modification	C:\Users\Public\Downloads\desktop.ini	932F.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	932F.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	932F.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	932F.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	932F.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	932F.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	932F.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	932F.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	932F.exe
File opened for modification	C:\Users\Public\desktop.ini	932F.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	932F.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	932F.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	932F.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8D16.exe

description	ioc	process
File opened (read-only)	\??\M:	8D16.exe
File opened (read-only)	\??\S:	8D16.exe
File opened (read-only)	\??\K:	8D16.exe
File opened (read-only)	\??\X:	8D16.exe
File opened (read-only)	\??\N:	8D16.exe
File opened (read-only)	\??\Y:	8D16.exe
File opened (read-only)	\??\G:	8D16.exe
File opened (read-only)	\??\Z:	8D16.exe
File opened (read-only)	\??\V:	8D16.exe
File opened (read-only)	\??\Q:	8D16.exe
File opened (read-only)	\??\E:	8D16.exe
File opened (read-only)	\??\R:	8D16.exe
File opened (read-only)	\??\T:	8D16.exe
File opened (read-only)	\??\L:	8D16.exe
File opened (read-only)	\??\B:	8D16.exe
File opened (read-only)	\??\W:	8D16.exe
File opened (read-only)	\??\U:	8D16.exe
File opened (read-only)	\??\I:	8D16.exe
File opened (read-only)	\??\J:	8D16.exe
File opened (read-only)	\??\H:	8D16.exe
File opened (read-only)	\??\O:	8D16.exe
File opened (read-only)	\??\P:	8D16.exe
File opened (read-only)	\??\A:	8D16.exe
File opened (read-only)	\??\F:	8D16.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

097910dc615bd581069c0ec67fa513d0.exe26B4.exe932F.exe8D16.exe

description	pid	process	target process
PID 1544 set thread context of 1152	1544	097910dc615bd581069c0ec67fa513d0.exe	097910dc615bd581069c0ec67fa513d0.exe
PID 384 set thread context of 1252	384	26B4.exe	explorer.exe
PID 384 set thread context of 976	384	26B4.exe	explorer.exe
PID 1568 set thread context of 1800	1568	932F.exe	932F.exe
PID 1648 set thread context of 2552	1648	8D16.exe	8D16.exe

Drops file in Program Files directory 64 IoCs

Processes:

8D16.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\Read_Me.txt	8D16.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui	8D16.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui	8D16.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\Read_Me.txt	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\Read_Me.txt	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\Read_Me.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	8D16.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\Read_Me.txt	8D16.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\Read_Me.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\Read_Me.txt	8D16.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\Read_Me.txt	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\Read_Me.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\Read_Me.txt	8D16.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\Read_Me.txt	8D16.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\Read_Me.txt	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\Read_Me.txt	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\Read_Me.txt	8D16.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\Read_Me.txt	8D16.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\Read_Me.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\Read_Me.txt	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\Read_Me.txt	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Read_Me.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Read_Me.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	8D16.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll	8D16.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\Read_Me.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\Read_Me.txt	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\Read_Me.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	8D16.exe
File created	C:\Program Files\Common Files\Services\Read_Me.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	8D16.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\FlickLearningWizard.exe.mui	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	8D16.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\Read_Me.txt	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\Read_Me.txt	8D16.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui	8D16.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Read_Me.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	8D16.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\Read_Me.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	8D16.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	8D16.exe

Drops file in Windows directory 1 IoCs

Processes:

8D16.exe

description ioc process

File created C:\Windows\Resources\Themes\ᡈᠾᡍᡃᡐᠾ᠏ᠾᠫ᠓᠑ᡑᠡᠿ᠍\svchost.exe 8D16.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1516 1252 WerFault.exe explorer.exe
948 1996 WerFault.exe 98EA.exe

description	ioc	process
File created	C:\Windows\Resources\Themes\ᡈᠾᡍᡃᡐᠾ᠏ᠾᠫ᠓᠑ᡑᠡᠿ᠍\svchost.exe	8D16.exe

pid	pid_target	process	target process
1516	1252	WerFault.exe	explorer.exe
948	1996	WerFault.exe	98EA.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

097910dc615bd581069c0ec67fa513d0.exeexplorer.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	097910dc615bd581069c0ec67fa513d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	097910dc615bd581069c0ec67fa513d0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	097910dc615bd581069c0ec67fa513d0.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1148 timeout.exe

pid	process
1148	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

097910dc615bd581069c0ec67fa513d0.exe

pid	process
1152	097910dc615bd581069c0ec67fa513d0.exe
1152	097910dc615bd581069c0ec67fa513d0.exe
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

097910dc615bd581069c0ec67fa513d0.exeexplorer.exe

pid process

1152 097910dc615bd581069c0ec67fa513d0.exe
976 explorer.exe
1376
1376
1376
1376

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

WerFault.exe26B4.exe8D16.exeAdvancedRun.exeAdvancedRun.exe932F.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	1376
Token: SeShutdownPrivilege	1376
Token: SeShutdownPrivilege	1376
Token: SeShutdownPrivilege	1376
Token: SeShutdownPrivilege	1376
Token: SeShutdownPrivilege	1376
Token: SeShutdownPrivilege	1376
Token: SeShutdownPrivilege	1376
Token: SeDebugPrivilege	1516	WerFault.exe
Token: SeShutdownPrivilege	1376
Token: SeDebugPrivilege	384	26B4.exe
Token: SeDebugPrivilege	1648	8D16.exe
Token: SeDebugPrivilege	2044	AdvancedRun.exe
Token: SeImpersonatePrivilege	2044	AdvancedRun.exe
Token: SeDebugPrivilege	1748	AdvancedRun.exe
Token: SeImpersonatePrivilege	1748	AdvancedRun.exe
Token: SeDebugPrivilege	1568	932F.exe
Token: SeDebugPrivilege	948	WerFault.exe
Token: SeShutdownPrivilege	1376

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

1376
1376
1376
1376
1376
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

pid process

1376
1376
1376
1376
1376
1376
1376

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

097910dc615bd581069c0ec67fa513d0.exe26B4.exeexplorer.exe206C.execmd.exe8D16.exeAdvancedRun.exe932F.exe

description	pid	process	target process
PID 1544 wrote to memory of 1152	1544	097910dc615bd581069c0ec67fa513d0.exe	097910dc615bd581069c0ec67fa513d0.exe
PID 1544 wrote to memory of 1152	1544	097910dc615bd581069c0ec67fa513d0.exe	097910dc615bd581069c0ec67fa513d0.exe
PID 1544 wrote to memory of 1152	1544	097910dc615bd581069c0ec67fa513d0.exe	097910dc615bd581069c0ec67fa513d0.exe
PID 1544 wrote to memory of 1152	1544	097910dc615bd581069c0ec67fa513d0.exe	097910dc615bd581069c0ec67fa513d0.exe
PID 1544 wrote to memory of 1152	1544	097910dc615bd581069c0ec67fa513d0.exe	097910dc615bd581069c0ec67fa513d0.exe
PID 1544 wrote to memory of 1152	1544	097910dc615bd581069c0ec67fa513d0.exe	097910dc615bd581069c0ec67fa513d0.exe
PID 1544 wrote to memory of 1152	1544	097910dc615bd581069c0ec67fa513d0.exe	097910dc615bd581069c0ec67fa513d0.exe
PID 1376 wrote to memory of 320	1376		206C.exe
PID 1376 wrote to memory of 320	1376		206C.exe
PID 1376 wrote to memory of 320	1376		206C.exe
PID 1376 wrote to memory of 320	1376		206C.exe
PID 1376 wrote to memory of 384	1376		26B4.exe
PID 1376 wrote to memory of 384	1376		26B4.exe
PID 1376 wrote to memory of 384	1376		26B4.exe
PID 1376 wrote to memory of 812	1376		2944.exe
PID 1376 wrote to memory of 812	1376		2944.exe
PID 1376 wrote to memory of 812	1376		2944.exe
PID 1376 wrote to memory of 812	1376		2944.exe
PID 384 wrote to memory of 1252	384	26B4.exe	explorer.exe
PID 384 wrote to memory of 1252	384	26B4.exe	explorer.exe
PID 384 wrote to memory of 1252	384	26B4.exe	explorer.exe
PID 384 wrote to memory of 1252	384	26B4.exe	explorer.exe
PID 384 wrote to memory of 1252	384	26B4.exe	explorer.exe
PID 384 wrote to memory of 1252	384	26B4.exe	explorer.exe
PID 384 wrote to memory of 1252	384	26B4.exe	explorer.exe
PID 384 wrote to memory of 1252	384	26B4.exe	explorer.exe
PID 384 wrote to memory of 1252	384	26B4.exe	explorer.exe
PID 384 wrote to memory of 976	384	26B4.exe	explorer.exe
PID 384 wrote to memory of 976	384	26B4.exe	explorer.exe
PID 384 wrote to memory of 976	384	26B4.exe	explorer.exe
PID 384 wrote to memory of 976	384	26B4.exe	explorer.exe
PID 384 wrote to memory of 976	384	26B4.exe	explorer.exe
PID 384 wrote to memory of 976	384	26B4.exe	explorer.exe
PID 384 wrote to memory of 976	384	26B4.exe	explorer.exe
PID 1252 wrote to memory of 1516	1252	explorer.exe	WerFault.exe
PID 1252 wrote to memory of 1516	1252	explorer.exe	WerFault.exe
PID 1252 wrote to memory of 1516	1252	explorer.exe	WerFault.exe
PID 1252 wrote to memory of 1516	1252	explorer.exe	WerFault.exe
PID 320 wrote to memory of 1664	320	206C.exe	cmd.exe
PID 320 wrote to memory of 1664	320	206C.exe	cmd.exe
PID 320 wrote to memory of 1664	320	206C.exe	cmd.exe
PID 320 wrote to memory of 1664	320	206C.exe	cmd.exe
PID 1664 wrote to memory of 1148	1664	cmd.exe	timeout.exe
PID 1664 wrote to memory of 1148	1664	cmd.exe	timeout.exe
PID 1664 wrote to memory of 1148	1664	cmd.exe	timeout.exe
PID 1664 wrote to memory of 1148	1664	cmd.exe	timeout.exe
PID 1376 wrote to memory of 1648	1376		8D16.exe
PID 1376 wrote to memory of 1648	1376		8D16.exe
PID 1376 wrote to memory of 1648	1376		8D16.exe
PID 1376 wrote to memory of 1648	1376		8D16.exe
PID 1648 wrote to memory of 2044	1648	8D16.exe	AdvancedRun.exe
PID 1648 wrote to memory of 2044	1648	8D16.exe	AdvancedRun.exe
PID 1648 wrote to memory of 2044	1648	8D16.exe	AdvancedRun.exe
PID 1648 wrote to memory of 2044	1648	8D16.exe	AdvancedRun.exe
PID 2044 wrote to memory of 1748	2044	AdvancedRun.exe	AdvancedRun.exe
PID 2044 wrote to memory of 1748	2044	AdvancedRun.exe	AdvancedRun.exe
PID 2044 wrote to memory of 1748	2044	AdvancedRun.exe	AdvancedRun.exe
PID 2044 wrote to memory of 1748	2044	AdvancedRun.exe	AdvancedRun.exe
PID 1376 wrote to memory of 1568	1376		932F.exe
PID 1376 wrote to memory of 1568	1376		932F.exe
PID 1376 wrote to memory of 1568	1376		932F.exe
PID 1376 wrote to memory of 1568	1376		932F.exe
PID 1568 wrote to memory of 1800	1568	932F.exe	932F.exe
PID 1568 wrote to memory of 1800	1568	932F.exe	932F.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

8D16.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8D16.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8D16.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\097910dc615bd581069c0ec67fa513d0.exe
"C:\Users\Admin\AppData\Local\Temp\097910dc615bd581069c0ec67fa513d0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\097910dc615bd581069c0ec67fa513d0.exe
"C:\Users\Admin\AppData\Local\Temp\097910dc615bd581069c0ec67fa513d0.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1152

C:\Users\Admin\AppData\Local\Temp\206C.exe
C:\Users\Admin\AppData\Local\Temp\206C.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\206C.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1148

C:\Users\Admin\AppData\Local\Temp\26B4.exe
C:\Users\Admin\AppData\Local\Temp\26B4.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 832
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:976

C:\Users\Admin\AppData\Local\Temp\2944.exe
C:\Users\Admin\AppData\Local\Temp\2944.exe
1⤵
- Executes dropped EXE
PID:812

C:\Users\Admin\AppData\Local\Temp\8D16.exe
C:\Users\Admin\AppData\Local\Temp\8D16.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1648

C:\Users\Admin\AppData\Local\Temp\8799e5c6-fd91-4333-897c-e6f0f7fbbd99\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\8799e5c6-fd91-4333-897c-e6f0f7fbbd99\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8799e5c6-fd91-4333-897c-e6f0f7fbbd99\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\8799e5c6-fd91-4333-897c-e6f0f7fbbd99\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\8799e5c6-fd91-4333-897c-e6f0f7fbbd99\AdvancedRun.exe" /SpecialRun 4101d8 2044
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8D16.exe" -Force
2⤵
PID:320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8D16.exe" -Force
2⤵
PID:1820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\񒴏񒴏񔅐񒔉񔄎񒄥񒄾񒀮exe" -Force
2⤵
PID:1740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8D16.exe" -Force
2⤵
PID:2076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\ᡈᠾᡍᡃᡐᠾ᠏ᠾᠫ᠓᠑ᡑᠡᠿ᠍\svchost.exe" -Force
2⤵
PID:2152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8D16.exe" -Force
2⤵
PID:2260

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\񒴏񒴏񔅐񒔉񔄎񒄥񒄾񒀮exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\񒴏񒴏񔅐񒔉񔄎񒄥񒄾񒀮exe"
2⤵
- Executes dropped EXE
PID:2116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\ᡈᠾᡍᡃᡐᠾ᠏ᠾᠫ᠓᠑ᡑᠡᠿ᠍\svchost.exe" -Force
2⤵
PID:2344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\񒴏񒴏񔅐񒔉񔄎񒄥񒄾񒀮exe" -Force
2⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\8D16.exe
C:\Users\Admin\AppData\Local\Temp\8D16.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
PID:2552

C:\Users\Admin\AppData\Local\Temp\932F.exe
C:\Users\Admin\AppData\Local\Temp\932F.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Local\Temp\932F.exe
C:\Users\Admin\AppData\Local\Temp\932F.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
PID:1800

C:\Users\Admin\AppData\Local\Temp\98EA.exe
C:\Users\Admin\AppData\Local\Temp\98EA.exe
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 532
2⤵
- Loads dropped DLL
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1672

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2092

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2892

C:\Users\Admin\AppData\Local\932F.exe
"C:\Users\Admin\AppData\Local\932F.exe"
2⤵
PID:560

C:\Users\Admin\AppData\Local\932F.exe
C:\Users\Admin\AppData\Local\932F.exe
3⤵
PID:1520

C:\Users\Admin\AppData\Local\932F.exe
C:\Users\Admin\AppData\Local\932F.exe
3⤵
PID:1760

C:\Windows\Resources\Themes\ᡈᠾᡍᡃᡐᠾ᠏ᠾᠫ᠓᠑ᡑᠡᠿ᠍\svchost.exe
"C:\Windows\Resources\Themes\ᡈᠾᡍᡃᡐᠾ᠏ᠾᠫ᠓᠑ᡑᠡᠿ᠍\svchost.exe"
2⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\0827ecf3-1baa-4bb9-87e8-94b3596a87a6\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\0827ecf3-1baa-4bb9-87e8-94b3596a87a6\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\0827ecf3-1baa-4bb9-87e8-94b3596a87a6\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\0827ecf3-1baa-4bb9-87e8-94b3596a87a6\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\0827ecf3-1baa-4bb9-87e8-94b3596a87a6\AdvancedRun.exe" /SpecialRun 4101d8 1924
4⤵
PID:2720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\ᡈᠾᡍᡃᡐᠾ᠏ᠾᠫ᠓᠑ᡑᠡᠿ᠍\svchost.exe" -Force
3⤵
PID:284

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\ᡈᠾᡍᡃᡐᠾ᠏ᠾᠫ᠓᠑ᡑᠡᠿ᠍\svchost.exe" -Force
3⤵
PID:968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\ᡈᠾᡍᡃᡐᠾ᠏ᠾᠫ᠓᠑ᡑᠡᠿ᠍\svchost.exe" -Force
3⤵
PID:1816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\ᡈᠾᡍᡃᡐᠾ᠏ᠾᠫ᠓᠑ᡑᠡᠿ᠍\svchost.exe" -Force
3⤵
PID:2884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\ᡈᠾᡍᡃᡐᠾ᠏ᠾᠫ᠓᠑ᡑᠡᠿ᠍\svchost.exe" -Force
3⤵
PID:1876

C:\Windows\Resources\Themes\ᡈᠾᡍᡃᡐᠾ᠏ᠾᠫ᠓᠑ᡑᠡᠿ᠍\svchost.exe
C:\Windows\Resources\Themes\ᡈᠾᡍᡃᡐᠾ᠏ᠾᠫ᠓᠑ᡑᠡᠿ᠍\svchost.exe
3⤵
PID:2564

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2976

C:\Users\Admin\AppData\Local\932F.exe
"C:\Users\Admin\AppData\Local\932F.exe"
2⤵
PID:2672

C:\Windows\Resources\Themes\ᡈᠾᡍᡃᡐᠾ᠏ᠾᠫ᠓᠑ᡑᠡᠿ᠍\svchost.exe
"C:\Windows\Resources\Themes\ᡈᠾᡍᡃᡐᠾ᠏ᠾᠫ᠓᠑ᡑᠡᠿ᠍\svchost.exe"
2⤵
PID:2720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\932F.exe
MD5
bf6c69f9ca692937062ac51b8d70c6c1

SHA1
b70f3bd1ee7ac687f64b9cea11b443546b98ebe1

SHA256
77181bf77dde9838240d6ae57aaf37d2e96cc089a5bdd8c530a9b5195c290851

SHA512
8122bcd5da063dff21d7164809aa42a6d64aa9183928e95a208fa346c60301405dd00d62768be528dfff25effd38d0416845062b706e828ad7c74ce3ad1d8d8f

Download Submit
C:\Users\Admin\AppData\Local\932F.exe
MD5
bf6c69f9ca692937062ac51b8d70c6c1

SHA1
b70f3bd1ee7ac687f64b9cea11b443546b98ebe1

SHA256
77181bf77dde9838240d6ae57aaf37d2e96cc089a5bdd8c530a9b5195c290851

SHA512
8122bcd5da063dff21d7164809aa42a6d64aa9183928e95a208fa346c60301405dd00d62768be528dfff25effd38d0416845062b706e828ad7c74ce3ad1d8d8f

Download Submit
C:\Users\Admin\AppData\Local\932F.exe
MD5
bf6c69f9ca692937062ac51b8d70c6c1

SHA1
b70f3bd1ee7ac687f64b9cea11b443546b98ebe1

SHA256
77181bf77dde9838240d6ae57aaf37d2e96cc089a5bdd8c530a9b5195c290851

SHA512
8122bcd5da063dff21d7164809aa42a6d64aa9183928e95a208fa346c60301405dd00d62768be528dfff25effd38d0416845062b706e828ad7c74ce3ad1d8d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\206C.exe
MD5
8bf1ea90c065586efe2ed1e88d42e36d

SHA1
51d3eb36a830f606656eebbef6c426c368b05b30

SHA256
2eca83ecb9e9fe4f68d4dc75816749a1861e9cd9bd1e56daef884accdbb48fd4

SHA512
217e01e954c680f3ebb4144010bb68089aa487381b6eff0074f75565aa637cc075d2220d7984849072450aced217a991423992684a4b79e1d45bacd2c953a70b

Download Submit
C:\Users\Admin\AppData\Local\Temp\206C.exe
MD5
8bf1ea90c065586efe2ed1e88d42e36d

SHA1
51d3eb36a830f606656eebbef6c426c368b05b30

SHA256
2eca83ecb9e9fe4f68d4dc75816749a1861e9cd9bd1e56daef884accdbb48fd4

SHA512
217e01e954c680f3ebb4144010bb68089aa487381b6eff0074f75565aa637cc075d2220d7984849072450aced217a991423992684a4b79e1d45bacd2c953a70b

Download Submit
C:\Users\Admin\AppData\Local\Temp\26B4.exe
MD5
e03cf8b5db7580f2ac89868800d9481c

SHA1
7c97261b5ea86b5b84881ed4cc2394062742c14e

SHA256
92e463a3267d079981cbcce21f01b7a6e911d667e89c2fa98270247579499b66

SHA512
9dfac446d570bf4f74abd1da9e1a92dae6b6d37793097464b14fb19384a19bd3e75043d74c5c2b404d667d6e5f2fac0267a5d343fb5af53546c5498c5171f239

Download Submit
C:\Users\Admin\AppData\Local\Temp\26B4.exe
MD5
e03cf8b5db7580f2ac89868800d9481c

SHA1
7c97261b5ea86b5b84881ed4cc2394062742c14e

SHA256
92e463a3267d079981cbcce21f01b7a6e911d667e89c2fa98270247579499b66

SHA512
9dfac446d570bf4f74abd1da9e1a92dae6b6d37793097464b14fb19384a19bd3e75043d74c5c2b404d667d6e5f2fac0267a5d343fb5af53546c5498c5171f239

Download Submit
C:\Users\Admin\AppData\Local\Temp\2944.exe
MD5
56083cc74dbec5c8a8e742f1d68240f2

SHA1
48d48886e6ecb985c057ddbb17d8d28f4ed44f44

SHA256
20c6072cb0227a2c6addc88f14b170ff3d182034b92b34a6c8f471def5463bbc

SHA512
805a58a73ea594ee7529f4526afa2a86855a268372477b2d624f98e3c6e1fc3a00643bfc868b2c1f5e66364cbf7113506699f45fdf09e91289b1c212b5c1215a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8799e5c6-fd91-4333-897c-e6f0f7fbbd99\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8799e5c6-fd91-4333-897c-e6f0f7fbbd99\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8799e5c6-fd91-4333-897c-e6f0f7fbbd99\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D16.exe
MD5
a55ef9dcbb88023626f80aafdecfd00e

SHA1
19cc787693b1a37857f878d27824b4016eebcb7d

SHA256
b57da60a5704d073af34f18ef6b07f2cd236c1994ded14e57ece4c049686e091

SHA512
44b3c568eb0ece6e70f78a6a1ab1e56614844a70da74a5e65d622172a0c688bc98c633be3e70f4d0ce4d7d1b6aa59d59a4957e255c3a1977e9b6e7e3012d5b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D16.exe
MD5
a55ef9dcbb88023626f80aafdecfd00e

SHA1
19cc787693b1a37857f878d27824b4016eebcb7d

SHA256
b57da60a5704d073af34f18ef6b07f2cd236c1994ded14e57ece4c049686e091

SHA512
44b3c568eb0ece6e70f78a6a1ab1e56614844a70da74a5e65d622172a0c688bc98c633be3e70f4d0ce4d7d1b6aa59d59a4957e255c3a1977e9b6e7e3012d5b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D16.exe
MD5
a55ef9dcbb88023626f80aafdecfd00e

SHA1
19cc787693b1a37857f878d27824b4016eebcb7d

SHA256
b57da60a5704d073af34f18ef6b07f2cd236c1994ded14e57ece4c049686e091

SHA512
44b3c568eb0ece6e70f78a6a1ab1e56614844a70da74a5e65d622172a0c688bc98c633be3e70f4d0ce4d7d1b6aa59d59a4957e255c3a1977e9b6e7e3012d5b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\932F.exe
MD5
bf6c69f9ca692937062ac51b8d70c6c1

SHA1
b70f3bd1ee7ac687f64b9cea11b443546b98ebe1

SHA256
77181bf77dde9838240d6ae57aaf37d2e96cc089a5bdd8c530a9b5195c290851

SHA512
8122bcd5da063dff21d7164809aa42a6d64aa9183928e95a208fa346c60301405dd00d62768be528dfff25effd38d0416845062b706e828ad7c74ce3ad1d8d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\932F.exe
MD5
bf6c69f9ca692937062ac51b8d70c6c1

SHA1
b70f3bd1ee7ac687f64b9cea11b443546b98ebe1

SHA256
77181bf77dde9838240d6ae57aaf37d2e96cc089a5bdd8c530a9b5195c290851

SHA512
8122bcd5da063dff21d7164809aa42a6d64aa9183928e95a208fa346c60301405dd00d62768be528dfff25effd38d0416845062b706e828ad7c74ce3ad1d8d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\932F.exe
MD5
bf6c69f9ca692937062ac51b8d70c6c1

SHA1
b70f3bd1ee7ac687f64b9cea11b443546b98ebe1

SHA256
77181bf77dde9838240d6ae57aaf37d2e96cc089a5bdd8c530a9b5195c290851

SHA512
8122bcd5da063dff21d7164809aa42a6d64aa9183928e95a208fa346c60301405dd00d62768be528dfff25effd38d0416845062b706e828ad7c74ce3ad1d8d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\98EA.exe
MD5
3e4d35c8737cd48a67651ed5bd8fa0e3

SHA1
66fa7009f0b9321ed0d8e465822e83e0a8676c2f

SHA256
83a567afc934f93d8e01a940759a2f53e73adeb88814ec08a5faa7523953d64f

SHA512
e7019a2839b31d718e6598e746dbcc025ea76e3e372f45ebf272a8bc716e7d3020f05ea24daf883ada80694cc97558fb3c96aff70d2620386f8c59d9c75abad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\98EA.exe
MD5
3e4d35c8737cd48a67651ed5bd8fa0e3

SHA1
66fa7009f0b9321ed0d8e465822e83e0a8676c2f

SHA256
83a567afc934f93d8e01a940759a2f53e73adeb88814ec08a5faa7523953d64f

SHA512
e7019a2839b31d718e6598e746dbcc025ea76e3e372f45ebf272a8bc716e7d3020f05ea24daf883ada80694cc97558fb3c96aff70d2620386f8c59d9c75abad3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
1b6ca54dbf4ab24e218429c07ff93999

SHA1
379638e67f69095413564a40c0e4b3443f394a5e

SHA256
034ed385274b5de6c4120302848a40f2eff0174aa027bf82d37454828b167455

SHA512
9cc0273aa4f7f995b975ec88522ea09c5ffc9452e4a6a3b41979b6f47008fbb0da0ac7c139274c6dea1f148b23e89a4f07d72a73dea95e59f160e2c60ca1c851

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
1b6ca54dbf4ab24e218429c07ff93999

SHA1
379638e67f69095413564a40c0e4b3443f394a5e

SHA256
034ed385274b5de6c4120302848a40f2eff0174aa027bf82d37454828b167455

SHA512
9cc0273aa4f7f995b975ec88522ea09c5ffc9452e4a6a3b41979b6f47008fbb0da0ac7c139274c6dea1f148b23e89a4f07d72a73dea95e59f160e2c60ca1c851

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
1b6ca54dbf4ab24e218429c07ff93999

SHA1
379638e67f69095413564a40c0e4b3443f394a5e

SHA256
034ed385274b5de6c4120302848a40f2eff0174aa027bf82d37454828b167455

SHA512
9cc0273aa4f7f995b975ec88522ea09c5ffc9452e4a6a3b41979b6f47008fbb0da0ac7c139274c6dea1f148b23e89a4f07d72a73dea95e59f160e2c60ca1c851

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
1b6ca54dbf4ab24e218429c07ff93999

SHA1
379638e67f69095413564a40c0e4b3443f394a5e

SHA256
034ed385274b5de6c4120302848a40f2eff0174aa027bf82d37454828b167455

SHA512
9cc0273aa4f7f995b975ec88522ea09c5ffc9452e4a6a3b41979b6f47008fbb0da0ac7c139274c6dea1f148b23e89a4f07d72a73dea95e59f160e2c60ca1c851

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
1b6ca54dbf4ab24e218429c07ff93999

SHA1
379638e67f69095413564a40c0e4b3443f394a5e

SHA256
034ed385274b5de6c4120302848a40f2eff0174aa027bf82d37454828b167455

SHA512
9cc0273aa4f7f995b975ec88522ea09c5ffc9452e4a6a3b41979b6f47008fbb0da0ac7c139274c6dea1f148b23e89a4f07d72a73dea95e59f160e2c60ca1c851

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
1b6ca54dbf4ab24e218429c07ff93999

SHA1
379638e67f69095413564a40c0e4b3443f394a5e

SHA256
034ed385274b5de6c4120302848a40f2eff0174aa027bf82d37454828b167455

SHA512
9cc0273aa4f7f995b975ec88522ea09c5ffc9452e4a6a3b41979b6f47008fbb0da0ac7c139274c6dea1f148b23e89a4f07d72a73dea95e59f160e2c60ca1c851

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\񒴏񒴏񔅐񒔉񔄎񒄥񒄾񒀮exe
MD5
a55ef9dcbb88023626f80aafdecfd00e

SHA1
19cc787693b1a37857f878d27824b4016eebcb7d

SHA256
b57da60a5704d073af34f18ef6b07f2cd236c1994ded14e57ece4c049686e091

SHA512
44b3c568eb0ece6e70f78a6a1ab1e56614844a70da74a5e65d622172a0c688bc98c633be3e70f4d0ce4d7d1b6aa59d59a4957e255c3a1977e9b6e7e3012d5b72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\񒴏񒴏񔅐񒔉񔄎񒄥񒄾񒀮exe
MD5
a55ef9dcbb88023626f80aafdecfd00e

SHA1
19cc787693b1a37857f878d27824b4016eebcb7d

SHA256
b57da60a5704d073af34f18ef6b07f2cd236c1994ded14e57ece4c049686e091

SHA512
44b3c568eb0ece6e70f78a6a1ab1e56614844a70da74a5e65d622172a0c688bc98c633be3e70f4d0ce4d7d1b6aa59d59a4957e255c3a1977e9b6e7e3012d5b72

Download Submit
C:\Users\Public\8D9E927358F0E450365F21C7CBB7996EDFF5C6F92A853E877E85154F384B2AD7
MD5
439b165ee4a1afb35254b73079575945

SHA1
96a0605a535d6bef1385009fa76083109b7a46cd

SHA256
d037ba098ed2cdbc4b78f126aedecf7e5972d71cfc9a534ebf51820b870f6859

SHA512
764858d137feb099d003610d9694e2cbef2a3d1ac97ad529164dfbda256b151ebbcd42a6499de5bdbeea562c1a917d947ab37988df97701d71a8faf7b02b36dc

Download Submit
C:\Users\Public\Desktop\Adobe Reader 9.lnk.xls
MD5
16640ae24f18d013bd2d9ce10e91207a

SHA1
323c9991caf26de5541695eaf2087ee91b38dc3c

SHA256
b4c5a2df09568688f94946a98dad7b2148908506a0f7f9caf810d5b59d84855a

SHA512
e8875714eef7f56de2b1508be726a5752ccc93c9a75d574c57560dbf9230a66e50f700a19437cef99763ec57971a06391ea46211c7d244a2619de6ccc03644c7

Download Submit
C:\Users\Public\Desktop\Firefox.lnk.xls
MD5
9431a1c7404e359fe0079cca54a38244

SHA1
4d592b394d23ac2c0e98b7511951381ea95b4673

SHA256
750b1a1055a194729c51d8f8ab6785a975b2bfb561ff69e5a072a7ecb0afc2e8

SHA512
02481960ab0aa54ae636e1fbebf7eb8482e70857585cf9c14f66866b40c9372be71fe7a91037b13adabf8f57787222fb66d74a725b9cd3d4da447ea125ade709

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk.xls
MD5
a6d2395feccae88c26f1b3d50a39c012

SHA1
d6c8a54cf5b8399b20219429f2eb77b933388cb4

SHA256
a990ed6ee249d7095b3b2896918b3a32ee615ebeaa0d4029d0697f9f6667a243

SHA512
de4ea08187d9d39b34c6025b9cd39a2a57755eeb60cf28c9f9a408d2ff8c6d6eae848f514decaea28042214e68b971868a7991d24194618346cbbb32f8ccf61d

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk.xls
MD5
93d8061eed471d2edfdc7fde00dc3beb

SHA1
1fb74a919c80a858826619139368055dfca35cd0

SHA256
708f84ad364081706f620cb8ea30c8707feb80bedd7cdd0442166c8893a1f30e

SHA512
1e80e89f81a6ddc45c785e8552ce11d3521f6b033c1fb8455e621a54db54d00ee399a0bd29b682ce76a9d007dd97c9744694a11105c789ad88d8b78fea58f4a0

Download Submit
C:\Users\Public\Desktop\read-me.txt
MD5
9acd61347f96494262581f105f9e78fa

SHA1
1332ade0e642da63d5bb1014ac4a62971127fcd6

SHA256
b7f4a55988028fda076aac16f544782b47074bc681da25364f25814c6ad8cf19

SHA512
59d6659a036095a5be3b59cd4dc61b675c72c9a79e36cd04ac2c331b9b159cd520878e96e0c12e8774c019ff8cf727da57fbfdca5c11f0a914f25f0e34d5685c

Download Submit
C:\Windows\Resources\Themes\ᡈᠾᡍᡃᡐᠾ᠏ᠾᠫ᠓᠑ᡑᠡᠿ᠍\svchost.exe
MD5
a55ef9dcbb88023626f80aafdecfd00e

SHA1
19cc787693b1a37857f878d27824b4016eebcb7d

SHA256
b57da60a5704d073af34f18ef6b07f2cd236c1994ded14e57ece4c049686e091

SHA512
44b3c568eb0ece6e70f78a6a1ab1e56614844a70da74a5e65d622172a0c688bc98c633be3e70f4d0ce4d7d1b6aa59d59a4957e255c3a1977e9b6e7e3012d5b72

Download Submit
C:\Windows\Resources\Themes\ᡈᠾᡍᡃᡐᠾ᠏ᠾᠫ᠓᠑ᡑᠡᠿ᠍\svchost.exe
MD5
a55ef9dcbb88023626f80aafdecfd00e

SHA1
19cc787693b1a37857f878d27824b4016eebcb7d

SHA256
b57da60a5704d073af34f18ef6b07f2cd236c1994ded14e57ece4c049686e091

SHA512
44b3c568eb0ece6e70f78a6a1ab1e56614844a70da74a5e65d622172a0c688bc98c633be3e70f4d0ce4d7d1b6aa59d59a4957e255c3a1977e9b6e7e3012d5b72

Download Submit
\??\M:\BOOTSECT.BAK.MME
MD5
673ccf33720c3853946c2e9857c77317

SHA1
a9e9c54d781db81c8f91ccc84abd026760be21e0

SHA256
f75ae248f973f9e93f1961d97b09bbc09ea3ec309a4b9add4bc7e555c08c70b1

SHA512
01eeb827434413787763d745c19358d3ee5be101d62674b8d794eb3cef1c4c609fd48c26a0207dff6272af6adf8e46301a1289f32ebab7b803f56ca3264169b4

Download Submit
\??\M:\Boot\BCD.LOG1.MME
MD5
6997818b7e7f6816ef7ccc222058f0a5

SHA1
630070301d6a99b39e6edff5d77503e48ffce84c

SHA256
92a596998f41da2b065b4ac1152e8bc436920896b26311851aebeb341408c938

SHA512
1664886cfa6419924501aca042f3635e65969f9a2e30c469efb0d7c229f96502e21b1ddc8695a48eeceaf73cfd78ed6f0fbbc8112164bd18239a6aa87eff2122

Download Submit
\??\M:\Boot\BCD.LOG2.MME
MD5
3ff6777209c2fe8f165aa8977b5aec30

SHA1
5925ccc5bdf77655acd276ac68d17d03f85385fe

SHA256
61cfff37e0d3812b5fe8f890eb09ea0150d73d58a1a868afe1bfd514b5ed6ac0

SHA512
66d6186de2436ff5d60f4754d05eeefe2df65670f5d80f68ef987aab56efe03331f42ae820926ca3071d27bb682b1cea86f16a986af10a04e52b5f38f565e545

Download Submit
\??\M:\Boot\BOOTSTAT.DAT.MME
MD5
4baec6485ab3868171f3518e5190e46e

SHA1
b68b4fa7aa2252cb4b7c5e13fb3360b20eea5ecc

SHA256
2b02040ba52fbb55da02b2674ba0601d3fb6b5f3fd8741f7e9a2ceac6206f6cf

SHA512
93c583a609004b9d41c22fa8e46424bd0c248ec4d44caf273f8582a1e994d2593aacf87458dcddb013cf4ae41caf38ec49e8ea82c65e6314c027f355a6ac127f

Download Submit
\??\M:\Boot\Read_Me.txt
MD5
ccea90e67a7cc72e2cefe04bdff115d1

SHA1
e03dc4516415443a4ac08ab436b61686a2d7eae2

SHA256
9b974c897f7b5d498dacf2afa5dd0ee437392fbd19af7884d8939b76f2d34b15

SHA512
0ae74409a3cf908a3990c7ea28310c0121a55e678b498c7059ad8a6b44e045607eb59acef2dd56ab63c909cff923e95fea7dd712c2825dd0aad1c293acb12969

Download Submit
\??\M:\Read_Me.txt
MD5
31bcf9dbf0ee64278eb447c7d89e92f5

SHA1
dad309b9c1a60713494f47189061ac9eca67b703

SHA256
bb4ce2132443114fdb3662f8bda2cbd7c6342ba5dbbc1400a7492f4313b9a1f4

SHA512
bb61b4577298f662a755be0a7c48f25948f6453f547b528895ed56f33aabb36eb370490d22abf9c87574e1a1c868e88b98566a6228a8f748eb54202197f62673

Download Submit
\Users\Admin\AppData\LocalLow\FflibsFder.tmp\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\FflibsFder.tmp\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\FflibsFder.tmp\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\LocalLow\FflibsFder.tmp\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\FflibsFder.tmp\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\FflibsFder.tmp\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\Local\Temp\26B4.exe
MD5
e03cf8b5db7580f2ac89868800d9481c

SHA1
7c97261b5ea86b5b84881ed4cc2394062742c14e

SHA256
92e463a3267d079981cbcce21f01b7a6e911d667e89c2fa98270247579499b66

SHA512
9dfac446d570bf4f74abd1da9e1a92dae6b6d37793097464b14fb19384a19bd3e75043d74c5c2b404d667d6e5f2fac0267a5d343fb5af53546c5498c5171f239

Download Submit
\Users\Admin\AppData\Local\Temp\26B4.exe
MD5
e03cf8b5db7580f2ac89868800d9481c

SHA1
7c97261b5ea86b5b84881ed4cc2394062742c14e

SHA256
92e463a3267d079981cbcce21f01b7a6e911d667e89c2fa98270247579499b66

SHA512
9dfac446d570bf4f74abd1da9e1a92dae6b6d37793097464b14fb19384a19bd3e75043d74c5c2b404d667d6e5f2fac0267a5d343fb5af53546c5498c5171f239

Download Submit
\Users\Admin\AppData\Local\Temp\26B4.exe
MD5
e03cf8b5db7580f2ac89868800d9481c

SHA1
7c97261b5ea86b5b84881ed4cc2394062742c14e

SHA256
92e463a3267d079981cbcce21f01b7a6e911d667e89c2fa98270247579499b66

SHA512
9dfac446d570bf4f74abd1da9e1a92dae6b6d37793097464b14fb19384a19bd3e75043d74c5c2b404d667d6e5f2fac0267a5d343fb5af53546c5498c5171f239

Download Submit
\Users\Admin\AppData\Local\Temp\8799e5c6-fd91-4333-897c-e6f0f7fbbd99\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\8799e5c6-fd91-4333-897c-e6f0f7fbbd99\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\8799e5c6-fd91-4333-897c-e6f0f7fbbd99\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\8799e5c6-fd91-4333-897c-e6f0f7fbbd99\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\8D16.exe
MD5
a55ef9dcbb88023626f80aafdecfd00e

SHA1
19cc787693b1a37857f878d27824b4016eebcb7d

SHA256
b57da60a5704d073af34f18ef6b07f2cd236c1994ded14e57ece4c049686e091

SHA512
44b3c568eb0ece6e70f78a6a1ab1e56614844a70da74a5e65d622172a0c688bc98c633be3e70f4d0ce4d7d1b6aa59d59a4957e255c3a1977e9b6e7e3012d5b72

Download Submit
\Users\Admin\AppData\Local\Temp\932F.exe
MD5
bf6c69f9ca692937062ac51b8d70c6c1

SHA1
b70f3bd1ee7ac687f64b9cea11b443546b98ebe1

SHA256
77181bf77dde9838240d6ae57aaf37d2e96cc089a5bdd8c530a9b5195c290851

SHA512
8122bcd5da063dff21d7164809aa42a6d64aa9183928e95a208fa346c60301405dd00d62768be528dfff25effd38d0416845062b706e828ad7c74ce3ad1d8d8f

Download Submit
\Users\Admin\AppData\Local\Temp\98EA.exe
MD5
3e4d35c8737cd48a67651ed5bd8fa0e3

SHA1
66fa7009f0b9321ed0d8e465822e83e0a8676c2f

SHA256
83a567afc934f93d8e01a940759a2f53e73adeb88814ec08a5faa7523953d64f

SHA512
e7019a2839b31d718e6598e746dbcc025ea76e3e372f45ebf272a8bc716e7d3020f05ea24daf883ada80694cc97558fb3c96aff70d2620386f8c59d9c75abad3

Download Submit
\Users\Admin\AppData\Local\Temp\98EA.exe
MD5
3e4d35c8737cd48a67651ed5bd8fa0e3

SHA1
66fa7009f0b9321ed0d8e465822e83e0a8676c2f

SHA256
83a567afc934f93d8e01a940759a2f53e73adeb88814ec08a5faa7523953d64f

SHA512
e7019a2839b31d718e6598e746dbcc025ea76e3e372f45ebf272a8bc716e7d3020f05ea24daf883ada80694cc97558fb3c96aff70d2620386f8c59d9c75abad3

Download Submit
\Users\Admin\AppData\Local\Temp\98EA.exe
MD5
3e4d35c8737cd48a67651ed5bd8fa0e3

SHA1
66fa7009f0b9321ed0d8e465822e83e0a8676c2f

SHA256
83a567afc934f93d8e01a940759a2f53e73adeb88814ec08a5faa7523953d64f

SHA512
e7019a2839b31d718e6598e746dbcc025ea76e3e372f45ebf272a8bc716e7d3020f05ea24daf883ada80694cc97558fb3c96aff70d2620386f8c59d9c75abad3

Download Submit
\Users\Admin\AppData\Local\Temp\98EA.exe
MD5
3e4d35c8737cd48a67651ed5bd8fa0e3

SHA1
66fa7009f0b9321ed0d8e465822e83e0a8676c2f

SHA256
83a567afc934f93d8e01a940759a2f53e73adeb88814ec08a5faa7523953d64f

SHA512
e7019a2839b31d718e6598e746dbcc025ea76e3e372f45ebf272a8bc716e7d3020f05ea24daf883ada80694cc97558fb3c96aff70d2620386f8c59d9c75abad3

Download Submit
\Users\Admin\AppData\Local\Temp\98EA.exe
MD5
3e4d35c8737cd48a67651ed5bd8fa0e3

SHA1
66fa7009f0b9321ed0d8e465822e83e0a8676c2f

SHA256
83a567afc934f93d8e01a940759a2f53e73adeb88814ec08a5faa7523953d64f

SHA512
e7019a2839b31d718e6598e746dbcc025ea76e3e372f45ebf272a8bc716e7d3020f05ea24daf883ada80694cc97558fb3c96aff70d2620386f8c59d9c75abad3

Download Submit
\Users\Admin\AppData\Local\Temp\BC84.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\񒴏񒴏񔅐񒔉񔄎񒄥񒄾񒀮exe
MD5
a55ef9dcbb88023626f80aafdecfd00e

SHA1
19cc787693b1a37857f878d27824b4016eebcb7d

SHA256
b57da60a5704d073af34f18ef6b07f2cd236c1994ded14e57ece4c049686e091

SHA512
44b3c568eb0ece6e70f78a6a1ab1e56614844a70da74a5e65d622172a0c688bc98c633be3e70f4d0ce4d7d1b6aa59d59a4957e255c3a1977e9b6e7e3012d5b72

Download Submit
memory/284-281-0x0000000002570000-0x00000000031BA000-memory.dmp

Filesize
12.3MB

Download
memory/284-261-0x0000000000000000-mapping.dmp

Download
memory/284-275-0x0000000002570000-0x00000000031BA000-memory.dmp

Filesize
12.3MB

Download
memory/284-285-0x0000000002570000-0x00000000031BA000-memory.dmp

Filesize
12.3MB

Download
memory/320-93-0x0000000000250000-0x00000000002DE000-memory.dmp

Filesize
568KB

Download
memory/320-221-0x0000000002310000-0x0000000002F5A000-memory.dmp

Filesize
12.3MB

Download
memory/320-171-0x0000000000000000-mapping.dmp

Download
memory/320-60-0x0000000000000000-mapping.dmp

Download
memory/320-62-0x0000000002D38000-0x0000000002D87000-memory.dmp

Filesize
316KB

Download
memory/320-206-0x0000000002310000-0x0000000002F5A000-memory.dmp

Filesize
12.3MB

Download
memory/320-228-0x0000000002310000-0x0000000002F5A000-memory.dmp

Filesize
12.3MB

Download
memory/320-95-0x0000000000400000-0x0000000002BB6000-memory.dmp

Filesize
39.7MB

Download
memory/384-67-0x000000013F4F0000-0x000000013F4F1000-memory.dmp

Filesize
4KB

Download
memory/384-64-0x0000000000000000-mapping.dmp

Download
memory/384-82-0x000000001BC00000-0x000000001BCD5000-memory.dmp

Filesize
852KB

Download
memory/384-91-0x0000000000700000-0x000000000071D000-memory.dmp

Filesize
116KB

Download
memory/384-144-0x0000000002446000-0x0000000002465000-memory.dmp

Filesize
124KB

Download
memory/384-97-0x00000000021F0000-0x00000000021F8000-memory.dmp

Filesize
32KB

Download
memory/384-80-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/384-81-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/384-78-0x0000000002440000-0x0000000002442000-memory.dmp

Filesize
8KB

Download
memory/384-71-0x000000001B9A0000-0x000000001BB07000-memory.dmp

Filesize
1.4MB

Download
memory/384-79-0x000000001AC50000-0x000000001AD5D000-memory.dmp

Filesize
1.1MB

Download
memory/560-242-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/560-235-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/560-231-0x0000000000000000-mapping.dmp

Download
memory/812-72-0x0000000004680000-0x00000000046C3000-memory.dmp

Filesize
268KB

Download
memory/812-73-0x0000000004711000-0x0000000004712000-memory.dmp

Filesize
4KB

Download
memory/812-77-0x0000000004713000-0x0000000004714000-memory.dmp

Filesize
4KB

Download
memory/812-76-0x0000000004714000-0x0000000004716000-memory.dmp

Filesize
8KB

Download
memory/812-69-0x0000000000000000-mapping.dmp

Download
memory/812-74-0x0000000004750000-0x0000000004792000-memory.dmp

Filesize
264KB

Download
memory/812-75-0x0000000004712000-0x0000000004713000-memory.dmp

Filesize
4KB

Download
memory/948-168-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/948-158-0x0000000000000000-mapping.dmp

Download
memory/968-278-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/968-262-0x0000000000000000-mapping.dmp

Download
memory/968-277-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/968-283-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/976-98-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/976-101-0x0000000000402E2C-mapping.dmp

Download
memory/976-99-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/976-100-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1144-227-0x0000000002360000-0x0000000002FAA000-memory.dmp

Filesize
12.3MB

Download
memory/1144-222-0x0000000002360000-0x0000000002FAA000-memory.dmp

Filesize
12.3MB

Download
memory/1144-211-0x0000000002360000-0x0000000002FAA000-memory.dmp

Filesize
12.3MB

Download
memory/1144-175-0x0000000000000000-mapping.dmp

Download
memory/1148-117-0x0000000000000000-mapping.dmp

Download
memory/1152-56-0x0000000000402F18-mapping.dmp

Download
memory/1152-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1152-57-0x0000000074B91000-0x0000000074B93000-memory.dmp

Filesize
8KB

Download
memory/1252-84-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1252-94-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1252-88-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1252-87-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1252-85-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1252-86-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1252-89-0x00000000004A195D-mapping.dmp

Download
memory/1376-59-0x0000000002A10000-0x0000000002A25000-memory.dmp

Filesize
84KB

Download
memory/1376-113-0x00000000047E0000-0x00000000047F6000-memory.dmp

Filesize
88KB

Download
memory/1516-114-0x0000000000000000-mapping.dmp

Download
memory/1516-115-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/1544-54-0x0000000002C68000-0x0000000002C71000-memory.dmp

Filesize
36KB

Download
memory/1544-58-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/1568-146-0x0000000000720000-0x0000000000742000-memory.dmp

Filesize
136KB

Download
memory/1568-145-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/1568-138-0x0000000000000000-mapping.dmp

Download
memory/1568-141-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1648-126-0x0000000005200000-0x0000000005276000-memory.dmp

Filesize
472KB

Download
memory/1648-125-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/1648-122-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/1648-119-0x0000000000000000-mapping.dmp

Download
memory/1664-116-0x0000000000000000-mapping.dmp

Download
memory/1672-169-0x0000000000180000-0x00000000001F5000-memory.dmp

Filesize
468KB

Download
memory/1672-170-0x0000000000110000-0x000000000017B000-memory.dmp

Filesize
428KB

Download
memory/1672-167-0x0000000070BE1000-0x0000000070BE3000-memory.dmp

Filesize
8KB

Download
memory/1672-165-0x0000000000000000-mapping.dmp

Download
memory/1740-207-0x00000000023C0000-0x000000000300A000-memory.dmp

Filesize
12.3MB

Download
memory/1740-224-0x00000000023C0000-0x000000000300A000-memory.dmp

Filesize
12.3MB

Download
memory/1740-173-0x0000000000000000-mapping.dmp

Download
memory/1748-135-0x0000000000000000-mapping.dmp

Download
memory/1760-246-0x0000000000409F20-mapping.dmp

Download
memory/1800-148-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1800-149-0x0000000000409F20-mapping.dmp

Download
memory/1800-152-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1816-263-0x0000000000000000-mapping.dmp

Download
memory/1816-276-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download
memory/1816-282-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download
memory/1816-280-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download
memory/1820-203-0x00000000024F0000-0x000000000313A000-memory.dmp

Filesize
12.3MB

Download
memory/1820-172-0x0000000000000000-mapping.dmp

Download
memory/1876-267-0x0000000000000000-mapping.dmp

Download
memory/1876-274-0x00000000024E0000-0x000000000312A000-memory.dmp

Filesize
12.3MB

Download
memory/1876-284-0x00000000024E0000-0x000000000312A000-memory.dmp

Filesize
12.3MB

Download
memory/1876-279-0x00000000024E0000-0x000000000312A000-memory.dmp

Filesize
12.3MB

Download
memory/1924-257-0x0000000000000000-mapping.dmp

Download
memory/1996-156-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1996-153-0x0000000000000000-mapping.dmp

Download
memory/2044-129-0x0000000000000000-mapping.dmp

Download
memory/2076-177-0x0000000000000000-mapping.dmp

Download
memory/2076-226-0x0000000002350000-0x0000000002F9A000-memory.dmp

Filesize
12.3MB

Download
memory/2076-210-0x0000000002350000-0x0000000002F9A000-memory.dmp

Filesize
12.3MB

Download
memory/2076-223-0x0000000002350000-0x0000000002F9A000-memory.dmp

Filesize
12.3MB

Download
memory/2092-176-0x0000000000000000-mapping.dmp

Download
memory/2092-186-0x00000000000E0000-0x00000000000EC000-memory.dmp

Filesize
48KB

Download
memory/2092-183-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2116-179-0x0000000000000000-mapping.dmp

Download
memory/2116-185-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2152-225-0x00000000003A2000-0x00000000003A4000-memory.dmp

Filesize
8KB

Download
memory/2152-220-0x00000000003A1000-0x00000000003A2000-memory.dmp

Filesize
4KB

Download
memory/2152-181-0x0000000000000000-mapping.dmp

Download
memory/2152-208-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2196-243-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/2196-233-0x0000000000000000-mapping.dmp

Download
memory/2196-237-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/2260-189-0x0000000000000000-mapping.dmp

Download
memory/2260-205-0x00000000023F0000-0x000000000303A000-memory.dmp

Filesize
12.3MB

Download
memory/2344-195-0x0000000000000000-mapping.dmp

Download
memory/2552-209-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2552-212-0x0000000000407CA0-mapping.dmp

Download
memory/2552-214-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2564-272-0x0000000000407CA0-mapping.dmp

Download
memory/2672-298-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2672-289-0x0000000000000000-mapping.dmp

Download
memory/2720-259-0x0000000000000000-mapping.dmp

Download
memory/2720-297-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/2720-290-0x0000000000000000-mapping.dmp

Download
memory/2884-288-0x00000000023A0000-0x0000000002FEA000-memory.dmp

Filesize
12.3MB

Download
memory/2884-287-0x00000000023A0000-0x0000000002FEA000-memory.dmp

Filesize
12.3MB

Download
memory/2884-286-0x00000000023A0000-0x0000000002FEA000-memory.dmp

Filesize
12.3MB

Download
memory/2884-264-0x0000000000000000-mapping.dmp

Download
memory/2892-229-0x000007FEFB711000-0x000007FEFB713000-memory.dmp

Filesize
8KB

Download