dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7

Analysis

max time kernel
60s
max time network
119s
platform
windows7_x64
resource
win7-en-20211014
submitted
21-10-2021 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
Size

58KB
MD5

9d4458f6de6fb97b9b2a6ee9a69b62f4
SHA1

b7e91d625d95e6b6c8452c0beb4d9900da1931a2
SHA256

dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7
SHA512

a7b91a7df43fa0902192d34b556d6957954c2878f3329a347226bb2edcfa5a5c44de3e0e245bfd1bcf2efd3c4bcbbb6e7dc17528d5917798cb9795a53dd53e06

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Extracted

Path

\??\M:\Boot\cs-CZ\Read_Me.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101IYODTIYO 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101IYODTIYO

https://yip.su/2QstD5

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 14 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\283b3d01-0d90-47e7-94cf-70a022979014\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\283b3d01-0d90-47e7-94cf-70a022979014\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\283b3d01-0d90-47e7-94cf-70a022979014\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\283b3d01-0d90-47e7-94cf-70a022979014\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\283b3d01-0d90-47e7-94cf-70a022979014\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\283b3d01-0d90-47e7-94cf-70a022979014\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\283b3d01-0d90-47e7-94cf-70a022979014\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\5c565f84-73fd-4e8b-a818-89c39741e58d\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\5c565f84-73fd-4e8b-a818-89c39741e58d\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\5c565f84-73fd-4e8b-a818-89c39741e58d\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\5c565f84-73fd-4e8b-a818-89c39741e58d\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\5c565f84-73fd-4e8b-a818-89c39741e58d\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\5c565f84-73fd-4e8b-a818-89c39741e58d\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\5c565f84-73fd-4e8b-a818-89c39741e58d\AdvancedRun.exe	Nirsoft

Executes dropped EXE 7 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exesvchost.exeAdvancedRun.execonhost.exesvchost.exesvchost.exe

pid process

1532 AdvancedRun.exe
1060 AdvancedRun.exe
1484 svchost.exe
816 AdvancedRun.exe
1148 conhost.exe
1924 svchost.exe
1132 svchost.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 8 IoCs

Processes:

9d4458f6de6fb97b9b2a6ee9a69b62f4.exeAdvancedRun.exesvchost.exeAdvancedRun.exe

pid	process
1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1532	AdvancedRun.exe
1532	AdvancedRun.exe
1484	svchost.exe
1484	svchost.exe
816	AdvancedRun.exe
816	AdvancedRun.exe

Windows security modification 2 TTPs 9 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

9d4458f6de6fb97b9b2a6ee9a69b62f4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe = "0"	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\9d4458f6de6fb97b9b2a6ee9a69b62f4.exe = "0"	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9d4458f6de6fb97b9b2a6ee9a69b62f4.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\鰢鱓鰨鱗鰣鰩鱀鰢鰠鱖鰢鰠鰢鱑鰣 = "C:\\Users\\Public\\Documents\\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\\svchost.exe"	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\鰢鱓鰨鱗鰣鰩鱀鰢鰠鱖鰢鰠鰢鱑鰣 = "C:\\Users\\Public\\Documents\\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\\svchost.exe"	svchost.exe

Drops desktop.ini file(s) 10 IoCs

Processes:

9d4458f6de6fb97b9b2a6ee9a69b62f4.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\desktop.ini	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	\??\M:\$RECYCLE.BIN\S-1-5-21-2955169046-2371869340-1800780948-1000\desktop.ini	explorer.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9d4458f6de6fb97b9b2a6ee9a69b62f4.exesvchost.exe

description	ioc	process
File opened (read-only)	\??\R:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\O:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\N:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\Z:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\W:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\S:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\H:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\J:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\K:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\Y:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\L:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\B:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\F:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\G:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\I:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\X:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\V:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\Q:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\E:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\T:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\U:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\P:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\A:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\M:	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

9d4458f6de6fb97b9b2a6ee9a69b62f4.exesvchost.exe

description	pid	process	target process
PID 1424 set thread context of 1568	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
PID 1484 set thread context of 1924	1484	svchost.exe	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

9d4458f6de6fb97b9b2a6ee9a69b62f4.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vincennes	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File created	C:\Program Files\Java\jre7\lib\fonts\Read_Me.txt	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\Read_Me.txt	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\Read_Me.txt	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File created	C:\Program Files\Common Files\System\de-DE\Read_Me.txt	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDXFile_8.ico	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\YST9YDT	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.png	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\RSSFeeds.js	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File created	C:\Program Files\Internet Explorer\images\Read_Me.txt	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Resolute	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Beulah	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_chromecast_plugin.dll	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libx264_plugin.dll	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveNoDrop32x32.gif	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\mip.exe.mui	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Merida	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\Read_Me.txt	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\Read_Me.txt	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Read_Me.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\Read_Me.txt	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\DVD Maker\bod_r.TTF	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-outline.jar	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\Read_Me.txt	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\Read_Me.txt	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\Read_Me.txt	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\Read_Me.txt	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\settings.html	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.FNT	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mouseout.png	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\Read_Me.txt	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Brisbane	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\Read_Me.txt	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 10 IoCs

Processes:

explorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exe9d4458f6de6fb97b9b2a6ee9a69b62f4.exe9d4458f6de6fb97b9b2a6ee9a69b62f4.exe

pid	process
1532	AdvancedRun.exe
1532	AdvancedRun.exe
1060	AdvancedRun.exe
1060	AdvancedRun.exe
848	powershell.exe
960	powershell.exe
676	powershell.exe
1872	powershell.exe
1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
1568	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

9d4458f6de6fb97b9b2a6ee9a69b62f4.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exeexplorer.exesvchost.exeAUDIODG.EXEpowershell.exeAdvancedRun.exepowershell.exepowershell.execonhost.exepowershell.exeexplorer.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
Token: SeDebugPrivilege	1532	AdvancedRun.exe
Token: SeImpersonatePrivilege	1532	AdvancedRun.exe
Token: SeDebugPrivilege	1060	AdvancedRun.exe
Token: SeImpersonatePrivilege	1060	AdvancedRun.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeShutdownPrivilege	336	explorer.exe
Token: SeShutdownPrivilege	336	explorer.exe
Token: SeShutdownPrivilege	336	explorer.exe
Token: SeShutdownPrivilege	336	explorer.exe
Token: SeShutdownPrivilege	336	explorer.exe
Token: SeShutdownPrivilege	336	explorer.exe
Token: SeShutdownPrivilege	336	explorer.exe
Token: SeDebugPrivilege	1484	svchost.exe
Token: 33	1732	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1732	AUDIODG.EXE
Token: 33	1732	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1732	AUDIODG.EXE
Token: SeShutdownPrivilege	336	explorer.exe
Token: SeShutdownPrivilege	336	explorer.exe
Token: SeShutdownPrivilege	336	explorer.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	816	AdvancedRun.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeImpersonatePrivilege	816	AdvancedRun.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1148	conhost.exe
Token: SeImpersonatePrivilege	1148	conhost.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeDebugPrivilege	1132	svchost.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9d4458f6de6fb97b9b2a6ee9a69b62f4.exeAdvancedRun.exeexplorer.exesvchost.exeAdvancedRun.exe

description	pid	process	target process
PID 1424 wrote to memory of 848	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 1424 wrote to memory of 848	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 1424 wrote to memory of 848	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 1424 wrote to memory of 848	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 1424 wrote to memory of 676	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 1424 wrote to memory of 676	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 1424 wrote to memory of 676	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 1424 wrote to memory of 676	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 1424 wrote to memory of 960	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 1424 wrote to memory of 960	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 1424 wrote to memory of 960	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 1424 wrote to memory of 960	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 1424 wrote to memory of 1532	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	AdvancedRun.exe
PID 1424 wrote to memory of 1532	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	AdvancedRun.exe
PID 1424 wrote to memory of 1532	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	AdvancedRun.exe
PID 1424 wrote to memory of 1532	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	AdvancedRun.exe
PID 1532 wrote to memory of 1060	1532	AdvancedRun.exe	AdvancedRun.exe
PID 1532 wrote to memory of 1060	1532	AdvancedRun.exe	AdvancedRun.exe
PID 1532 wrote to memory of 1060	1532	AdvancedRun.exe	AdvancedRun.exe
PID 1532 wrote to memory of 1060	1532	AdvancedRun.exe	AdvancedRun.exe
PID 1424 wrote to memory of 1872	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 1424 wrote to memory of 1872	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 1424 wrote to memory of 1872	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 1424 wrote to memory of 1872	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 1424 wrote to memory of 1568	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
PID 1424 wrote to memory of 1568	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
PID 1424 wrote to memory of 1568	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
PID 1424 wrote to memory of 1568	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
PID 1424 wrote to memory of 1568	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
PID 1424 wrote to memory of 1568	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
PID 1424 wrote to memory of 1568	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
PID 1424 wrote to memory of 1568	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
PID 1424 wrote to memory of 1568	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
PID 1424 wrote to memory of 1568	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
PID 1424 wrote to memory of 1568	1424	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
PID 336 wrote to memory of 1484	336	explorer.exe	svchost.exe
PID 336 wrote to memory of 1484	336	explorer.exe	svchost.exe
PID 336 wrote to memory of 1484	336	explorer.exe	svchost.exe
PID 336 wrote to memory of 1484	336	explorer.exe	svchost.exe
PID 1484 wrote to memory of 1480	1484	svchost.exe	powershell.exe
PID 1484 wrote to memory of 1480	1484	svchost.exe	powershell.exe
PID 1484 wrote to memory of 1480	1484	svchost.exe	powershell.exe
PID 1484 wrote to memory of 1480	1484	svchost.exe	powershell.exe
PID 1484 wrote to memory of 1704	1484	svchost.exe	powershell.exe
PID 1484 wrote to memory of 1704	1484	svchost.exe	powershell.exe
PID 1484 wrote to memory of 1704	1484	svchost.exe	powershell.exe
PID 1484 wrote to memory of 1704	1484	svchost.exe	powershell.exe
PID 1484 wrote to memory of 1488	1484	svchost.exe	powershell.exe
PID 1484 wrote to memory of 1488	1484	svchost.exe	powershell.exe
PID 1484 wrote to memory of 1488	1484	svchost.exe	powershell.exe
PID 1484 wrote to memory of 1488	1484	svchost.exe	powershell.exe
PID 1484 wrote to memory of 816	1484	svchost.exe	AdvancedRun.exe
PID 1484 wrote to memory of 816	1484	svchost.exe	AdvancedRun.exe
PID 1484 wrote to memory of 816	1484	svchost.exe	AdvancedRun.exe
PID 1484 wrote to memory of 816	1484	svchost.exe	AdvancedRun.exe
PID 816 wrote to memory of 1148	816	AdvancedRun.exe	conhost.exe
PID 816 wrote to memory of 1148	816	AdvancedRun.exe	conhost.exe
PID 816 wrote to memory of 1148	816	AdvancedRun.exe	conhost.exe
PID 816 wrote to memory of 1148	816	AdvancedRun.exe	conhost.exe
PID 1484 wrote to memory of 1792	1484	svchost.exe	powershell.exe
PID 1484 wrote to memory of 1792	1484	svchost.exe	powershell.exe
PID 1484 wrote to memory of 1792	1484	svchost.exe	powershell.exe
PID 1484 wrote to memory of 1792	1484	svchost.exe	powershell.exe
PID 1484 wrote to memory of 1924	1484	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
"C:\Users\Admin\AppData\Local\Temp\9d4458f6de6fb97b9b2a6ee9a69b62f4.exe"
1⤵
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9d4458f6de6fb97b9b2a6ee9a69b62f4.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Users\Admin\AppData\Local\Temp\283b3d01-0d90-47e7-94cf-70a022979014\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\283b3d01-0d90-47e7-94cf-70a022979014\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\283b3d01-0d90-47e7-94cf-70a022979014\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\283b3d01-0d90-47e7-94cf-70a022979014\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\283b3d01-0d90-47e7-94cf-70a022979014\AdvancedRun.exe" /SpecialRun 4101d8 1532
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9d4458f6de6fb97b9b2a6ee9a69b62f4.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Users\Admin\AppData\Local\Temp\9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
C:\Users\Admin\AppData\Local\Temp\9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
2⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Windows\explorer.exe
explorer.exe
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe
"C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
3⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
3⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
3⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Users\Admin\AppData\Local\Temp\5c565f84-73fd-4e8b-a818-89c39741e58d\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\5c565f84-73fd-4e8b-a818-89c39741e58d\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\5c565f84-73fd-4e8b-a818-89c39741e58d\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Temp\5c565f84-73fd-4e8b-a818-89c39741e58d\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\5c565f84-73fd-4e8b-a818-89c39741e58d\AdvancedRun.exe" /SpecialRun 4101d8 816
4⤵
PID:1148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
3⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe
C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
PID:1924

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x538
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1904

C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe
"C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
3⤵
PID:112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
3⤵
PID:1796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
3⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\9716e5e4-690c-4915-9e3c-d5d46fc4ca80\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\9716e5e4-690c-4915-9e3c-d5d46fc4ca80\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\9716e5e4-690c-4915-9e3c-d5d46fc4ca80\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\9716e5e4-690c-4915-9e3c-d5d46fc4ca80\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\9716e5e4-690c-4915-9e3c-d5d46fc4ca80\AdvancedRun.exe" /SpecialRun 4101d8 1900
4⤵
PID:1372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
3⤵
PID:1540

C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe
C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe
3⤵
PID:1716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19613860873922134-1613828152-1154256999864202066178632247433488822144742678"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1580

C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe
"C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe"
2⤵
PID:1532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
3⤵
PID:1816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
3⤵
PID:1288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
3⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\34b1caab-7b7a-41c1-86ee-b623068c2b77\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\34b1caab-7b7a-41c1-86ee-b623068c2b77\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\34b1caab-7b7a-41c1-86ee-b623068c2b77\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
PID:988

C:\Users\Admin\AppData\Local\Temp\34b1caab-7b7a-41c1-86ee-b623068c2b77\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\34b1caab-7b7a-41c1-86ee-b623068c2b77\AdvancedRun.exe" /SpecialRun 4101d8 988
4⤵
PID:2076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
3⤵
PID:2148

C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe
C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe
3⤵
PID:2188

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2336

C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe
"C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe"
2⤵
PID:2492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107308.WMF
MD5
e39b30b08ced0107f01e0795c8f37c59

SHA1
7edd6d71b7f1dfb163e4a27492020aa09e9c6d62

SHA256
01efefe1edd3272726b3127dc23e3d5316bfba547ec40665b6809f8cf4ef48f8

SHA512
8dd44ba717020b4998451fdb862664de2c26b76ae64f99b4ff41d55ed07a525234151beb8fb131cf2d9c8f8234735efb98c3e32b5d005db36d7b1d0fc4bb3601

Download Submit
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107350.WMF
MD5
67aed4a2fc5d3adb03956187e95d4f80

SHA1
ea5a2f37c97d394593857b2b317c7853aa57c50d

SHA256
dfcae71de40c330068f41b783af632406a5ac8367904f00b009954e571352fd8

SHA512
9fb04afc9f0d208709fe64dffecd86e3721c5fe9e0c00969db2c77c7fe8fe84589873ed16521e92d5cc1817f16008d1b5c01bb3cbc9604076e918510b7d9e20d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Stationery\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\TextConv\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Triedit\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\VGX\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\Services\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\SpeechEngines\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\SpeechEngines\Microsoft\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\System\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\System\ado\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\System\ado\en-US\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Common Files\System\en-US\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\283b3d01-0d90-47e7-94cf-70a022979014\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\283b3d01-0d90-47e7-94cf-70a022979014\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\283b3d01-0d90-47e7-94cf-70a022979014\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c565f84-73fd-4e8b-a818-89c39741e58d\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c565f84-73fd-4e8b-a818-89c39741e58d\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c565f84-73fd-4e8b-a818-89c39741e58d\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c5b728950e7613faee3f500626b42af4

SHA1
64ece5ee3f635f270198f4ee75421b51695f1434

SHA256
3b7dcb38fe53d609ab99689efdad4629f15cb95f87265daaf69b66079f166d2d

SHA512
82166ffcfcf475804023199738fb77d788f6eb78fc9eb48cf0b6ac0d218ae8475cb8d75bd5f97096c5c29c31e0e0abeabead006fff54a01ba5025b50ddb68466

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c5b728950e7613faee3f500626b42af4

SHA1
64ece5ee3f635f270198f4ee75421b51695f1434

SHA256
3b7dcb38fe53d609ab99689efdad4629f15cb95f87265daaf69b66079f166d2d

SHA512
82166ffcfcf475804023199738fb77d788f6eb78fc9eb48cf0b6ac0d218ae8475cb8d75bd5f97096c5c29c31e0e0abeabead006fff54a01ba5025b50ddb68466

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c5b728950e7613faee3f500626b42af4

SHA1
64ece5ee3f635f270198f4ee75421b51695f1434

SHA256
3b7dcb38fe53d609ab99689efdad4629f15cb95f87265daaf69b66079f166d2d

SHA512
82166ffcfcf475804023199738fb77d788f6eb78fc9eb48cf0b6ac0d218ae8475cb8d75bd5f97096c5c29c31e0e0abeabead006fff54a01ba5025b50ddb68466

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c5b728950e7613faee3f500626b42af4

SHA1
64ece5ee3f635f270198f4ee75421b51695f1434

SHA256
3b7dcb38fe53d609ab99689efdad4629f15cb95f87265daaf69b66079f166d2d

SHA512
82166ffcfcf475804023199738fb77d788f6eb78fc9eb48cf0b6ac0d218ae8475cb8d75bd5f97096c5c29c31e0e0abeabead006fff54a01ba5025b50ddb68466

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c5b728950e7613faee3f500626b42af4

SHA1
64ece5ee3f635f270198f4ee75421b51695f1434

SHA256
3b7dcb38fe53d609ab99689efdad4629f15cb95f87265daaf69b66079f166d2d

SHA512
82166ffcfcf475804023199738fb77d788f6eb78fc9eb48cf0b6ac0d218ae8475cb8d75bd5f97096c5c29c31e0e0abeabead006fff54a01ba5025b50ddb68466

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c5b728950e7613faee3f500626b42af4

SHA1
64ece5ee3f635f270198f4ee75421b51695f1434

SHA256
3b7dcb38fe53d609ab99689efdad4629f15cb95f87265daaf69b66079f166d2d

SHA512
82166ffcfcf475804023199738fb77d788f6eb78fc9eb48cf0b6ac0d218ae8475cb8d75bd5f97096c5c29c31e0e0abeabead006fff54a01ba5025b50ddb68466

Download Submit
C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe
MD5
9d4458f6de6fb97b9b2a6ee9a69b62f4

SHA1
b7e91d625d95e6b6c8452c0beb4d9900da1931a2

SHA256
dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7

SHA512
a7b91a7df43fa0902192d34b556d6957954c2878f3329a347226bb2edcfa5a5c44de3e0e245bfd1bcf2efd3c4bcbbb6e7dc17528d5917798cb9795a53dd53e06

Download Submit
C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe
MD5
9d4458f6de6fb97b9b2a6ee9a69b62f4

SHA1
b7e91d625d95e6b6c8452c0beb4d9900da1931a2

SHA256
dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7

SHA512
a7b91a7df43fa0902192d34b556d6957954c2878f3329a347226bb2edcfa5a5c44de3e0e245bfd1bcf2efd3c4bcbbb6e7dc17528d5917798cb9795a53dd53e06

Download Submit
C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe
MD5
9d4458f6de6fb97b9b2a6ee9a69b62f4

SHA1
b7e91d625d95e6b6c8452c0beb4d9900da1931a2

SHA256
dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7

SHA512
a7b91a7df43fa0902192d34b556d6957954c2878f3329a347226bb2edcfa5a5c44de3e0e245bfd1bcf2efd3c4bcbbb6e7dc17528d5917798cb9795a53dd53e06

Download Submit
C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe
MD5
9d4458f6de6fb97b9b2a6ee9a69b62f4

SHA1
b7e91d625d95e6b6c8452c0beb4d9900da1931a2

SHA256
dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7

SHA512
a7b91a7df43fa0902192d34b556d6957954c2878f3329a347226bb2edcfa5a5c44de3e0e245bfd1bcf2efd3c4bcbbb6e7dc17528d5917798cb9795a53dd53e06

Download Submit
\??\M:\$RECYCLE.BIN\S-1-5-21-2955169046-2371869340-1800780948-1000\desktop.ini
MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\283b3d01-0d90-47e7-94cf-70a022979014\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\283b3d01-0d90-47e7-94cf-70a022979014\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\283b3d01-0d90-47e7-94cf-70a022979014\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\283b3d01-0d90-47e7-94cf-70a022979014\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\5c565f84-73fd-4e8b-a818-89c39741e58d\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\5c565f84-73fd-4e8b-a818-89c39741e58d\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\5c565f84-73fd-4e8b-a818-89c39741e58d\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\5c565f84-73fd-4e8b-a818-89c39741e58d\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/112-213-0x0000000000000000-mapping.dmp

Download
memory/112-229-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download
memory/112-179-0x0000000000000000-mapping.dmp

Download
memory/112-196-0x0000000002420000-0x000000000306A000-memory.dmp

Filesize
12.3MB

Download
memory/112-197-0x0000000002420000-0x000000000306A000-memory.dmp

Filesize
12.3MB

Download
memory/112-200-0x0000000002420000-0x000000000306A000-memory.dmp

Filesize
12.3MB

Download
memory/112-227-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download
memory/112-225-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download
memory/336-92-0x000007FEFC361000-0x000007FEFC363000-memory.dmp

Filesize
8KB

Download
memory/676-81-0x0000000002472000-0x0000000002474000-memory.dmp

Filesize
8KB

Download
memory/676-78-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/676-61-0x0000000000000000-mapping.dmp

Download
memory/676-80-0x0000000002471000-0x0000000002472000-memory.dmp

Filesize
4KB

Download
memory/816-112-0x0000000000000000-mapping.dmp

Download
memory/848-60-0x0000000000000000-mapping.dmp

Download
memory/848-82-0x00000000025A0000-0x00000000031EA000-memory.dmp

Filesize
12.3MB

Download
memory/960-63-0x0000000000000000-mapping.dmp

Download
memory/960-79-0x0000000002420000-0x000000000306A000-memory.dmp

Filesize
12.3MB

Download
memory/988-223-0x0000000000000000-mapping.dmp

Download
memory/1060-75-0x0000000000000000-mapping.dmp

Download
memory/1132-147-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/1132-141-0x0000000000000000-mapping.dmp

Download
memory/1148-119-0x0000000000000000-mapping.dmp

Download
memory/1288-212-0x0000000000000000-mapping.dmp

Download
memory/1288-222-0x00000000024A0000-0x00000000030EA000-memory.dmp

Filesize
12.3MB

Download
memory/1288-224-0x00000000024A0000-0x00000000030EA000-memory.dmp

Filesize
12.3MB

Download
memory/1288-230-0x00000000024A0000-0x00000000030EA000-memory.dmp

Filesize
12.3MB

Download
memory/1372-202-0x0000000000000000-mapping.dmp

Download
memory/1424-192-0x0000000002370000-0x0000000002FBA000-memory.dmp

Filesize
12.3MB

Download
memory/1424-55-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1424-57-0x0000000075D31000-0x0000000075D33000-memory.dmp

Filesize
8KB

Download
memory/1424-58-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/1424-194-0x0000000002370000-0x0000000002FBA000-memory.dmp

Filesize
12.3MB

Download
memory/1424-59-0x00000000047A0000-0x0000000004814000-memory.dmp

Filesize
464KB

Download
memory/1424-191-0x0000000002370000-0x0000000002FBA000-memory.dmp

Filesize
12.3MB

Download
memory/1424-181-0x0000000000000000-mapping.dmp

Download
memory/1480-127-0x0000000002450000-0x000000000309A000-memory.dmp

Filesize
12.3MB

Download
memory/1480-122-0x0000000002450000-0x000000000309A000-memory.dmp

Filesize
12.3MB

Download
memory/1480-124-0x0000000002450000-0x000000000309A000-memory.dmp

Filesize
12.3MB

Download
memory/1480-101-0x0000000000000000-mapping.dmp

Download
memory/1484-96-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/1484-94-0x0000000000000000-mapping.dmp

Download
memory/1484-99-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/1488-104-0x0000000000000000-mapping.dmp

Download
memory/1488-128-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1488-130-0x0000000002482000-0x0000000002484000-memory.dmp

Filesize
8KB

Download
memory/1488-129-0x0000000002481000-0x0000000002482000-memory.dmp

Filesize
4KB

Download
memory/1532-195-0x0000000000000000-mapping.dmp

Download
memory/1532-69-0x0000000000000000-mapping.dmp

Download
memory/1532-204-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/1540-218-0x0000000002271000-0x0000000002272000-memory.dmp

Filesize
4KB

Download
memory/1540-219-0x0000000002272000-0x0000000002274000-memory.dmp

Filesize
8KB

Download
memory/1540-206-0x0000000000000000-mapping.dmp

Download
memory/1540-217-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1568-90-0x0000000000407CA0-mapping.dmp

Download
memory/1568-91-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1568-89-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1580-178-0x000007FEF9071000-0x000007FEF9073000-memory.dmp

Filesize
8KB

Download
memory/1580-205-0x0000000003C20000-0x0000000003C21000-memory.dmp

Filesize
4KB

Download
memory/1704-125-0x00000000022D0000-0x0000000002F1A000-memory.dmp

Filesize
12.3MB

Download
memory/1704-126-0x00000000022D0000-0x0000000002F1A000-memory.dmp

Filesize
12.3MB

Download
memory/1704-102-0x0000000000000000-mapping.dmp

Download
memory/1704-123-0x00000000022D0000-0x0000000002F1A000-memory.dmp

Filesize
12.3MB

Download
memory/1716-211-0x0000000000407CA0-mapping.dmp

Download
memory/1792-135-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1792-132-0x0000000000000000-mapping.dmp

Download
memory/1792-137-0x0000000002301000-0x0000000002302000-memory.dmp

Filesize
4KB

Download
memory/1792-139-0x0000000002302000-0x0000000002304000-memory.dmp

Filesize
8KB

Download
memory/1796-180-0x0000000000000000-mapping.dmp

Download
memory/1796-189-0x0000000002280000-0x0000000002ECA000-memory.dmp

Filesize
12.3MB

Download
memory/1796-193-0x0000000002280000-0x0000000002ECA000-memory.dmp

Filesize
12.3MB

Download
memory/1796-190-0x0000000002280000-0x0000000002ECA000-memory.dmp

Filesize
12.3MB

Download
memory/1816-209-0x0000000000000000-mapping.dmp

Download
memory/1816-221-0x0000000002490000-0x00000000030DA000-memory.dmp

Filesize
12.3MB

Download
memory/1816-220-0x0000000002490000-0x00000000030DA000-memory.dmp

Filesize
12.3MB

Download
memory/1816-228-0x0000000002490000-0x00000000030DA000-memory.dmp

Filesize
12.3MB

Download
memory/1872-86-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/1872-83-0x0000000000000000-mapping.dmp

Download
memory/1872-87-0x00000000024E1000-0x00000000024E2000-memory.dmp

Filesize
4KB

Download
memory/1872-88-0x00000000024E2000-0x00000000024E4000-memory.dmp

Filesize
8KB

Download
memory/1900-187-0x0000000000000000-mapping.dmp

Download
memory/1924-138-0x0000000000407CA0-mapping.dmp

Download
memory/2076-231-0x0000000000000000-mapping.dmp

Download
memory/2148-233-0x0000000000000000-mapping.dmp

Download
memory/2148-237-0x0000000002450000-0x000000000309A000-memory.dmp

Filesize
12.3MB

Download
memory/2148-238-0x0000000002450000-0x000000000309A000-memory.dmp

Filesize
12.3MB

Download
memory/2148-239-0x0000000002450000-0x000000000309A000-memory.dmp

Filesize
12.3MB

Download
memory/2188-236-0x0000000000407CA0-mapping.dmp

Download
memory/2336-240-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download
memory/2492-241-0x0000000000000000-mapping.dmp

Download
memory/2492-242-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/2492-245-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download