buran | 8b59d8f1ea4fb412eb2064b4243c6f2dcc4efd26b78e3eae92c9daf6f6a70b7b

Analysis

max time kernel
153s
max time network
140s
platform
windows7_x64
resource
win7v20210408
submitted
08-10-2021 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d1e2ef175fcb07d039f702890c6d25c.exe
Size

165KB
MD5

3d1e2ef175fcb07d039f702890c6d25c
SHA1

e6f90a294184278ba6d23487527b3f5fc822b164
SHA256

8b59d8f1ea4fb412eb2064b4243c6f2dcc4efd26b78e3eae92c9daf6f6a70b7b
SHA512

a2ff1aa1d9330db61e204ded129caf0350fd4f9d34154872f2fe71836d5435cf9527c4a5c1e3ae3b1b3dece08e184151973dd50133988793f83da936b000101a

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: payransom500@mail2tor.com and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: payransom500@mail2tor.com Telegram @payransom500 Btc 500$ adress bc1qas8m3c2jv4uyurxacdt99ujj6gp6xt4tqeul8l Your personal ID: AFE-D41-E68 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

payransom500@mail2tor.com

Extracted

Family

smokeloader

Version

2020

http://fazanaharahe10.top/

http://xandelissane20.top/

http://ustiassosale30.top/

http://cytheriata40.top/

http://ggiergionard50.top/

rc4.i32

Extracted

Family

raccoon

Version

1.8.2

Botnet

2ea41939378a473cbe7002fd507389778c0f10e7

Attributes

url4cnc
http://teletop.top/stevuitreen
http://teleta.top/stevuitreen
https://t.me/stevuitreen

rc4.plain

Extracted

Family

vidar

Version

41.2

Botnet

1033

https://mas.to/@serg4325

Attributes

profile_id
1033

Extracted

Family

raccoon

Version

1.8.2

Botnet

8d179b9e611eee525425544ee8c6d77360ab7cd9

Attributes

url4cnc
http://teletop.top/agrybirdsgamerept
http://teleta.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

MIX7

185.237.165.181:58506

Extracted

Family

raccoon

Version

1.8.2

Botnet

c95bfeb977df680e3fb35c1ce322d091ffdbaf92

Attributes

url4cnc
http://teletop.top/vvhotsummer
http://teleta.top/vvhotsummer
https://t.me/vvhotsummer

rc4.plain

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1892-120-0x00000000006E0000-0x00000000006FC000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1748-76-0x0000000002E10000-0x0000000002EE6000-memory.dmp	family_vidar
behavioral1/memory/1748-88-0x0000000000400000-0x0000000002E10000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 16 IoCs

Processes:

E4D3.exeEC05.exeF549.exe7D1.exeAED.exe1451.exe25EE.exesqtvvs.exe3422.exesvcli.exefilename.exeBot_bottov768674.exepay.exetaskeng.exetaskeng.exesqtvvs.exe

pid	process
2004	E4D3.exe
1748	EC05.exe
1732	F549.exe
816	7D1.exe
1892	AED.exe
1624	1451.exe
1440	25EE.exe
768	sqtvvs.exe
1612	3422.exe
2188	svcli.exe
2244	filename.exe
2324	Bot_bottov768674.exe
2408	pay.exe
2536	taskeng.exe
3024	taskeng.exe
2372	sqtvvs.exe

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\25EE.exe	vmprotect
behavioral1/memory/1440-126-0x0000000000E60000-0x00000000015B6000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\25EE.exe	vmprotect
\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe	vmprotect
behavioral1/memory/768-138-0x0000000001000000-0x0000000001756000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe	vmprotect

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7D1.exe3422.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7D1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3422.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3422.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7D1.exe

Deletes itself 1 IoCs

Processes:

pid process

1228

pid	process
1228

Loads dropped DLL 17 IoCs

Processes:

WerFault.exeWerFault.exe25EE.exe7D1.exeAED.exe3422.exepay.exe

pid	process
1416	WerFault.exe
1416	WerFault.exe
1416	WerFault.exe
1416	WerFault.exe
1416	WerFault.exe
1416	WerFault.exe
1416	WerFault.exe
904	WerFault.exe
904	WerFault.exe
904	WerFault.exe
904	WerFault.exe
1440	25EE.exe
816	7D1.exe
1892	AED.exe
1612	3422.exe
2408	pay.exe
2408	pay.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7D1.exe	themida
behavioral1/memory/816-102-0x0000000001330000-0x0000000001331000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\3422.exe	themida
behavioral1/memory/1612-145-0x0000000000AA0000-0x0000000000AA1000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pay.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	pay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	pay.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

7D1.exe3422.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7D1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3422.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskeng.exe

description	ioc	process
File opened (read-only)	\??\E:	taskeng.exe
File opened (read-only)	\??\B:	taskeng.exe
File opened (read-only)	\??\A:	taskeng.exe
File opened (read-only)	\??\K:	taskeng.exe
File opened (read-only)	\??\Y:	taskeng.exe
File opened (read-only)	\??\V:	taskeng.exe
File opened (read-only)	\??\U:	taskeng.exe
File opened (read-only)	\??\Q:	taskeng.exe
File opened (read-only)	\??\P:	taskeng.exe
File opened (read-only)	\??\O:	taskeng.exe
File opened (read-only)	\??\N:	taskeng.exe
File opened (read-only)	\??\H:	taskeng.exe
File opened (read-only)	\??\Z:	taskeng.exe
File opened (read-only)	\??\X:	taskeng.exe
File opened (read-only)	\??\W:	taskeng.exe
File opened (read-only)	\??\R:	taskeng.exe
File opened (read-only)	\??\I:	taskeng.exe
File opened (read-only)	\??\G:	taskeng.exe
File opened (read-only)	\??\T:	taskeng.exe
File opened (read-only)	\??\S:	taskeng.exe
File opened (read-only)	\??\M:	taskeng.exe
File opened (read-only)	\??\L:	taskeng.exe
File opened (read-only)	\??\J:	taskeng.exe
File opened (read-only)	\??\F:	taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

66 geoiptool.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

7D1.exe3422.exe

pid process

816 7D1.exe
1612 3422.exe

flow	ioc
66	geoiptool.com

pid	process
816	7D1.exe
1612	3422.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

3d1e2ef175fcb07d039f702890c6d25c.exeBot_bottov768674.exesvcli.exe

description	pid	process	target process
PID 1684 set thread context of 1496	1684	3d1e2ef175fcb07d039f702890c6d25c.exe	3d1e2ef175fcb07d039f702890c6d25c.exe
PID 2324 set thread context of 2760	2324	Bot_bottov768674.exe	RegSvcs.exe
PID 2188 set thread context of 1356	2188	svcli.exe	RegSvcs.exe

Drops file in Program Files directory 64 IoCs

Processes:

taskeng.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.ja_5.5.0.165303.jar	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.runtime_3.10.0.v20140318-2214.jar	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Enderbury	taskeng.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\SPACER.GIF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\RADAR.WAV.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Paramaribo.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18248_.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART15.BDR.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02450_.WMF.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN110.XML	taskeng.exe
File opened for modification	C:\Program Files\ConfirmCopy.csv.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01357_.WMF.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02446_.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00114_.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImages.bmp	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_pressed.gif.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_zh_4.4.0.v20140623020002.jar.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Oriel.eftx	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Whitehorse.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02398_.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03012U.BMP	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR24F.GIF.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\VOLTAGE.WAV.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21519_.GIF	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Resolute	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate.css	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC.HXS.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151063.WMF.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02265_.WMF.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02048_.WMF	taskeng.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00006_.WMF.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\STOPICON.JPG	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00917_.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301480.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_OFF.GIF.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\London	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222021.WMF.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18234_.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\UnformattedNumeric.jpg.@payransom500.AFE-D41-E68	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR46B.GIF	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar	taskeng.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1416 2004 WerFault.exe E4D3.exe
904 1748 WerFault.exe EC05.exe

pid	pid_target	process	target process
1416	2004	WerFault.exe	E4D3.exe
904	1748	WerFault.exe	EC05.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3d1e2ef175fcb07d039f702890c6d25c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3d1e2ef175fcb07d039f702890c6d25c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3d1e2ef175fcb07d039f702890c6d25c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3d1e2ef175fcb07d039f702890c6d25c.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1392 schtasks.exe
2128 schtasks.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

992 vssadmin.exe
2288 vssadmin.exe

pid	process
1392	schtasks.exe
2128	schtasks.exe

pid	process
992	vssadmin.exe
2288	vssadmin.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

pay.exetaskeng.exeEC05.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pay.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	taskeng.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	taskeng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	EC05.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	EC05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	pay.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3d1e2ef175fcb07d039f702890c6d25c.exe

pid	process
1496	3d1e2ef175fcb07d039f702890c6d25c.exe
1496	3d1e2ef175fcb07d039f702890c6d25c.exe
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

WerFault.exeWerFault.exe

pid process

1228
1416 WerFault.exe
904 WerFault.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3d1e2ef175fcb07d039f702890c6d25c.exe

pid process

1496 3d1e2ef175fcb07d039f702890c6d25c.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

RegSvcs.exe

pid process

1356 RegSvcs.exe

pid	process
1228
1416	WerFault.exe
904	WerFault.exe

pid	process
1356	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exeAED.exeWerFault.exe7D1.exe3422.exepay.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1416	WerFault.exe
Token: SeShutdownPrivilege	1228
Token: SeShutdownPrivilege	1228
Token: SeShutdownPrivilege	1228
Token: SeDebugPrivilege	1892	AED.exe
Token: SeDebugPrivilege	904	WerFault.exe
Token: SeShutdownPrivilege	1228
Token: SeDebugPrivilege	816	7D1.exe
Token: SeShutdownPrivilege	1228
Token: SeShutdownPrivilege	1228
Token: SeDebugPrivilege	1612	3422.exe
Token: SeShutdownPrivilege	1228
Token: SeDebugPrivilege	2408	pay.exe
Token: SeDebugPrivilege	2408	pay.exe
Token: SeIncreaseQuotaPrivilege	2988	WMIC.exe
Token: SeSecurityPrivilege	2988	WMIC.exe
Token: SeTakeOwnershipPrivilege	2988	WMIC.exe
Token: SeLoadDriverPrivilege	2988	WMIC.exe
Token: SeSystemProfilePrivilege	2988	WMIC.exe
Token: SeSystemtimePrivilege	2988	WMIC.exe
Token: SeProfSingleProcessPrivilege	2988	WMIC.exe
Token: SeIncBasePriorityPrivilege	2988	WMIC.exe
Token: SeCreatePagefilePrivilege	2988	WMIC.exe
Token: SeBackupPrivilege	2988	WMIC.exe
Token: SeRestorePrivilege	2988	WMIC.exe
Token: SeShutdownPrivilege	2988	WMIC.exe
Token: SeDebugPrivilege	2988	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2988	WMIC.exe
Token: SeRemoteShutdownPrivilege	2988	WMIC.exe
Token: SeUndockPrivilege	2988	WMIC.exe
Token: SeManageVolumePrivilege	2988	WMIC.exe
Token: 33	2988	WMIC.exe
Token: 34	2988	WMIC.exe
Token: 35	2988	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1992	WMIC.exe
Token: SeSecurityPrivilege	1992	WMIC.exe
Token: SeTakeOwnershipPrivilege	1992	WMIC.exe
Token: SeLoadDriverPrivilege	1992	WMIC.exe
Token: SeSystemProfilePrivilege	1992	WMIC.exe
Token: SeSystemtimePrivilege	1992	WMIC.exe
Token: SeProfSingleProcessPrivilege	1992	WMIC.exe
Token: SeIncBasePriorityPrivilege	1992	WMIC.exe
Token: SeCreatePagefilePrivilege	1992	WMIC.exe
Token: SeBackupPrivilege	1992	WMIC.exe
Token: SeRestorePrivilege	1992	WMIC.exe
Token: SeShutdownPrivilege	1992	WMIC.exe
Token: SeDebugPrivilege	1992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1992	WMIC.exe
Token: SeRemoteShutdownPrivilege	1992	WMIC.exe
Token: SeUndockPrivilege	1992	WMIC.exe
Token: SeManageVolumePrivilege	1992	WMIC.exe
Token: 33	1992	WMIC.exe
Token: 34	1992	WMIC.exe
Token: 35	1992	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1992	WMIC.exe
Token: SeSecurityPrivilege	1992	WMIC.exe
Token: SeTakeOwnershipPrivilege	1992	WMIC.exe
Token: SeLoadDriverPrivilege	1992	WMIC.exe
Token: SeSystemProfilePrivilege	1992	WMIC.exe
Token: SeSystemtimePrivilege	1992	WMIC.exe
Token: SeProfSingleProcessPrivilege	1992	WMIC.exe
Token: SeIncBasePriorityPrivilege	1992	WMIC.exe
Token: SeCreatePagefilePrivilege	1992	WMIC.exe
Token: SeBackupPrivilege	1992	WMIC.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

pid process

1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

pid process

1228
1228
1228
1228
1228

pid	process
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228

pid	process
1228
1228
1228
1228
1228

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3d1e2ef175fcb07d039f702890c6d25c.exeE4D3.exeEC05.exe25EE.exesqtvvs.execmd.exe7D1.exe

description	pid	process	target process
PID 1684 wrote to memory of 1496	1684	3d1e2ef175fcb07d039f702890c6d25c.exe	3d1e2ef175fcb07d039f702890c6d25c.exe
PID 1684 wrote to memory of 1496	1684	3d1e2ef175fcb07d039f702890c6d25c.exe	3d1e2ef175fcb07d039f702890c6d25c.exe
PID 1684 wrote to memory of 1496	1684	3d1e2ef175fcb07d039f702890c6d25c.exe	3d1e2ef175fcb07d039f702890c6d25c.exe
PID 1684 wrote to memory of 1496	1684	3d1e2ef175fcb07d039f702890c6d25c.exe	3d1e2ef175fcb07d039f702890c6d25c.exe
PID 1684 wrote to memory of 1496	1684	3d1e2ef175fcb07d039f702890c6d25c.exe	3d1e2ef175fcb07d039f702890c6d25c.exe
PID 1684 wrote to memory of 1496	1684	3d1e2ef175fcb07d039f702890c6d25c.exe	3d1e2ef175fcb07d039f702890c6d25c.exe
PID 1684 wrote to memory of 1496	1684	3d1e2ef175fcb07d039f702890c6d25c.exe	3d1e2ef175fcb07d039f702890c6d25c.exe
PID 1228 wrote to memory of 2004	1228		E4D3.exe
PID 1228 wrote to memory of 2004	1228		E4D3.exe
PID 1228 wrote to memory of 2004	1228		E4D3.exe
PID 1228 wrote to memory of 2004	1228		E4D3.exe
PID 1228 wrote to memory of 1748	1228		EC05.exe
PID 1228 wrote to memory of 1748	1228		EC05.exe
PID 1228 wrote to memory of 1748	1228		EC05.exe
PID 1228 wrote to memory of 1748	1228		EC05.exe
PID 1228 wrote to memory of 1732	1228		F549.exe
PID 1228 wrote to memory of 1732	1228		F549.exe
PID 1228 wrote to memory of 1732	1228		F549.exe
PID 1228 wrote to memory of 1732	1228		F549.exe
PID 2004 wrote to memory of 1416	2004	E4D3.exe	WerFault.exe
PID 2004 wrote to memory of 1416	2004	E4D3.exe	WerFault.exe
PID 2004 wrote to memory of 1416	2004	E4D3.exe	WerFault.exe
PID 2004 wrote to memory of 1416	2004	E4D3.exe	WerFault.exe
PID 1228 wrote to memory of 816	1228		7D1.exe
PID 1228 wrote to memory of 816	1228		7D1.exe
PID 1228 wrote to memory of 816	1228		7D1.exe
PID 1228 wrote to memory of 816	1228		7D1.exe
PID 1228 wrote to memory of 1892	1228		AED.exe
PID 1228 wrote to memory of 1892	1228		AED.exe
PID 1228 wrote to memory of 1892	1228		AED.exe
PID 1228 wrote to memory of 1892	1228		AED.exe
PID 1748 wrote to memory of 904	1748	EC05.exe	WerFault.exe
PID 1748 wrote to memory of 904	1748	EC05.exe	WerFault.exe
PID 1748 wrote to memory of 904	1748	EC05.exe	WerFault.exe
PID 1748 wrote to memory of 904	1748	EC05.exe	WerFault.exe
PID 1228 wrote to memory of 1624	1228		1451.exe
PID 1228 wrote to memory of 1624	1228		1451.exe
PID 1228 wrote to memory of 1624	1228		1451.exe
PID 1228 wrote to memory of 1624	1228		1451.exe
PID 1228 wrote to memory of 1440	1228		25EE.exe
PID 1228 wrote to memory of 1440	1228		25EE.exe
PID 1228 wrote to memory of 1440	1228		25EE.exe
PID 1228 wrote to memory of 1440	1228		25EE.exe
PID 1440 wrote to memory of 768	1440	25EE.exe	sqtvvs.exe
PID 1440 wrote to memory of 768	1440	25EE.exe	sqtvvs.exe
PID 1440 wrote to memory of 768	1440	25EE.exe	sqtvvs.exe
PID 1440 wrote to memory of 768	1440	25EE.exe	sqtvvs.exe
PID 1228 wrote to memory of 1612	1228		3422.exe
PID 1228 wrote to memory of 1612	1228		3422.exe
PID 1228 wrote to memory of 1612	1228		3422.exe
PID 1228 wrote to memory of 1612	1228		3422.exe
PID 768 wrote to memory of 1296	768	sqtvvs.exe	cmd.exe
PID 768 wrote to memory of 1296	768	sqtvvs.exe	cmd.exe
PID 768 wrote to memory of 1296	768	sqtvvs.exe	cmd.exe
PID 768 wrote to memory of 1296	768	sqtvvs.exe	cmd.exe
PID 768 wrote to memory of 1392	768	sqtvvs.exe	schtasks.exe
PID 768 wrote to memory of 1392	768	sqtvvs.exe	schtasks.exe
PID 768 wrote to memory of 1392	768	sqtvvs.exe	schtasks.exe
PID 768 wrote to memory of 1392	768	sqtvvs.exe	schtasks.exe
PID 1296 wrote to memory of 1492	1296	cmd.exe	reg.exe
PID 1296 wrote to memory of 1492	1296	cmd.exe	reg.exe
PID 1296 wrote to memory of 1492	1296	cmd.exe	reg.exe
PID 1296 wrote to memory of 1492	1296	cmd.exe	reg.exe
PID 816 wrote to memory of 2188	816	7D1.exe	svcli.exe

C:\Users\Admin\AppData\Local\Temp\3d1e2ef175fcb07d039f702890c6d25c.exe
"C:\Users\Admin\AppData\Local\Temp\3d1e2ef175fcb07d039f702890c6d25c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\3d1e2ef175fcb07d039f702890c6d25c.exe
"C:\Users\Admin\AppData\Local\Temp\3d1e2ef175fcb07d039f702890c6d25c.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1496

C:\Users\Admin\AppData\Local\Temp\E4D3.exe
C:\Users\Admin\AppData\Local\Temp\E4D3.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 432
2⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Users\Admin\AppData\Local\Temp\EC05.exe
C:\Users\Admin\AppData\Local\Temp\EC05.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 868
2⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Users\Admin\AppData\Local\Temp\F549.exe
C:\Users\Admin\AppData\Local\Temp\F549.exe
1⤵
- Executes dropped EXE
PID:1732

C:\Users\Admin\AppData\Local\Temp\7D1.exe
C:\Users\Admin\AppData\Local\Temp\7D1.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Temp\svcli.exe
"C:\Users\Admin\AppData\Local\Temp\svcli.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2188

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLgDLcX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFE4C.tmp"
3⤵
- Creates scheduled task(s)
PID:2128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious behavior: SetClipboardViewer
PID:1356

C:\Users\Admin\AppData\Local\Temp\AED.exe
C:\Users\Admin\AppData\Local\Temp\AED.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Users\Admin\AppData\Local\Temp\filename.exe
"C:\Users\Admin\AppData\Local\Temp\filename.exe"
2⤵
- Executes dropped EXE
PID:2244

C:\ProgramData\pay.exe
"C:\ProgramData\pay.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
4⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
PID:2536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
5⤵
PID:2868

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
5⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
5⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
5⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
5⤵
PID:2956

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
6⤵
- Interacts with shadow copies
PID:992

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
5⤵
PID:3000

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
6⤵
- Interacts with shadow copies
PID:2288

C:\Windows\SysWOW64\notepad.exe
notepad.exe
4⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\1451.exe
C:\Users\Admin\AppData\Local\Temp\1451.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Users\Admin\AppData\Local\Temp\25EE.exe
C:\Users\Admin\AppData\Local\Temp\25EE.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
"C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
3⤵
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
4⤵
PID:1492

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
3⤵
- Creates scheduled task(s)
PID:1392

C:\Users\Admin\AppData\Local\Temp\3422.exe
C:\Users\Admin\AppData\Local\Temp\3422.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Users\Admin\AppData\Local\Temp\Bot_bottov768674.exe
"C:\Users\Admin\AppData\Local\Temp\Bot_bottov768674.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:2760

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2256

C:\Windows\system32\taskeng.exe
taskeng.exe {5FDF861C-A331-432F-AE80-B1BD8AACF257} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
2⤵
- Executes dropped EXE
PID:2372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pay.exe
MD5
9c13ab7b79aec8dc02869999773cd4b2

SHA1
4b4d865132329e0dd1d129e85fc4fa9ad0c1d206

SHA256
774ef04333c3fb2a6a4407654e28c2900c62bd202ad6e5909336eb9bc180d279

SHA512
3854d8b8fc71f6ff48232839c5a2463ad2f94c6560fc57765a36da8121fdae5975a0334c1424a5fff7a3c7c3a4129f31cd8f14df6425d9f7ccdcf0a0e15724cf

Download Submit
C:\ProgramData\pay.exe
MD5
9c13ab7b79aec8dc02869999773cd4b2

SHA1
4b4d865132329e0dd1d129e85fc4fa9ad0c1d206

SHA256
774ef04333c3fb2a6a4407654e28c2900c62bd202ad6e5909336eb9bc180d279

SHA512
3854d8b8fc71f6ff48232839c5a2463ad2f94c6560fc57765a36da8121fdae5975a0334c1424a5fff7a3c7c3a4129f31cd8f14df6425d9f7ccdcf0a0e15724cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
123ce078f265a756c5ce19625077105d

SHA1
a42e1e043112724f7ff8c1ef6c47388481ea29cf

SHA256
d8f9429e9c2c97768ebbba5e4ff1f05a3ac98444aaad5013bbec671eed423b6f

SHA512
2b4e1587c0c31544dcb7e101ec8cd942c0a488175bf71dc0d840ff6858246326f30ea0268cec17333889787462775c6091fd218e89685fe213957d8b031d4288

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
b0a06d7c0ec787a055614a5b261a56f9

SHA1
416ecbc2c20e635eab68b5120e49e015533d68ec

SHA256
7a34b9593dd3149888d57722cdf3460544e87d2b2dff55e3ec210e4b635bfe20

SHA512
fe62ed5e32ae5eee79dfccdbac9cf33faba21cdbeb0a9e6e11a8e1dc3051ecea530670f81f2daa3d869badc88806cdb66b34437a59e935be8e5686ef4a1af6e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
8f439021290aa6bf8af3da275aeca450

SHA1
f52db4ca1c156995e612063ba10b68e19ce16d6d

SHA256
90d9d61871087772c554bd45271bb8c7f018e219b2bc692f08766ad6adec45f1

SHA512
599c96987d5ebf9c4546003265b6727a10787b048bfbf7662301776e345f7b7ba416a6df96dad63e31a96d77ef45f260dd81495d61dad215305593692425e5cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
f6a64ddc3eb2974d7e6398b77ef2f2d2

SHA1
fa42f4f85c810b333fca011eb6f69b8c94ebaf51

SHA256
b4d473cef25749bab10b19f819fd92bbaca3b969b21a7cdf9c07784d4c5d27a4

SHA512
8e31c485189cfcfe4b4615e8b08f6d5c415e826067e19b11ec0aab49387d9dcbbf3cd4487a52ddfe9f07914cd63ef9becc4f1f4b40d9315b3985500636350b54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
69183ed4db0361b6d465fb2a2758710d

SHA1
5f27750e1bdd4afce3ee9220d41e6a8549466771

SHA256
6503c600541b3e30c756f180416681ab2adb0fab4afd57b7c949bb79eec85220

SHA512
9565a0c5235ab5771db4a45751aa8967649bb37f042afb1ea0fa3ae5051f523a94918ff92ca92042372c069ef44c72db895d37c811efa287d8d453e07b004b9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
b8d8c0356e8e187756030544323e1c78

SHA1
2f874fcca531c0f1f6b236d47b657e85fcaa77de

SHA256
8c72964701be45e5db3b6c2d4438ef8d7a5c04d1f48c763e0446a3e9fa50aaa2

SHA512
258067a7ce1b370d21e0f0fcfa5e1499f82e05de551ae3aafa394a01710b19c1f930061567c50c43edb1453e32a7807e935d8a45c01514e10ed417104af82175

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
d65edfb46e6c192f7b37def7f4b37d96

SHA1
681571797fdd6107f1df003cb5c8d8fb2551845c

SHA256
39e7211e2e58f667f45119696fbc4f9037f248869d0aa22f02e43e784b10da2d

SHA512
c74c44fe70a703acaae2f66ed67c2916b94422cbb0821ed27b1e8960933dde2166283077d3281107fcb048114bc9f3a5f260af6a9cee6ac36d5a6407dad1280c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
7a7956636d19d728067fd492b16b9940

SHA1
c4232c282f58e0cd988fef2e20955b5a1778b127

SHA256
8473ad400a8d6c72892cf45ae079e6f0fa82d105ecd8ff6fbe2e44308e2e0552

SHA512
7dc9e54cf3ccbe8c585b0d7e833cd46c066b08951995824a02cde6a50e7b0ea2be1117fcc3c4fe20bda7f5f99e1e8b7b1557f2de50e2a00c6144097027e6d189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D4X32ZLU\OSQZCRT6.htm
MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L1Y3K90W\LYVSGSQ1.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\1451.exe
MD5
61ac16369c6228d0e762519946fae610

SHA1
851bff728927da7f5245488c5abb9b7787b0fa85

SHA256
9ab460a5a88fb1c145c85a43bb56211c9209d650d25318f128a6a7f429b6bf45

SHA512
c9c5d689e86dfec882fa43d183d176b6cbec36a205c8ab53352f0c6c73b202472fe80f0324a741b220331a7273e5ac68fdcc4f199560d50c865739fa51ad2aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\15212455352368107708
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\15212455352368107708
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\25EE.exe
MD5
9dcec4cd98534038775474bedc66a237

SHA1
37c4e6955d492ba77b8b3101a46c0d9056a1620d

SHA256
9b7927979f7205cc87f772dafa96ab34b9914c205f42a18de80d7eaec8bb9871

SHA512
84c5d078c10fd1912004c98535096f16a8ffcd25f0387037ebc6482d1d6b501a455c5e59f5774b14f142d6222c6930f1a65cd923e89e865fc4a5c2a5d600ad01

Download Submit
C:\Users\Admin\AppData\Local\Temp\25EE.exe
MD5
9dcec4cd98534038775474bedc66a237

SHA1
37c4e6955d492ba77b8b3101a46c0d9056a1620d

SHA256
9b7927979f7205cc87f772dafa96ab34b9914c205f42a18de80d7eaec8bb9871

SHA512
84c5d078c10fd1912004c98535096f16a8ffcd25f0387037ebc6482d1d6b501a455c5e59f5774b14f142d6222c6930f1a65cd923e89e865fc4a5c2a5d600ad01

Download Submit
C:\Users\Admin\AppData\Local\Temp\3422.exe
MD5
4c65a9ca5daa3a5c2253f97921def28c

SHA1
0b0f69d7a1df109c4bf21c3fa22595bcbe83a1c1

SHA256
6a623648d1e44d8966e35890baa148cbbc3160e978de078c78045d1e6d3a848e

SHA512
b0e28023cedfbafd70fe41a9f9706bf2f874923360f2e2cc68e2e13deacf81715cd2a70c83933e54eaa2d840d69daf82b593d2457c0aa1b5e68832c2cf555370

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
MD5
9dcec4cd98534038775474bedc66a237

SHA1
37c4e6955d492ba77b8b3101a46c0d9056a1620d

SHA256
9b7927979f7205cc87f772dafa96ab34b9914c205f42a18de80d7eaec8bb9871

SHA512
84c5d078c10fd1912004c98535096f16a8ffcd25f0387037ebc6482d1d6b501a455c5e59f5774b14f142d6222c6930f1a65cd923e89e865fc4a5c2a5d600ad01

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
MD5
9dcec4cd98534038775474bedc66a237

SHA1
37c4e6955d492ba77b8b3101a46c0d9056a1620d

SHA256
9b7927979f7205cc87f772dafa96ab34b9914c205f42a18de80d7eaec8bb9871

SHA512
84c5d078c10fd1912004c98535096f16a8ffcd25f0387037ebc6482d1d6b501a455c5e59f5774b14f142d6222c6930f1a65cd923e89e865fc4a5c2a5d600ad01

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
MD5
9dcec4cd98534038775474bedc66a237

SHA1
37c4e6955d492ba77b8b3101a46c0d9056a1620d

SHA256
9b7927979f7205cc87f772dafa96ab34b9914c205f42a18de80d7eaec8bb9871

SHA512
84c5d078c10fd1912004c98535096f16a8ffcd25f0387037ebc6482d1d6b501a455c5e59f5774b14f142d6222c6930f1a65cd923e89e865fc4a5c2a5d600ad01

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D1.exe
MD5
57b5f410bba704152ed728ae30b26665

SHA1
755da63fac5d2f95d600253a0a94e4d19c62eb96

SHA256
2dbeea7c52d13a743dbdbdde06da28d1616ea6b1d765684fd3ec1a8f44040269

SHA512
670a23161098b3c990f5c1c07ad86cb3fb14a61a62460f2e016d660331c07353a809ed5da92fa32e0e1d84512d8325fa3ecc896c0c2c10e1e8a6762a34cc416c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AED.exe
MD5
42161cff637993d514d1cc15ad5229af

SHA1
03ae4b56ba6f0fa6612d45f1f336fcc059d76178

SHA256
66a92814d6e3eab407e0c49e9dd10a21b093dbd79e7b3dd2c89367c94658e3f3

SHA512
722eeb2176d94254edf52a32ecd95eede02e0c518d924059520471e4232626b76041f9e6dcc586a8abc5a632ed013891c3dd92264cf891131a08d1baa0cadc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AED.exe
MD5
42161cff637993d514d1cc15ad5229af

SHA1
03ae4b56ba6f0fa6612d45f1f336fcc059d76178

SHA256
66a92814d6e3eab407e0c49e9dd10a21b093dbd79e7b3dd2c89367c94658e3f3

SHA512
722eeb2176d94254edf52a32ecd95eede02e0c518d924059520471e4232626b76041f9e6dcc586a8abc5a632ed013891c3dd92264cf891131a08d1baa0cadc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bot_bottov768674.exe
MD5
8e0be060385c07d8e8860749f9c721c3

SHA1
18d38d893ded507b058266857633083d1fbdbac5

SHA256
46c8ac53157328105a599fd431f76664c79b597ab7686e12897b2d07043f8d2b

SHA512
8950b31c5615b8518894d0222d49d9f447a76b3e0c67556e31503bbdf899a7e3eaf352b18d22207b1752289c6d4520b77369fc5a5b43efcd86d9b37eaf1ade30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bot_bottov768674.exe
MD5
8e0be060385c07d8e8860749f9c721c3

SHA1
18d38d893ded507b058266857633083d1fbdbac5

SHA256
46c8ac53157328105a599fd431f76664c79b597ab7686e12897b2d07043f8d2b

SHA512
8950b31c5615b8518894d0222d49d9f447a76b3e0c67556e31503bbdf899a7e3eaf352b18d22207b1752289c6d4520b77369fc5a5b43efcd86d9b37eaf1ade30

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4D3.exe
MD5
20fe1450230d861579e323ffd7ba5485

SHA1
971e83ba0ff1cbbdc9e1ac1ff6cd1c9ae38ce633

SHA256
0cbd381e5c415c904ab13ab415f549b5b5711831fd20f46975c83fb4e03fc9e3

SHA512
abf22e174d97ffe32dcaa14277e9f658e5e3c2d47c21efd40be2d645cb3639534cc22c73de59c83d0e9485fffe17e9064b40f953de42b8bd9d28da95d2ff753f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4D3.exe
MD5
20fe1450230d861579e323ffd7ba5485

SHA1
971e83ba0ff1cbbdc9e1ac1ff6cd1c9ae38ce633

SHA256
0cbd381e5c415c904ab13ab415f549b5b5711831fd20f46975c83fb4e03fc9e3

SHA512
abf22e174d97ffe32dcaa14277e9f658e5e3c2d47c21efd40be2d645cb3639534cc22c73de59c83d0e9485fffe17e9064b40f953de42b8bd9d28da95d2ff753f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC05.exe
MD5
047b7730310a945e1a587c5395c0638a

SHA1
685e18a8f11c49fcd2829cd79fb4acdcd254f2fa

SHA256
4ecf8f85d92f0d00fe80c0c8f7140888f8804b4834b94472960067fa54584a79

SHA512
f3ad7a1cdb85c051a6fcd0fa415c242bf77bf9ee9ce4f571ecb16d4f28292e0f1ccf6d84ea9db0b71a88ecb0bc3946df6ac77526dfd7f3054f3c68a8ebc49120

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC05.exe
MD5
047b7730310a945e1a587c5395c0638a

SHA1
685e18a8f11c49fcd2829cd79fb4acdcd254f2fa

SHA256
4ecf8f85d92f0d00fe80c0c8f7140888f8804b4834b94472960067fa54584a79

SHA512
f3ad7a1cdb85c051a6fcd0fa415c242bf77bf9ee9ce4f571ecb16d4f28292e0f1ccf6d84ea9db0b71a88ecb0bc3946df6ac77526dfd7f3054f3c68a8ebc49120

Download Submit
C:\Users\Admin\AppData\Local\Temp\F549.exe
MD5
a17c071fb4c0c7efe7c0c3020d6d9e12

SHA1
f6f0e87deca0fdfe3f3f87921d07fa89ed9cfb59

SHA256
f302db2e7293cac08f7c95cb9ffaa0066e85db088747b80c8e42855d8fe29e1a

SHA512
cb871e46f858bf7fbb391a5de2b39dc74356c15ed1b183960f4ec42c9ca67311726647f88618a31d8a9a16194dcdf0c4e660cfc75a2c09c7cce8b7a436ee9400

Download Submit
C:\Users\Admin\AppData\Local\Temp\filename.exe
MD5
4498fc49ef44442a2727cde9dc9c6aef

SHA1
bbe773c15ee59ab0ac0b2bb2d3d2a660ef84b16a

SHA256
e53ea20c7026e81930009f61c70ebba16de4bad0ee8211203422ecad3f2c9412

SHA512
1411170c8c131348cae3a69dbef01f127640435bdb48184d84ceae716273d2425b9e6328513c33db81b4b47dff6d39896389f3267c92f51e2e1efd9201294de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\filename.exe
MD5
4498fc49ef44442a2727cde9dc9c6aef

SHA1
bbe773c15ee59ab0ac0b2bb2d3d2a660ef84b16a

SHA256
e53ea20c7026e81930009f61c70ebba16de4bad0ee8211203422ecad3f2c9412

SHA512
1411170c8c131348cae3a69dbef01f127640435bdb48184d84ceae716273d2425b9e6328513c33db81b4b47dff6d39896389f3267c92f51e2e1efd9201294de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svcli.exe
MD5
1e6dd03f819ceb81293623cbf88505d3

SHA1
90a4237bd0a54e9d964805520477f11ae6859dc2

SHA256
9a2204f9f2ee0f3c5331b88a148770b0ab6bfcb6fa4452c040ef1245418a6dbf

SHA512
6aaf95d8b4209d233802ec0aaab55c29d3d5e500b00925c1bd6219035f022edf73e884d16a2b89a615a82b832e405b454f104eabc768916833193f0882b44e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\svcli.exe
MD5
1e6dd03f819ceb81293623cbf88505d3

SHA1
90a4237bd0a54e9d964805520477f11ae6859dc2

SHA256
9a2204f9f2ee0f3c5331b88a148770b0ab6bfcb6fa4452c040ef1245418a6dbf

SHA512
6aaf95d8b4209d233802ec0aaab55c29d3d5e500b00925c1bd6219035f022edf73e884d16a2b89a615a82b832e405b454f104eabc768916833193f0882b44e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
9c13ab7b79aec8dc02869999773cd4b2

SHA1
4b4d865132329e0dd1d129e85fc4fa9ad0c1d206

SHA256
774ef04333c3fb2a6a4407654e28c2900c62bd202ad6e5909336eb9bc180d279

SHA512
3854d8b8fc71f6ff48232839c5a2463ad2f94c6560fc57765a36da8121fdae5975a0334c1424a5fff7a3c7c3a4129f31cd8f14df6425d9f7ccdcf0a0e15724cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
9c13ab7b79aec8dc02869999773cd4b2

SHA1
4b4d865132329e0dd1d129e85fc4fa9ad0c1d206

SHA256
774ef04333c3fb2a6a4407654e28c2900c62bd202ad6e5909336eb9bc180d279

SHA512
3854d8b8fc71f6ff48232839c5a2463ad2f94c6560fc57765a36da8121fdae5975a0334c1424a5fff7a3c7c3a4129f31cd8f14df6425d9f7ccdcf0a0e15724cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
9c13ab7b79aec8dc02869999773cd4b2

SHA1
4b4d865132329e0dd1d129e85fc4fa9ad0c1d206

SHA256
774ef04333c3fb2a6a4407654e28c2900c62bd202ad6e5909336eb9bc180d279

SHA512
3854d8b8fc71f6ff48232839c5a2463ad2f94c6560fc57765a36da8121fdae5975a0334c1424a5fff7a3c7c3a4129f31cd8f14df6425d9f7ccdcf0a0e15724cf

Download Submit
\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
MD5
9dcec4cd98534038775474bedc66a237

SHA1
37c4e6955d492ba77b8b3101a46c0d9056a1620d

SHA256
9b7927979f7205cc87f772dafa96ab34b9914c205f42a18de80d7eaec8bb9871

SHA512
84c5d078c10fd1912004c98535096f16a8ffcd25f0387037ebc6482d1d6b501a455c5e59f5774b14f142d6222c6930f1a65cd923e89e865fc4a5c2a5d600ad01

Download Submit
\Users\Admin\AppData\Local\Temp\Bot_bottov768674.exe
MD5
8e0be060385c07d8e8860749f9c721c3

SHA1
18d38d893ded507b058266857633083d1fbdbac5

SHA256
46c8ac53157328105a599fd431f76664c79b597ab7686e12897b2d07043f8d2b

SHA512
8950b31c5615b8518894d0222d49d9f447a76b3e0c67556e31503bbdf899a7e3eaf352b18d22207b1752289c6d4520b77369fc5a5b43efcd86d9b37eaf1ade30

Download Submit
\Users\Admin\AppData\Local\Temp\E4D3.exe
MD5
20fe1450230d861579e323ffd7ba5485

SHA1
971e83ba0ff1cbbdc9e1ac1ff6cd1c9ae38ce633

SHA256
0cbd381e5c415c904ab13ab415f549b5b5711831fd20f46975c83fb4e03fc9e3

SHA512
abf22e174d97ffe32dcaa14277e9f658e5e3c2d47c21efd40be2d645cb3639534cc22c73de59c83d0e9485fffe17e9064b40f953de42b8bd9d28da95d2ff753f

Download Submit
\Users\Admin\AppData\Local\Temp\E4D3.exe
MD5
20fe1450230d861579e323ffd7ba5485

SHA1
971e83ba0ff1cbbdc9e1ac1ff6cd1c9ae38ce633

SHA256
0cbd381e5c415c904ab13ab415f549b5b5711831fd20f46975c83fb4e03fc9e3

SHA512
abf22e174d97ffe32dcaa14277e9f658e5e3c2d47c21efd40be2d645cb3639534cc22c73de59c83d0e9485fffe17e9064b40f953de42b8bd9d28da95d2ff753f

Download Submit
\Users\Admin\AppData\Local\Temp\E4D3.exe
MD5
20fe1450230d861579e323ffd7ba5485

SHA1
971e83ba0ff1cbbdc9e1ac1ff6cd1c9ae38ce633

SHA256
0cbd381e5c415c904ab13ab415f549b5b5711831fd20f46975c83fb4e03fc9e3

SHA512
abf22e174d97ffe32dcaa14277e9f658e5e3c2d47c21efd40be2d645cb3639534cc22c73de59c83d0e9485fffe17e9064b40f953de42b8bd9d28da95d2ff753f

Download Submit
\Users\Admin\AppData\Local\Temp\E4D3.exe
MD5
20fe1450230d861579e323ffd7ba5485

SHA1
971e83ba0ff1cbbdc9e1ac1ff6cd1c9ae38ce633

SHA256
0cbd381e5c415c904ab13ab415f549b5b5711831fd20f46975c83fb4e03fc9e3

SHA512
abf22e174d97ffe32dcaa14277e9f658e5e3c2d47c21efd40be2d645cb3639534cc22c73de59c83d0e9485fffe17e9064b40f953de42b8bd9d28da95d2ff753f

Download Submit
\Users\Admin\AppData\Local\Temp\E4D3.exe
MD5
20fe1450230d861579e323ffd7ba5485

SHA1
971e83ba0ff1cbbdc9e1ac1ff6cd1c9ae38ce633

SHA256
0cbd381e5c415c904ab13ab415f549b5b5711831fd20f46975c83fb4e03fc9e3

SHA512
abf22e174d97ffe32dcaa14277e9f658e5e3c2d47c21efd40be2d645cb3639534cc22c73de59c83d0e9485fffe17e9064b40f953de42b8bd9d28da95d2ff753f

Download Submit
\Users\Admin\AppData\Local\Temp\E4D3.exe
MD5
20fe1450230d861579e323ffd7ba5485

SHA1
971e83ba0ff1cbbdc9e1ac1ff6cd1c9ae38ce633

SHA256
0cbd381e5c415c904ab13ab415f549b5b5711831fd20f46975c83fb4e03fc9e3

SHA512
abf22e174d97ffe32dcaa14277e9f658e5e3c2d47c21efd40be2d645cb3639534cc22c73de59c83d0e9485fffe17e9064b40f953de42b8bd9d28da95d2ff753f

Download Submit
\Users\Admin\AppData\Local\Temp\E4D3.exe
MD5
20fe1450230d861579e323ffd7ba5485

SHA1
971e83ba0ff1cbbdc9e1ac1ff6cd1c9ae38ce633

SHA256
0cbd381e5c415c904ab13ab415f549b5b5711831fd20f46975c83fb4e03fc9e3

SHA512
abf22e174d97ffe32dcaa14277e9f658e5e3c2d47c21efd40be2d645cb3639534cc22c73de59c83d0e9485fffe17e9064b40f953de42b8bd9d28da95d2ff753f

Download Submit
\Users\Admin\AppData\Local\Temp\EC05.exe
MD5
047b7730310a945e1a587c5395c0638a

SHA1
685e18a8f11c49fcd2829cd79fb4acdcd254f2fa

SHA256
4ecf8f85d92f0d00fe80c0c8f7140888f8804b4834b94472960067fa54584a79

SHA512
f3ad7a1cdb85c051a6fcd0fa415c242bf77bf9ee9ce4f571ecb16d4f28292e0f1ccf6d84ea9db0b71a88ecb0bc3946df6ac77526dfd7f3054f3c68a8ebc49120

Download Submit
\Users\Admin\AppData\Local\Temp\EC05.exe
MD5
047b7730310a945e1a587c5395c0638a

SHA1
685e18a8f11c49fcd2829cd79fb4acdcd254f2fa

SHA256
4ecf8f85d92f0d00fe80c0c8f7140888f8804b4834b94472960067fa54584a79

SHA512
f3ad7a1cdb85c051a6fcd0fa415c242bf77bf9ee9ce4f571ecb16d4f28292e0f1ccf6d84ea9db0b71a88ecb0bc3946df6ac77526dfd7f3054f3c68a8ebc49120

Download Submit
\Users\Admin\AppData\Local\Temp\EC05.exe
MD5
047b7730310a945e1a587c5395c0638a

SHA1
685e18a8f11c49fcd2829cd79fb4acdcd254f2fa

SHA256
4ecf8f85d92f0d00fe80c0c8f7140888f8804b4834b94472960067fa54584a79

SHA512
f3ad7a1cdb85c051a6fcd0fa415c242bf77bf9ee9ce4f571ecb16d4f28292e0f1ccf6d84ea9db0b71a88ecb0bc3946df6ac77526dfd7f3054f3c68a8ebc49120

Download Submit
\Users\Admin\AppData\Local\Temp\EC05.exe
MD5
047b7730310a945e1a587c5395c0638a

SHA1
685e18a8f11c49fcd2829cd79fb4acdcd254f2fa

SHA256
4ecf8f85d92f0d00fe80c0c8f7140888f8804b4834b94472960067fa54584a79

SHA512
f3ad7a1cdb85c051a6fcd0fa415c242bf77bf9ee9ce4f571ecb16d4f28292e0f1ccf6d84ea9db0b71a88ecb0bc3946df6ac77526dfd7f3054f3c68a8ebc49120

Download Submit
\Users\Admin\AppData\Local\Temp\filename.exe
MD5
4498fc49ef44442a2727cde9dc9c6aef

SHA1
bbe773c15ee59ab0ac0b2bb2d3d2a660ef84b16a

SHA256
e53ea20c7026e81930009f61c70ebba16de4bad0ee8211203422ecad3f2c9412

SHA512
1411170c8c131348cae3a69dbef01f127640435bdb48184d84ceae716273d2425b9e6328513c33db81b4b47dff6d39896389f3267c92f51e2e1efd9201294de3

Download Submit
\Users\Admin\AppData\Local\Temp\svcli.exe
MD5
1e6dd03f819ceb81293623cbf88505d3

SHA1
90a4237bd0a54e9d964805520477f11ae6859dc2

SHA256
9a2204f9f2ee0f3c5331b88a148770b0ab6bfcb6fa4452c040ef1245418a6dbf

SHA512
6aaf95d8b4209d233802ec0aaab55c29d3d5e500b00925c1bd6219035f022edf73e884d16a2b89a615a82b832e405b454f104eabc768916833193f0882b44e77

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
9c13ab7b79aec8dc02869999773cd4b2

SHA1
4b4d865132329e0dd1d129e85fc4fa9ad0c1d206

SHA256
774ef04333c3fb2a6a4407654e28c2900c62bd202ad6e5909336eb9bc180d279

SHA512
3854d8b8fc71f6ff48232839c5a2463ad2f94c6560fc57765a36da8121fdae5975a0334c1424a5fff7a3c7c3a4129f31cd8f14df6425d9f7ccdcf0a0e15724cf

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
9c13ab7b79aec8dc02869999773cd4b2

SHA1
4b4d865132329e0dd1d129e85fc4fa9ad0c1d206

SHA256
774ef04333c3fb2a6a4407654e28c2900c62bd202ad6e5909336eb9bc180d279

SHA512
3854d8b8fc71f6ff48232839c5a2463ad2f94c6560fc57765a36da8121fdae5975a0334c1424a5fff7a3c7c3a4129f31cd8f14df6425d9f7ccdcf0a0e15724cf

Download Submit
memory/768-138-0x0000000001000000-0x0000000001756000-memory.dmp

Filesize
7.3MB

Download
memory/768-132-0x0000000000000000-mapping.dmp

Download
memory/816-114-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/816-94-0x0000000000000000-mapping.dmp

Download
memory/816-102-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/904-116-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/904-107-0x0000000000000000-mapping.dmp

Download
memory/992-231-0x0000000000000000-mapping.dmp

Download
memory/1228-65-0x0000000002A00000-0x0000000002A16000-memory.dmp

Filesize
88KB

Download
memory/1296-148-0x0000000000000000-mapping.dmp

Download
memory/1356-246-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/1356-243-0x00000000004042AE-mapping.dmp

Download
memory/1392-149-0x0000000000000000-mapping.dmp

Download
memory/1416-90-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1416-80-0x0000000000000000-mapping.dmp

Download
memory/1440-122-0x0000000000000000-mapping.dmp

Download
memory/1440-126-0x0000000000E60000-0x00000000015B6000-memory.dmp

Filesize
7.3MB

Download
memory/1492-150-0x0000000000000000-mapping.dmp

Download
memory/1496-63-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1496-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1496-62-0x0000000000402E4E-mapping.dmp

Download
memory/1612-135-0x0000000000000000-mapping.dmp

Download
memory/1612-147-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/1612-145-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/1624-121-0x0000000006BA0000-0x000000000B67A000-memory.dmp

Filesize
74.9MB

Download
memory/1624-125-0x0000000000400000-0x0000000004F36000-memory.dmp

Filesize
75.2MB

Download
memory/1624-115-0x0000000000000000-mapping.dmp

Download
memory/1684-64-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/1684-60-0x00000000002E8000-0x00000000002F1000-memory.dmp

Filesize
36KB

Download
memory/1732-92-0x00000000004A0000-0x000000000052E000-memory.dmp

Filesize
568KB

Download
memory/1732-79-0x0000000000248000-0x0000000000297000-memory.dmp

Filesize
316KB

Download
memory/1732-93-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1732-77-0x0000000000000000-mapping.dmp

Download
memory/1748-88-0x0000000000400000-0x0000000002E10000-memory.dmp

Filesize
42.1MB

Download
memory/1748-69-0x0000000000000000-mapping.dmp

Download
memory/1748-71-0x0000000002F5B000-0x0000000002FD8000-memory.dmp

Filesize
500KB

Download
memory/1748-76-0x0000000002E10000-0x0000000002EE6000-memory.dmp

Filesize
856KB

Download
memory/1892-120-0x00000000006E0000-0x00000000006FC000-memory.dmp

Filesize
112KB

Download
memory/1892-119-0x0000000000410000-0x0000000000431000-memory.dmp

Filesize
132KB

Download
memory/1892-112-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/1892-97-0x0000000000000000-mapping.dmp

Download
memory/1892-103-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1992-233-0x0000000000000000-mapping.dmp

Download
memory/2004-68-0x0000000002CD8000-0x0000000002D27000-memory.dmp

Filesize
316KB

Download
memory/2004-66-0x0000000000000000-mapping.dmp

Download
memory/2004-74-0x0000000000400000-0x0000000002BB6000-memory.dmp

Filesize
39.7MB

Download
memory/2004-73-0x0000000000330000-0x00000000003BE000-memory.dmp

Filesize
568KB

Download
memory/2128-237-0x0000000000000000-mapping.dmp

Download
memory/2188-155-0x0000000001380000-0x0000000001381000-memory.dmp

Filesize
4KB

Download
memory/2188-165-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/2188-152-0x0000000000000000-mapping.dmp

Download
memory/2188-207-0x0000000000500000-0x0000000000511000-memory.dmp

Filesize
68KB

Download
memory/2244-181-0x000000001B9A0000-0x000000001B9A2000-memory.dmp

Filesize
8KB

Download
memory/2244-180-0x0000000002270000-0x00000000022A9000-memory.dmp

Filesize
228KB

Download
memory/2244-166-0x0000000002070000-0x00000000020AD000-memory.dmp

Filesize
244KB

Download
memory/2244-162-0x000000013F690000-0x000000013F691000-memory.dmp

Filesize
4KB

Download
memory/2244-159-0x0000000000000000-mapping.dmp

Download
memory/2288-235-0x0000000000000000-mapping.dmp

Download
memory/2324-178-0x0000000000810000-0x0000000000854000-memory.dmp

Filesize
272KB

Download
memory/2324-168-0x0000000000000000-mapping.dmp

Download
memory/2324-171-0x0000000000E00000-0x0000000000EA3000-memory.dmp

Filesize
652KB

Download
memory/2324-172-0x0000000000E00000-0x0000000000EA3000-memory.dmp

Filesize
652KB

Download
memory/2324-173-0x0000000000E00000-0x0000000000EA3000-memory.dmp

Filesize
652KB

Download
memory/2324-174-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2324-177-0x0000000075890000-0x00000000758D7000-memory.dmp

Filesize
284KB

Download
memory/2324-179-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2372-248-0x0000000000000000-mapping.dmp

Download
memory/2408-182-0x0000000000000000-mapping.dmp

Download
memory/2536-190-0x0000000000000000-mapping.dmp

Download
memory/2564-196-0x0000000000000000-mapping.dmp

Download
memory/2564-193-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2564-234-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2760-219-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/2760-217-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2760-208-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/2760-214-0x0000000000093F6E-mapping.dmp

Download
memory/2760-209-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/2760-215-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/2760-216-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/2868-220-0x0000000000000000-mapping.dmp

Download
memory/2880-221-0x0000000000000000-mapping.dmp

Download
memory/2908-222-0x0000000000000000-mapping.dmp

Download
memory/2928-223-0x0000000000000000-mapping.dmp

Download
memory/2956-224-0x0000000000000000-mapping.dmp

Download
memory/2988-226-0x0000000000000000-mapping.dmp

Download
memory/3000-225-0x0000000000000000-mapping.dmp

Download
memory/3024-228-0x0000000000000000-mapping.dmp

Download