phobos | e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0

Analysis

max time kernel
85s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2023 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
Size

281KB
MD5

9769c181ecef69544bbb2f974b8c0e10
SHA1

5d0f447f4ccc89d7d79c0565372195240cdfa25f
SHA256

e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0
SHA512

b3da8fea6ee5d6b67f55a4043f18d7325f1700c9f3dcb0e7cbf21f49ebdbb56b5a10a2d03153d0dfb1e8dc34db20cdea0236c448f2c361fadbabf9a6f59b4c7a
SSDEEP

3072:Z5SXIMALRKEttgCWAbi1D1fJmxIV0BN3omE9MA5yXsztcJe9:GIMpEtCCWAbiBRmE9o6

Score

10^/10

phobos smokeloader backdoor collection evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://serverlogs37.xyz/statweb255/

http://servblog757.xyz/statweb255/

http://dexblog45.xyz/statweb255/

http://admlogs.online/statweb255/

http://blogstat355.xyz/statweb255/

http://blogstatserv25.xyz/statweb255/

rc4.i32

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

980 bcdedit.exe
3968 bcdedit.exe
Renames multiple (136) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 2 IoCs

Processes:

WMIC.exepowershell.exe

flow pid process

35 3184 WMIC.exe
44 4004 powershell.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

5088 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

5088 netsh.exe
4320 netsh.exe
Drops startup file 1 IoCs

Processes:

4BE0.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\4BE0.exe 4BE0.exe
Executes dropped EXE 4 IoCs

Processes:

46EC.exe497D.exe4BE0.exe4BE0.exe

pid process

400 46EC.exe
4916 497D.exe
4428 4BE0.exe
4388 4BE0.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
980	bcdedit.exe
3968	bcdedit.exe

flow	pid	process
35	3184	WMIC.exe
44	4004	powershell.exe

pid	process
5088	wbadmin.exe

pid	process
5088	netsh.exe
4320	netsh.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\4BE0.exe	4BE0.exe

pid	process
400	46EC.exe
4916	497D.exe
4428	4BE0.exe
4388	4BE0.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4BE0.exe46EC.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4BE0 = "C:\\Users\\Admin\\AppData\\Local\\4BE0.exe"	4BE0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rhyivhytef = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rhyivhytef.exe\""	46EC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4BE0 = "C:\\Users\\Admin\\AppData\\Local\\4BE0.exe"	4BE0.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

4BE0.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4238149048-355649189-894321705-1000\desktop.ini	4BE0.exe
File opened for modification	C:\Program Files\desktop.ini	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	4BE0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

Processes:

powershell.exe

pid	process
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe

description	pid	process	target process
PID 2292 set thread context of 1780	2292	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe

Drops file in Program Files directory 64 IoCs

Processes:

4BE0.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	4BE0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\boot_ja.jar	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_CN.properties.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ppd.xrm-ms	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms	4BE0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-pl.xrm-ms	4BE0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_ja.jar.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms	4BE0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_zh_CN.jar.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\jfluid-server-15.jar.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_zh_CN.jar.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms	4BE0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS	4BE0.exe
File opened for modification	C:\Program Files\Common Files\Services\verisign.bmp	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_zh_4.4.0.v20140623020002.jar.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar	4BE0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\sa-jdi.jar.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms	4BE0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-pl.xrm-ms	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-pl.xrm-ms	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png	4BE0.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_ja.jar.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPP.HTM.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms	4BE0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_zh_CN.jar.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-compat.xml.id[A9F33F38-3483].[[email protected]].8base	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ul-oob.xrm-ms	4BE0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms	4BE0.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2744 4388 WerFault.exe 4BE0.exe

pid	pid_target	process	target process
2744	4388	WerFault.exe	4BE0.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exevds.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3808 vssadmin.exe

pid	process
3808	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe

pid	process
1780	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
1780	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3156

pid	process
3156

Suspicious behavior: MapViewOfSection 31 IoCs

Processes:

e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe

pid	process
1780	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

powershell.exe4BE0.exevssvc.exeWMIC.exewbengine.exe46EC.exe

description	pid	process
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeShutdownPrivilege	3156
Token: SeCreatePagefilePrivilege	3156
Token: SeDebugPrivilege	4428	4BE0.exe
Token: SeBackupPrivilege	4652	vssvc.exe
Token: SeRestorePrivilege	4652	vssvc.exe
Token: SeAuditPrivilege	4652	vssvc.exe
Token: SeShutdownPrivilege	3156
Token: SeCreatePagefilePrivilege	3156
Token: SeIncreaseQuotaPrivilege	3184	WMIC.exe
Token: SeSecurityPrivilege	3184	WMIC.exe
Token: SeTakeOwnershipPrivilege	3184	WMIC.exe
Token: SeLoadDriverPrivilege	3184	WMIC.exe
Token: SeSystemProfilePrivilege	3184	WMIC.exe
Token: SeSystemtimePrivilege	3184	WMIC.exe
Token: SeProfSingleProcessPrivilege	3184	WMIC.exe
Token: SeIncBasePriorityPrivilege	3184	WMIC.exe
Token: SeCreatePagefilePrivilege	3184	WMIC.exe
Token: SeBackupPrivilege	3184	WMIC.exe
Token: SeRestorePrivilege	3184	WMIC.exe
Token: SeShutdownPrivilege	3184	WMIC.exe
Token: SeDebugPrivilege	3184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3184	WMIC.exe
Token: SeRemoteShutdownPrivilege	3184	WMIC.exe
Token: SeUndockPrivilege	3184	WMIC.exe
Token: SeManageVolumePrivilege	3184	WMIC.exe
Token: 33	3184	WMIC.exe
Token: 34	3184	WMIC.exe
Token: 35	3184	WMIC.exe
Token: 36	3184	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3184	WMIC.exe
Token: SeSecurityPrivilege	3184	WMIC.exe
Token: SeTakeOwnershipPrivilege	3184	WMIC.exe
Token: SeLoadDriverPrivilege	3184	WMIC.exe
Token: SeSystemProfilePrivilege	3184	WMIC.exe
Token: SeSystemtimePrivilege	3184	WMIC.exe
Token: SeProfSingleProcessPrivilege	3184	WMIC.exe
Token: SeIncBasePriorityPrivilege	3184	WMIC.exe
Token: SeCreatePagefilePrivilege	3184	WMIC.exe
Token: SeBackupPrivilege	3184	WMIC.exe
Token: SeRestorePrivilege	3184	WMIC.exe
Token: SeShutdownPrivilege	3184	WMIC.exe
Token: SeDebugPrivilege	3184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3184	WMIC.exe
Token: SeRemoteShutdownPrivilege	3184	WMIC.exe
Token: SeUndockPrivilege	3184	WMIC.exe
Token: SeManageVolumePrivilege	3184	WMIC.exe
Token: 33	3184	WMIC.exe
Token: 34	3184	WMIC.exe
Token: 35	3184	WMIC.exe
Token: 36	3184	WMIC.exe
Token: SeShutdownPrivilege	3156
Token: SeCreatePagefilePrivilege	3156
Token: SeShutdownPrivilege	3156
Token: SeCreatePagefilePrivilege	3156
Token: SeBackupPrivilege	456	wbengine.exe
Token: SeRestorePrivilege	456	wbengine.exe
Token: SeSecurityPrivilege	456	wbengine.exe
Token: SeShutdownPrivilege	3156
Token: SeCreatePagefilePrivilege	3156
Token: SeDebugPrivilege	400	46EC.exe
Token: SeShutdownPrivilege	4004	powershell.exe
Token: SeCreatePagefilePrivilege	4004	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe497D.exe4BE0.execmd.execmd.exe

description	pid	process	target process
PID 2292 wrote to memory of 1780	2292	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
PID 2292 wrote to memory of 1780	2292	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
PID 2292 wrote to memory of 1780	2292	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
PID 2292 wrote to memory of 1780	2292	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
PID 2292 wrote to memory of 1780	2292	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
PID 2292 wrote to memory of 1780	2292	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe	e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
PID 3156 wrote to memory of 400	3156		46EC.exe
PID 3156 wrote to memory of 400	3156		46EC.exe
PID 3156 wrote to memory of 4916	3156		497D.exe
PID 3156 wrote to memory of 4916	3156		497D.exe
PID 3156 wrote to memory of 4916	3156		497D.exe
PID 3156 wrote to memory of 4428	3156		4BE0.exe
PID 3156 wrote to memory of 4428	3156		4BE0.exe
PID 3156 wrote to memory of 4428	3156		4BE0.exe
PID 3156 wrote to memory of 3184	3156		explorer.exe
PID 3156 wrote to memory of 3184	3156		explorer.exe
PID 3156 wrote to memory of 3184	3156		explorer.exe
PID 3156 wrote to memory of 3184	3156		explorer.exe
PID 3156 wrote to memory of 3284	3156		explorer.exe
PID 3156 wrote to memory of 3284	3156		explorer.exe
PID 3156 wrote to memory of 3284	3156		explorer.exe
PID 3156 wrote to memory of 4444	3156		explorer.exe
PID 3156 wrote to memory of 4444	3156		explorer.exe
PID 3156 wrote to memory of 4444	3156		explorer.exe
PID 3156 wrote to memory of 4444	3156		explorer.exe
PID 4916 wrote to memory of 4004	4916	497D.exe	powershell.exe
PID 4916 wrote to memory of 4004	4916	497D.exe	powershell.exe
PID 4916 wrote to memory of 4004	4916	497D.exe	powershell.exe
PID 3156 wrote to memory of 3476	3156		explorer.exe
PID 3156 wrote to memory of 3476	3156		explorer.exe
PID 3156 wrote to memory of 3476	3156		explorer.exe
PID 3156 wrote to memory of 3476	3156		explorer.exe
PID 3156 wrote to memory of 4412	3156		explorer.exe
PID 3156 wrote to memory of 4412	3156		explorer.exe
PID 3156 wrote to memory of 4412	3156		explorer.exe
PID 3156 wrote to memory of 4412	3156		explorer.exe
PID 3156 wrote to memory of 4228	3156		explorer.exe
PID 3156 wrote to memory of 4228	3156		explorer.exe
PID 3156 wrote to memory of 4228	3156		explorer.exe
PID 4428 wrote to memory of 4220	4428	4BE0.exe	cmd.exe
PID 4428 wrote to memory of 4220	4428	4BE0.exe	cmd.exe
PID 4428 wrote to memory of 4028	4428	4BE0.exe	cmd.exe
PID 4428 wrote to memory of 4028	4428	4BE0.exe	cmd.exe
PID 3156 wrote to memory of 4768	3156		explorer.exe
PID 3156 wrote to memory of 4768	3156		explorer.exe
PID 3156 wrote to memory of 4768	3156		explorer.exe
PID 3156 wrote to memory of 4768	3156		explorer.exe
PID 3156 wrote to memory of 2256	3156		explorer.exe
PID 3156 wrote to memory of 2256	3156		explorer.exe
PID 3156 wrote to memory of 2256	3156		explorer.exe
PID 3156 wrote to memory of 1292	3156		explorer.exe
PID 3156 wrote to memory of 1292	3156		explorer.exe
PID 3156 wrote to memory of 1292	3156		explorer.exe
PID 3156 wrote to memory of 1292	3156		explorer.exe
PID 4028 wrote to memory of 5088	4028	cmd.exe	wbadmin.exe
PID 4028 wrote to memory of 5088	4028	cmd.exe	wbadmin.exe
PID 3156 wrote to memory of 4856	3156		explorer.exe
PID 3156 wrote to memory of 4856	3156		explorer.exe
PID 3156 wrote to memory of 4856	3156		explorer.exe
PID 4220 wrote to memory of 3808	4220	cmd.exe	vssadmin.exe
PID 4220 wrote to memory of 3808	4220	cmd.exe	vssadmin.exe
PID 3156 wrote to memory of 4920	3156		explorer.exe
PID 3156 wrote to memory of 4920	3156		explorer.exe
PID 3156 wrote to memory of 4920	3156		explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
"C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
  "C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1780

C:\Users\Admin\AppData\Local\Temp\46EC.exe
C:\Users\Admin\AppData\Local\Temp\46EC.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Users\Admin\AppData\Local\Temp\497D.exe
C:\Users\Admin\AppData\Local\Temp\497D.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
    3⤵
    PID:3788

C:\Users\Admin\AppData\Local\Temp\4BE0.exe
C:\Users\Admin\AppData\Local\Temp\4BE0.exe
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Users\Admin\AppData\Local\Temp\4BE0.exe
  "C:\Users\Admin\AppData\Local\Temp\4BE0.exe"
  2⤵
  - Executes dropped EXE
  PID:4388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 252
    3⤵
    - Program crash
    PID:2744
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:5088
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:4320
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3808
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:3184
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:980
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3968
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:5088

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3184

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4388 -ip 4388
1⤵
PID:2976

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4444

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3476

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4412

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4228

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4768

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2256

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1292

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4856

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4920

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4256

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5048

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1352

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:512

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[A9F33F38-3483].[[email protected]].8base

Filesize
2.7MB

MD5
81c50c607aee227fb6c2340b8660833d

SHA1
4da8afd7b340840e5ea409672b75e0c53828e30e

SHA256
1d9d588ac814c60e4ad5fe9cb89e3fa135a1dd1e5d55b87cea51f48623e4cbb0

SHA512
4d8558e5c3cf00f70e814633171b1338f20fca9bca36e32434c2cb2c01827229ba73faa1597998ee4b38b79d5c8205c3e4d13c7dac08206c0c56c943747e68b5

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\4BE0.exe

Filesize
281KB

MD5
2809e15a3a54484e042fe65fffd17409

SHA1
4a8f0331abaf8f629b3c8220f0d55339cfa30223

SHA256
518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c

SHA512
698e16fd67861377e2ccaace4d0e1a619a8b7c68e8aefc4090e9d1cbbcdfb8d8aede76f9e63f81479f5a035e8008699a4d7175da6248e6e49eb7c81b3dba30c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\46EC.exe

Filesize
2.6MB

MD5
e7ac55d61ab9cfcf180c92c1381a2fa1

SHA1
f79fe555c492a9effe26ead87ec7eb3c53899083

SHA256
afddec37cdc1d196a1136e2252e925c0dcfe587963069d78775e0f174ae9cfe3

SHA512
e3fa85d3af3625384ecea090a7c205325825a1b91ad43e1f86f56a719ad733d71b4be9c34edd03d8ff774e28b3feb605dc073f66f4a01359f8e4bad5b8bcfae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\46EC.exe

Filesize
2.6MB

MD5
e7ac55d61ab9cfcf180c92c1381a2fa1

SHA1
f79fe555c492a9effe26ead87ec7eb3c53899083

SHA256
afddec37cdc1d196a1136e2252e925c0dcfe587963069d78775e0f174ae9cfe3

SHA512
e3fa85d3af3625384ecea090a7c205325825a1b91ad43e1f86f56a719ad733d71b4be9c34edd03d8ff774e28b3feb605dc073f66f4a01359f8e4bad5b8bcfae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\497D.exe

Filesize
228KB

MD5
d1f12c03b8ce33b36d8423b057c7d6c5

SHA1
d6d0631a1f95e3972a803ed1c57b120815b2b5cf

SHA256
c6bd5b8e14551eb899bbe4decb6942581d28b2a42b159146bbc28316e6e14a64

SHA512
43b51f630d631d4f5cac97242595b25d07306280e183c22821f351af1fc2fc118b836df8bd8e06984f5e0cb21b25954dbd335666bd2cd2c5b98b22948bedbf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\497D.exe

Filesize
228KB

MD5
d1f12c03b8ce33b36d8423b057c7d6c5

SHA1
d6d0631a1f95e3972a803ed1c57b120815b2b5cf

SHA256
c6bd5b8e14551eb899bbe4decb6942581d28b2a42b159146bbc28316e6e14a64

SHA512
43b51f630d631d4f5cac97242595b25d07306280e183c22821f351af1fc2fc118b836df8bd8e06984f5e0cb21b25954dbd335666bd2cd2c5b98b22948bedbf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\4BE0.exe

Filesize
281KB

MD5
2809e15a3a54484e042fe65fffd17409

SHA1
4a8f0331abaf8f629b3c8220f0d55339cfa30223

SHA256
518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c

SHA512
698e16fd67861377e2ccaace4d0e1a619a8b7c68e8aefc4090e9d1cbbcdfb8d8aede76f9e63f81479f5a035e8008699a4d7175da6248e6e49eb7c81b3dba30c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4BE0.exe

Filesize
281KB

MD5
2809e15a3a54484e042fe65fffd17409

SHA1
4a8f0331abaf8f629b3c8220f0d55339cfa30223

SHA256
518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c

SHA512
698e16fd67861377e2ccaace4d0e1a619a8b7c68e8aefc4090e9d1cbbcdfb8d8aede76f9e63f81479f5a035e8008699a4d7175da6248e6e49eb7c81b3dba30c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4BE0.exe

Filesize
281KB

MD5
2809e15a3a54484e042fe65fffd17409

SHA1
4a8f0331abaf8f629b3c8220f0d55339cfa30223

SHA256
518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c

SHA512
698e16fd67861377e2ccaace4d0e1a619a8b7c68e8aefc4090e9d1cbbcdfb8d8aede76f9e63f81479f5a035e8008699a4d7175da6248e6e49eb7c81b3dba30c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ijqunb2k.hpf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/400-246-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-240-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-248-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-244-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-164-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-165-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-167-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-170-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-242-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-172-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-174-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-237-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-152-0x0000022B0D700000-0x0000022B0D9A0000-memory.dmp

Filesize
2.6MB

Download
memory/400-235-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-231-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-185-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-228-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-188-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-179-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-190-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-226-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-224-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-192-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-222-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-200-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-208-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/400-195-0x0000022B27FC0000-0x0000022B28108000-memory.dmp

Filesize
1.3MB

Download
memory/1292-593-0x0000000000D80000-0x0000000000D89000-memory.dmp

Filesize
36KB

Download
memory/1292-589-0x0000000000D90000-0x0000000000D94000-memory.dmp

Filesize
16KB

Download
memory/1292-1940-0x0000000000D90000-0x0000000000D94000-memory.dmp

Filesize
16KB

Download
memory/1352-954-0x0000000001250000-0x000000000125B000-memory.dmp

Filesize
44KB

Download
memory/1352-946-0x0000000001260000-0x0000000001268000-memory.dmp

Filesize
32KB

Download
memory/1584-781-0x0000000000BC0000-0x0000000000BC9000-memory.dmp

Filesize
36KB

Download
memory/1584-748-0x0000000000BD0000-0x0000000000BD5000-memory.dmp

Filesize
20KB

Download
memory/1780-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1780-138-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1780-136-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2256-1938-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/2256-574-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/2256-583-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2292-133-0x0000000000AC0000-0x0000000000AD5000-memory.dmp

Filesize
84KB

Download
memory/2292-134-0x0000000000AE0000-0x0000000000AE9000-memory.dmp

Filesize
36KB

Download
memory/3156-1791-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/3156-1876-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/3156-137-0x0000000002670000-0x0000000002686000-memory.dmp

Filesize
88KB

Download
memory/3156-1769-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/3156-1804-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/3184-251-0x0000000000E60000-0x0000000000ECB000-memory.dmp

Filesize
428KB

Download
memory/3184-177-0x0000000000E60000-0x0000000000ECB000-memory.dmp

Filesize
428KB

Download
memory/3184-180-0x0000000000ED0000-0x0000000000F45000-memory.dmp

Filesize
468KB

Download
memory/3184-181-0x0000000000E60000-0x0000000000ECB000-memory.dmp

Filesize
428KB

Download
memory/3284-187-0x0000000000DE0000-0x0000000000DEC000-memory.dmp

Filesize
48KB

Download
memory/3284-194-0x0000000000DE0000-0x0000000000DEC000-memory.dmp

Filesize
48KB

Download
memory/3476-233-0x0000000000480000-0x000000000048B000-memory.dmp

Filesize
44KB

Download
memory/3476-239-0x0000000000480000-0x000000000048B000-memory.dmp

Filesize
44KB

Download
memory/4004-254-0x0000000004EC0000-0x00000000054E8000-memory.dmp

Filesize
6.2MB

Download
memory/4004-263-0x0000000004840000-0x0000000004850000-memory.dmp

Filesize
64KB

Download
memory/4004-1504-0x0000000004840000-0x0000000004850000-memory.dmp

Filesize
64KB

Download
memory/4004-1767-0x0000000007800000-0x0000000007E7A000-memory.dmp

Filesize
6.5MB

Download
memory/4004-1488-0x0000000004840000-0x0000000004850000-memory.dmp

Filesize
64KB

Download
memory/4004-262-0x0000000004840000-0x0000000004850000-memory.dmp

Filesize
64KB

Download
memory/4004-1293-0x00000000070B0000-0x0000000007126000-memory.dmp

Filesize
472KB

Download
memory/4004-1223-0x0000000004840000-0x0000000004850000-memory.dmp

Filesize
64KB

Download
memory/4004-1793-0x0000000007130000-0x000000000714A000-memory.dmp

Filesize
104KB

Download
memory/4004-290-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/4004-282-0x0000000005660000-0x0000000005682000-memory.dmp

Filesize
136KB

Download
memory/4004-287-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/4004-987-0x0000000006370000-0x00000000063B4000-memory.dmp

Filesize
272KB

Download
memory/4004-249-0x0000000004850000-0x0000000004886000-memory.dmp

Filesize
216KB

Download
memory/4004-682-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

Filesize
120KB

Download
memory/4228-310-0x00000000004B0000-0x00000000004B9000-memory.dmp

Filesize
36KB

Download
memory/4228-1765-0x00000000004B0000-0x00000000004B9000-memory.dmp

Filesize
36KB

Download
memory/4228-323-0x00000000004A0000-0x00000000004AF000-memory.dmp

Filesize
60KB

Download
memory/4256-783-0x0000000000E70000-0x0000000000E76000-memory.dmp

Filesize
24KB

Download
memory/4256-785-0x0000000000E60000-0x0000000000E6B000-memory.dmp

Filesize
44KB

Download
memory/4412-1470-0x0000000000E70000-0x0000000000E77000-memory.dmp

Filesize
28KB

Download
memory/4412-257-0x0000000000E70000-0x0000000000E77000-memory.dmp

Filesize
28KB

Download
memory/4412-260-0x0000000000E60000-0x0000000000E6B000-memory.dmp

Filesize
44KB

Download
memory/4428-178-0x0000000002550000-0x000000000255F000-memory.dmp

Filesize
60KB

Download
memory/4444-203-0x0000000000F40000-0x0000000000F49000-memory.dmp

Filesize
36KB

Download
memory/4444-1180-0x0000000000F50000-0x0000000000F54000-memory.dmp

Filesize
16KB

Download
memory/4444-232-0x0000000000F40000-0x0000000000F49000-memory.dmp

Filesize
36KB

Download
memory/4444-230-0x0000000000F50000-0x0000000000F54000-memory.dmp

Filesize
16KB

Download
memory/4768-522-0x0000000000110000-0x0000000000119000-memory.dmp

Filesize
36KB

Download
memory/4768-517-0x0000000000120000-0x0000000000125000-memory.dmp

Filesize
20KB

Download
memory/4768-1874-0x0000000000120000-0x0000000000125000-memory.dmp

Filesize
20KB

Download
memory/4856-648-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/4856-652-0x00000000001A0000-0x00000000001A9000-memory.dmp

Filesize
36KB

Download
memory/4916-168-0x00000000057B0000-0x0000000005D54000-memory.dmp

Filesize
5.6MB

Download
memory/4916-207-0x0000000005250000-0x000000000525A000-memory.dmp

Filesize
40KB

Download
memory/4916-896-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/4916-201-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/4916-175-0x00000000052A0000-0x0000000005332000-memory.dmp

Filesize
584KB

Download
memory/4916-163-0x0000000000840000-0x000000000087E000-memory.dmp

Filesize
248KB

Download
memory/4920-712-0x0000000000430000-0x0000000000451000-memory.dmp

Filesize
132KB

Download
memory/4920-734-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5048-922-0x0000000000740000-0x0000000000747000-memory.dmp

Filesize
28KB

Download
memory/5048-935-0x0000000000730000-0x000000000073D000-memory.dmp

Filesize
52KB

Download