lumma | 2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5

Analysis

max time kernel
138s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2023 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5.exe
Size

164KB
MD5

a85fc38903152fcf020fb5ac1d90aa10
SHA1

caab463070bc5b97431e19344541f01fb06a0883
SHA256

2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5
SHA512

6f591a5f75fad096dff024b745a5ca0219a149a93f38e47ebeaebfaa70a2694f524611fbfbeb559ade7818a6fcf16151b5521c720dec3472e2127c3c6fba87a2
SSDEEP

3072:yCLITMy2+o6bVAR9PMfBMbsIFD9T3WUNztymtohPwM5AJY:HLIgy7refNPFRWUptJR9O

Score

10^/10

lumma phobos rhadamanthys smokeloader systembc 0nf summ backdoor collection discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

summ

Extracted

Family

smokeloader

Version

2022

http://stalagmijesarl.com/

http://ukdantist-sarl.com/

http://cpcorprotationltd.com/

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Extracted

Family

smokeloader

Botnet

0nF

Extracted

Family

lumma

gstatic-node.io

Extracted

Family

systembc

adstat477d.xyz:4044

demstat577d.xyz:4044

Signatures

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1204-252-0x0000000002440000-0x0000000002840000-memory.dmp	family_rhadamanthys
behavioral1/memory/1204-253-0x0000000002440000-0x0000000002840000-memory.dmp	family_rhadamanthys
behavioral1/memory/1204-254-0x0000000002440000-0x0000000002840000-memory.dmp	family_rhadamanthys
behavioral1/memory/1204-256-0x0000000002440000-0x0000000002840000-memory.dmp	family_rhadamanthys
behavioral1/memory/1204-302-0x0000000002440000-0x0000000002840000-memory.dmp	family_rhadamanthys
behavioral1/memory/1204-308-0x0000000002440000-0x0000000002840000-memory.dmp	family_rhadamanthys

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

EBD7.exe

description pid process target process

PID 1204 created 3168 1204 EBD7.exe Explorer.EXE
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2780 bcdedit.exe
3912 bcdedit.exe
Renames multiple (321) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3304 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

3984 netsh.exe
1452 netsh.exe
Drops startup file 1 IoCs

Processes:

mVw7.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\mVw7.exe mVw7.exe
Executes dropped EXE 9 IoCs

Processes:

EBD7.exeF628.exemVw7.exeW7m7ft.exeyKz21.exemVw7.exeyKz21.exe7864.exe7AE6.exe

pid process

1204 EBD7.exe
1364 F628.exe
888 mVw7.exe
1028 W7m7ft.exe
2748 yKz21.exe
3060 mVw7.exe
2184 yKz21.exe
5564 7864.exe
5568 7AE6.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 1204 created 3168	1204	EBD7.exe	Explorer.EXE

pid	process
2780	bcdedit.exe
3912	bcdedit.exe

pid	process
3304	wbadmin.exe

pid	process
3984	netsh.exe
1452	netsh.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\mVw7.exe	mVw7.exe

pid	process
1204	EBD7.exe
1364	F628.exe
888	mVw7.exe
1028	W7m7ft.exe
2748	yKz21.exe
3060	mVw7.exe
2184	yKz21.exe
5564	7864.exe
5568	7AE6.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mVw7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mVw7 = "C:\\Users\\Admin\\AppData\\Local\\mVw7.exe"	mVw7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mVw7 = "C:\\Users\\Admin\\AppData\\Local\\mVw7.exe"	mVw7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

Processes:

mVw7.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\desktop.ini	mVw7.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1722984668-1829624581-3022101259-1000\desktop.ini	mVw7.exe
File opened for modification	C:\Program Files\desktop.ini	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	mVw7.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{15E4DF08-97B7-45CB-9F5E-A87A13CD10AF}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

yKz21.exe

description pid process target process

PID 2748 set thread context of 2184 2748 yKz21.exe yKz21.exe

description	pid	process	target process
PID 2748 set thread context of 2184	2748	yKz21.exe	yKz21.exe

Drops file in Program Files directory 64 IoCs

Processes:

mVw7.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\verify.dll.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml	mVw7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected][94C36C57-3483].[[email protected]].8base	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.Edm.dll	mVw7.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-private-l1-1-0.dll.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-ms.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms	mVw7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL	mVw7.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms	mVw7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-80.png.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL104.XML	mVw7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV	mVw7.exe
File created	C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.boot.tree.dat.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\INDUST.ELM.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ppd.xrm-ms	mVw7.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\security\java.policy.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.AnalysisServices.Common.dll.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ppd.xrm-ms	mVw7.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWAD.TTF.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAME.DLL	mVw7.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSUPLD.DLL.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	mVw7.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\gstreamer-lite.dll.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\j2pcsc.dll	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ppd.xrm-ms	mVw7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ppd.xrm-ms.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL	mVw7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-phn.xrm-ms	mVw7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	mVw7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy.jar.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzmappings	mVw7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.common.dll.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmdlocal.dll.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sa.jar.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms	mVw7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.id[94C36C57-3483].[[email protected]].8base	mVw7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms.id[94C36C57-3483].[[email protected]].8base	mVw7.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3476 1204 WerFault.exe EBD7.exe
3912 1364 WerFault.exe F628.exe
3720 3060 WerFault.exe mVw7.exe

pid	pid_target	process	target process
3476	1204	WerFault.exe	EBD7.exe
3912	1364	WerFault.exe	F628.exe
3720	3060	WerFault.exe	mVw7.exe

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5.exeyKz21.exevds.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	yKz21.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	yKz21.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	yKz21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1564 vssadmin.exe

pid	process
1564	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5.exeExplorer.EXE

pid	process
484	2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5.exe
484	2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5.exe
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3168 Explorer.EXE

pid	process
3168	Explorer.EXE

Suspicious behavior: MapViewOfSection 20 IoCs

Processes:

2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5.exeExplorer.EXEyKz21.exe

pid	process
484	2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5.exe
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
2184	yKz21.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

Explorer.EXEmVw7.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeDebugPrivilege	888	mVw7.exe
Token: SeBackupPrivilege	1356	vssvc.exe
Token: SeRestorePrivilege	1356	vssvc.exe
Token: SeAuditPrivilege	1356	vssvc.exe
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	4768	WMIC.exe
Token: SeSecurityPrivilege	4768	WMIC.exe
Token: SeTakeOwnershipPrivilege	4768	WMIC.exe
Token: SeLoadDriverPrivilege	4768	WMIC.exe
Token: SeSystemProfilePrivilege	4768	WMIC.exe
Token: SeSystemtimePrivilege	4768	WMIC.exe
Token: SeProfSingleProcessPrivilege	4768	WMIC.exe
Token: SeIncBasePriorityPrivilege	4768	WMIC.exe
Token: SeCreatePagefilePrivilege	4768	WMIC.exe
Token: SeBackupPrivilege	4768	WMIC.exe
Token: SeRestorePrivilege	4768	WMIC.exe
Token: SeShutdownPrivilege	4768	WMIC.exe
Token: SeDebugPrivilege	4768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4768	WMIC.exe
Token: SeRemoteShutdownPrivilege	4768	WMIC.exe
Token: SeUndockPrivilege	4768	WMIC.exe
Token: SeManageVolumePrivilege	4768	WMIC.exe
Token: 33	4768	WMIC.exe
Token: 34	4768	WMIC.exe
Token: 35	4768	WMIC.exe
Token: 36	4768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4768	WMIC.exe
Token: SeSecurityPrivilege	4768	WMIC.exe
Token: SeTakeOwnershipPrivilege	4768	WMIC.exe
Token: SeLoadDriverPrivilege	4768	WMIC.exe
Token: SeSystemProfilePrivilege	4768	WMIC.exe
Token: SeSystemtimePrivilege	4768	WMIC.exe
Token: SeProfSingleProcessPrivilege	4768	WMIC.exe
Token: SeIncBasePriorityPrivilege	4768	WMIC.exe
Token: SeCreatePagefilePrivilege	4768	WMIC.exe
Token: SeBackupPrivilege	4768	WMIC.exe
Token: SeRestorePrivilege	4768	WMIC.exe
Token: SeShutdownPrivilege	4768	WMIC.exe
Token: SeDebugPrivilege	4768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4768	WMIC.exe
Token: SeRemoteShutdownPrivilege	4768	WMIC.exe
Token: SeUndockPrivilege	4768	WMIC.exe
Token: SeManageVolumePrivilege	4768	WMIC.exe
Token: 33	4768	WMIC.exe
Token: 34	4768	WMIC.exe
Token: 35	4768	WMIC.exe
Token: 36	4768	WMIC.exe
Token: SeBackupPrivilege	4260	wbengine.exe
Token: SeRestorePrivilege	4260	wbengine.exe
Token: SeSecurityPrivilege	4260	wbengine.exe
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Explorer.EXEEBD7.exeyKz21.exemVw7.execmd.execmd.exe

description	pid	process	target process
PID 3168 wrote to memory of 1204	3168	Explorer.EXE	EBD7.exe
PID 3168 wrote to memory of 1204	3168	Explorer.EXE	EBD7.exe
PID 3168 wrote to memory of 1204	3168	Explorer.EXE	EBD7.exe
PID 3168 wrote to memory of 1364	3168	Explorer.EXE	F628.exe
PID 3168 wrote to memory of 1364	3168	Explorer.EXE	F628.exe
PID 3168 wrote to memory of 1364	3168	Explorer.EXE	F628.exe
PID 3168 wrote to memory of 812	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 812	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 812	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 812	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 4908	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 4908	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 4908	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 4544	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 4544	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 4544	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 4544	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 4040	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 4040	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 4040	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 3440	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 3440	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 3440	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 3440	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 2180	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 2180	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 2180	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 2180	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 4500	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 4500	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 4500	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 4500	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 4632	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 4632	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 4632	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 1548	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 1548	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 1548	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 1548	3168	Explorer.EXE	explorer.exe
PID 1204 wrote to memory of 2272	1204	EBD7.exe	certreq.exe
PID 1204 wrote to memory of 2272	1204	EBD7.exe	certreq.exe
PID 1204 wrote to memory of 2272	1204	EBD7.exe	certreq.exe
PID 1204 wrote to memory of 2272	1204	EBD7.exe	certreq.exe
PID 2748 wrote to memory of 2184	2748	yKz21.exe	yKz21.exe
PID 2748 wrote to memory of 2184	2748	yKz21.exe	yKz21.exe
PID 2748 wrote to memory of 2184	2748	yKz21.exe	yKz21.exe
PID 2748 wrote to memory of 2184	2748	yKz21.exe	yKz21.exe
PID 2748 wrote to memory of 2184	2748	yKz21.exe	yKz21.exe
PID 2748 wrote to memory of 2184	2748	yKz21.exe	yKz21.exe
PID 888 wrote to memory of 1476	888	mVw7.exe	cmd.exe
PID 888 wrote to memory of 1476	888	mVw7.exe	cmd.exe
PID 888 wrote to memory of 1364	888	mVw7.exe	cmd.exe
PID 888 wrote to memory of 1364	888	mVw7.exe	cmd.exe
PID 1364 wrote to memory of 3984	1364	cmd.exe	netsh.exe
PID 1364 wrote to memory of 3984	1364	cmd.exe	netsh.exe
PID 1476 wrote to memory of 1564	1476	cmd.exe	vssadmin.exe
PID 1476 wrote to memory of 1564	1476	cmd.exe	vssadmin.exe
PID 1364 wrote to memory of 1452	1364	cmd.exe	netsh.exe
PID 1364 wrote to memory of 1452	1364	cmd.exe	netsh.exe
PID 1476 wrote to memory of 4768	1476	cmd.exe	WMIC.exe
PID 1476 wrote to memory of 4768	1476	cmd.exe	WMIC.exe
PID 1476 wrote to memory of 2780	1476	cmd.exe	bcdedit.exe
PID 1476 wrote to memory of 2780	1476	cmd.exe	bcdedit.exe
PID 1476 wrote to memory of 3912	1476	cmd.exe	bcdedit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168

C:\Users\Admin\AppData\Local\Temp\2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5.exe
"C:\Users\Admin\AppData\Local\Temp\2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:484

C:\Users\Admin\AppData\Local\Temp\EBD7.exe
C:\Users\Admin\AppData\Local\Temp\EBD7.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 856
3⤵
- Program crash
PID:3476

C:\Users\Admin\AppData\Local\Temp\F628.exe
C:\Users\Admin\AppData\Local\Temp\F628.exe
2⤵
- Executes dropped EXE
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 3488
3⤵
- Program crash
PID:3912

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:812

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4908

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4544

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4040

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3440

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2180

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4500

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4632

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1548

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
PID:2272

C:\Users\Admin\AppData\Local\Temp\7864.exe
C:\Users\Admin\AppData\Local\Temp\7864.exe
2⤵
- Executes dropped EXE
PID:5564

C:\Users\Admin\AppData\Local\Temp\7AE6.exe
C:\Users\Admin\AppData\Local\Temp\7AE6.exe
2⤵
- Executes dropped EXE
PID:5568

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:5956

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:5948

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3092

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1872

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:5672

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:5140

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:5552

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:5556

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2464

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:6016

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4328

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1204 -ip 1204
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1364 -ip 1364
1⤵
PID:2396

C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe
"C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888

C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe
"C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe"
2⤵
- Executes dropped EXE
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 468
3⤵
- Program crash
PID:3720

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:3984

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:1452

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1564

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2780

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:3912

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:3304

C:\Users\Admin\AppData\Local\Microsoft\W7m7ft.exe
"C:\Users\Admin\AppData\Local\Microsoft\W7m7ft.exe"
1⤵
- Executes dropped EXE
PID:1028

C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe
"C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe
"C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2824

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3060 -ip 3060
1⤵
PID:296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[94C36C57-3483].[[email protected]].8base
Filesize
3.2MB

MD5
dc8578bd2c89c3a86191e2c33d9df294

SHA1
9f367bdf2832636603bbafaf0070d79e1524ea49

SHA256
eaaec65280d881ffbe92c56a2e81f4a04ca3b03cf03cf73a189d242074ee65e3

SHA512
9bc61fa9ed0617d0490cf15bbf5633ec8f5c5793a556c027069d93abe433400029009f07c90591a50dbf0a47da515a84aba4ecd028afb0cf9da71d104c229e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\W7m7ft.exe
Filesize
164KB

MD5
6ac14216327dcfb60b33ebd914f62769

SHA1
d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b

SHA256
25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9

SHA512
6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\W7m7ft.exe
Filesize
164KB

MD5
6ac14216327dcfb60b33ebd914f62769

SHA1
d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b

SHA256
25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9

SHA512
6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe
Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe
Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe
Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7864.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Temp\7864.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Temp\7864.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Temp\7AE6.exe
Filesize
164KB

MD5
6ac14216327dcfb60b33ebd914f62769

SHA1
d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b

SHA256
25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9

SHA512
6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7AE6.exe
Filesize
164KB

MD5
6ac14216327dcfb60b33ebd914f62769

SHA1
d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b

SHA256
25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9

SHA512
6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBD7.exe
Filesize
374KB

MD5
aaf3d68aeea347268ede50e621ca21ce

SHA1
0e7c0e38a200a9ea3af663dfd33941cc5e1657c9

SHA256
09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416

SHA512
61416225031cbb74114ee61e3f7ce697e73423c75a0f2e96f51557b3d289ad868034e2e07ead926cd12a95b524ed37cf1626dc75dc99c47fac9cb8f843002bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBD7.exe
Filesize
374KB

MD5
aaf3d68aeea347268ede50e621ca21ce

SHA1
0e7c0e38a200a9ea3af663dfd33941cc5e1657c9

SHA256
09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416

SHA512
61416225031cbb74114ee61e3f7ce697e73423c75a0f2e96f51557b3d289ad868034e2e07ead926cd12a95b524ed37cf1626dc75dc99c47fac9cb8f843002bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F628.exe
Filesize
290KB

MD5
6d35d4cb11e99f8645441b0f1f96da3d

SHA1
3b6e12da0c1c37d38db867ab6330ace34461c56a

SHA256
9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204

SHA512
01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\F628.exe
Filesize
290KB

MD5
6d35d4cb11e99f8645441b0f1f96da3d

SHA1
3b6e12da0c1c37d38db867ab6330ace34461c56a

SHA256
9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204

SHA512
01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsuA577.tmp
Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\cookies.sqlite.id[94C36C57-3483].[[email protected]].8base
Filesize
96KB

MD5
f241b91d1b80a347375b5b4c074920e6

SHA1
7ad0a47e7af308d5d3eed2895be0da462186183a

SHA256
cd7d39f37dca3602362efe180ba42eb249f68137af30cda21f6a2ae53241fad7

SHA512
a2686be30dbd1f27c03bd0fbd3e0d91fbb2268c3f87ac881dc68083609a0f95858508c66825b510c82d10a7bcf271f0ddf0698a1195650da9c94f1c98890ffb4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
Filesize
29KB

MD5
8a5ff1beb7de1cfa32cdac90082151ee

SHA1
7796e35aa79ef1565fc04d538383c06348da0214

SHA256
269f617008efe3238703b9317f32abd0be260d626cc705767d292ab35c9b27be

SHA512
74d817b31b74f66e2a53e2c1195a00425571c80a85c43cb5973926299de533e14d7b22d6e301b2bc0fe918917fc219458c927d056748f4d236ebd4a36c6032ca

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
Filesize
29KB

MD5
105275ec8ae532f4fa1df61eea0e6faf

SHA1
0770ccf6593890256d35c35a14f17cbf34187d6e

SHA256
178be379134ecde3997939805e28353f7b9edae60c20ab1055d8120e03a7346e

SHA512
88f5a0ceba2121fde79263238e40a340731bb192245d21215bcf44c7a9459f146d7dd7c12aa4bc06fc08d1ea62ce8f57a913361ad8c76a9e65d3254d61b78d36

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
Filesize
29KB

MD5
05d92126753690303abb22f8d787c6c4

SHA1
e46b8e3305889bdf62a4927a767461ef0af7766b

SHA256
626166d13955f6ac670e78b3833b50cb379cd4a35983245435e5cf0e3d334701

SHA512
44cf8f468a9b43f0b4c1b21471e2103c1da27ecd3a91181e6f395e2f7c1f541212d414427a87bc1c133b525d8451daa8576f5e35ba9fb36b7b8ed5a60f12159c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
Filesize
29KB

MD5
145163ea3adab902263d196de813a8e5

SHA1
b0f398bfd83cbed208b265b4ed8d904c963ad7d4

SHA256
e2572d6b5a433d65a8863b41d120239a597f6e61b48fae1ee4a03f566a4746e6

SHA512
e6b1c1de333998d8998dbe380b9c6127642f3f7221a343657b78314e4b02baeb055875f78a56190442254708a62639cc3a2c85b23860eeb03eaa890390cd1b41

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
Filesize
29KB

MD5
90f4e2bff65c55b1635a8ab7eb977792

SHA1
55eb159812a5ded17489f96b578c802484e329c7

SHA256
3109a2a788ff21024ff7c2762718450d5e6a8c2a6daf5ac3981992b04e8c2879

SHA512
4df8dc060ce385b303052e817c409cdf942ba5cd357c25efdc796ba1e77d6351ef75c4a4515847d1a183f898ff3ba61d224f5b60667e31ad1acce68e871d0814

Download Submit
memory/484-135-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/484-136-0x0000000000650000-0x0000000000659000-memory.dmp

Filesize
36KB

Download
memory/484-138-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/484-140-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/484-134-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/812-220-0x0000000001210000-0x000000000121B000-memory.dmp

Filesize
44KB

Download
memory/812-232-0x0000000001220000-0x0000000001227000-memory.dmp

Filesize
28KB

Download
memory/812-218-0x0000000001220000-0x0000000001227000-memory.dmp

Filesize
28KB

Download
memory/812-219-0x0000000001210000-0x000000000121B000-memory.dmp

Filesize
44KB

Download
memory/888-470-0x0000000000570000-0x000000000057F000-memory.dmp

Filesize
60KB

Download
memory/888-2755-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/888-469-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/888-6193-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/888-471-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/888-4696-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/888-496-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1028-472-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/1028-473-0x0000000000530000-0x0000000000535000-memory.dmp

Filesize
20KB

Download
memory/1028-474-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1028-501-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/1204-308-0x0000000002440000-0x0000000002840000-memory.dmp

Filesize
4.0MB

Download
memory/1204-244-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/1204-252-0x0000000002440000-0x0000000002840000-memory.dmp

Filesize
4.0MB

Download
memory/1204-253-0x0000000002440000-0x0000000002840000-memory.dmp

Filesize
4.0MB

Download
memory/1204-254-0x0000000002440000-0x0000000002840000-memory.dmp

Filesize
4.0MB

Download
memory/1204-245-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1204-256-0x0000000002440000-0x0000000002840000-memory.dmp

Filesize
4.0MB

Download
memory/1204-288-0x0000000003240000-0x0000000003276000-memory.dmp

Filesize
216KB

Download
memory/1204-243-0x0000000002090000-0x0000000002101000-memory.dmp

Filesize
452KB

Download
memory/1204-307-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1204-302-0x0000000002440000-0x0000000002840000-memory.dmp

Filesize
4.0MB

Download
memory/1204-270-0x0000000002090000-0x0000000002101000-memory.dmp

Filesize
452KB

Download
memory/1204-301-0x0000000003240000-0x0000000003276000-memory.dmp

Filesize
216KB

Download
memory/1204-251-0x00000000005D0000-0x00000000005D7000-memory.dmp

Filesize
28KB

Download
memory/1204-285-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/1204-286-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1364-264-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1364-316-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1364-368-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1364-263-0x0000000002190000-0x00000000021E5000-memory.dmp

Filesize
340KB

Download
memory/1364-265-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1364-312-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1548-287-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1548-249-0x0000000000F70000-0x0000000000F7B000-memory.dmp

Filesize
44KB

Download
memory/1548-248-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1548-247-0x0000000000F70000-0x0000000000F7B000-memory.dmp

Filesize
44KB

Download
memory/1872-6281-0x0000000000960000-0x000000000096B000-memory.dmp

Filesize
44KB

Download
memory/2180-234-0x0000000000C50000-0x0000000000C55000-memory.dmp

Filesize
20KB

Download
memory/2180-235-0x0000000000C40000-0x0000000000C49000-memory.dmp

Filesize
36KB

Download
memory/2180-233-0x0000000000C40000-0x0000000000C49000-memory.dmp

Filesize
36KB

Download
memory/2180-255-0x0000000000C50000-0x0000000000C55000-memory.dmp

Filesize
20KB

Download
memory/2184-482-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2184-936-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2184-480-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2272-417-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

Filesize
1.2MB

Download
memory/2272-427-0x00007FFD75C30000-0x00007FFD75E25000-memory.dmp

Filesize
2.0MB

Download
memory/2272-381-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

Filesize
1.2MB

Download
memory/2272-382-0x00007FFD75C30000-0x00007FFD75E25000-memory.dmp

Filesize
2.0MB

Download
memory/2272-386-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

Filesize
1.2MB

Download
memory/2272-393-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

Filesize
1.2MB

Download
memory/2272-397-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

Filesize
1.2MB

Download
memory/2272-401-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

Filesize
1.2MB

Download
memory/2272-363-0x000001B10DED0000-0x000001B10DED3000-memory.dmp

Filesize
12KB

Download
memory/2272-380-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

Filesize
1.2MB

Download
memory/2272-379-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

Filesize
1.2MB

Download
memory/2272-371-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

Filesize
1.2MB

Download
memory/2272-370-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

Filesize
1.2MB

Download
memory/2272-369-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

Filesize
1.2MB

Download
memory/2272-364-0x000001B10E290000-0x000001B10E297000-memory.dmp

Filesize
28KB

Download
memory/2272-281-0x000001B10DED0000-0x000001B10DED3000-memory.dmp

Filesize
12KB

Download
memory/2272-468-0x00007FFD75C30000-0x00007FFD75E25000-memory.dmp

Filesize
2.0MB

Download
memory/2272-467-0x000001B10E290000-0x000001B10E295000-memory.dmp

Filesize
20KB

Download
memory/2272-374-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

Filesize
1.2MB

Download
memory/2272-372-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

Filesize
1.2MB

Download
memory/2748-479-0x0000000000540000-0x0000000000549000-memory.dmp

Filesize
36KB

Download
memory/2748-478-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/3060-2771-0x0000000000770000-0x0000000000870000-memory.dmp

Filesize
1024KB

Download
memory/3060-2772-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3092-6278-0x0000000000960000-0x0000000000969000-memory.dmp

Filesize
36KB

Download
memory/3168-891-0x00000000084C0000-0x00000000084D6000-memory.dmp

Filesize
88KB

Download
memory/3168-139-0x0000000002B20000-0x0000000002B36000-memory.dmp

Filesize
88KB

Download
memory/3440-231-0x0000000001290000-0x00000000012B7000-memory.dmp

Filesize
156KB

Download
memory/3440-229-0x0000000001290000-0x00000000012B7000-memory.dmp

Filesize
156KB

Download
memory/3440-250-0x00000000012C0000-0x00000000012E2000-memory.dmp

Filesize
136KB

Download
memory/3440-230-0x00000000012C0000-0x00000000012E2000-memory.dmp

Filesize
136KB

Download
memory/4040-228-0x0000000001030000-0x000000000103C000-memory.dmp

Filesize
48KB

Download
memory/4040-246-0x0000000001040000-0x0000000001046000-memory.dmp

Filesize
24KB

Download
memory/4040-227-0x0000000001040000-0x0000000001046000-memory.dmp

Filesize
24KB

Download
memory/4040-226-0x0000000001030000-0x000000000103C000-memory.dmp

Filesize
48KB

Download
memory/4500-269-0x0000000000C40000-0x0000000000C49000-memory.dmp

Filesize
36KB

Download
memory/4500-236-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

Filesize
44KB

Download
memory/4500-238-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

Filesize
44KB

Download
memory/4544-223-0x0000000000E30000-0x0000000000E39000-memory.dmp

Filesize
36KB

Download
memory/4544-240-0x0000000000E40000-0x0000000000E45000-memory.dmp

Filesize
20KB

Download
memory/4544-224-0x0000000000E40000-0x0000000000E45000-memory.dmp

Filesize
20KB

Download
memory/4544-225-0x0000000000E30000-0x0000000000E39000-memory.dmp

Filesize
36KB

Download
memory/4632-242-0x0000000000FE0000-0x0000000000FED000-memory.dmp

Filesize
52KB

Download
memory/4632-277-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

Filesize
44KB

Download
memory/4632-241-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

Filesize
44KB

Download
memory/4632-239-0x0000000000FE0000-0x0000000000FED000-memory.dmp

Filesize
52KB

Download
memory/4908-222-0x0000000000DE0000-0x0000000000DEF000-memory.dmp

Filesize
60KB

Download
memory/4908-221-0x0000000000DE0000-0x0000000000DEF000-memory.dmp

Filesize
60KB

Download
memory/4908-237-0x0000000001210000-0x000000000121B000-memory.dmp

Filesize
44KB

Download
memory/5948-6196-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/5948-6202-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/5956-6192-0x0000000000960000-0x00000000009CB000-memory.dmp

Filesize
428KB

Download
memory/5956-6194-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/5956-6200-0x0000000000960000-0x00000000009CB000-memory.dmp

Filesize
428KB

Download