phobos | 09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416

Analysis

max time kernel
129s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2023 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe
Size

374KB
MD5

aaf3d68aeea347268ede50e621ca21ce
SHA1

0e7c0e38a200a9ea3af663dfd33941cc5e1657c9
SHA256

09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416
SHA512

61416225031cbb74114ee61e3f7ce697e73423c75a0f2e96f51557b3d289ad868034e2e07ead926cd12a95b524ed37cf1626dc75dc99c47fac9cb8f843002bd0
SSDEEP

6144:TGLsY7ein4IiPnD2sB8qQi69nygVfjx+ZlrLM3N2qPkaG+C+Bsq:qgkf4IiPD26dT24brLcNhPtZ5

Score

10^/10

phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

systembc

adstat477d.xyz:4044

demstat577d.xyz:4044

Extracted

Family

smokeloader

Version

2022

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>cartilage</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #C6B5C4; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #B5CC8E; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #e6ecf2; border-left: 10px solid #B58CB2; } .alert { background: #FFE4E4; border-left: 10px solid #FFA07A; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC.</div> <div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>2C79BA2A-3483</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Or write us to the Tox: 78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074 Write this ID in the title of your message 2C79BA2A-3483 You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/500-139-0x00000000024D0000-0x00000000028D0000-memory.dmp	family_rhadamanthys
behavioral1/memory/500-140-0x00000000024D0000-0x00000000028D0000-memory.dmp	family_rhadamanthys
behavioral1/memory/500-141-0x00000000024D0000-0x00000000028D0000-memory.dmp	family_rhadamanthys
behavioral1/memory/500-142-0x00000000024D0000-0x00000000028D0000-memory.dmp	family_rhadamanthys
behavioral1/memory/500-154-0x00000000024D0000-0x00000000028D0000-memory.dmp	family_rhadamanthys
behavioral1/memory/500-157-0x00000000024D0000-0x00000000028D0000-memory.dmp	family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe

description pid process target process

PID 500 created 3128 500 09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe Explorer.EXE
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

388 bcdedit.exe
4356 bcdedit.exe
4316 bcdedit.exe
412 bcdedit.exe
Renames multiple (479) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

2672 wbadmin.exe
5044 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

2144 netsh.exe
932 netsh.exe

description	pid	process	target process
PID 500 created 3128	500	09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe	Explorer.EXE

pid	process
388	bcdedit.exe
4356	bcdedit.exe
4316	bcdedit.exe
412	bcdedit.exe

pid	process
2672	wbadmin.exe
5044	wbadmin.exe

pid	process
2144	netsh.exe
932	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

U85-i%aI2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	U85-i%aI2.exe

Drops startup file 3 IoCs

Processes:

U85-i%aI2.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\U85-i%aI2.exe	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	U85-i%aI2.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[2C79BA2A-3483].[[email protected]].8base	U85-i%aI2.exe

Executes dropped EXE 7 IoCs

Processes:

24CF.exeU85-i%aI2.exe425j0S.exeU85-i%aI2.exe24CF.exeC8F8.exeCA80.exe

pid process

1976 24CF.exe
2060 U85-i%aI2.exe
4172 425j0S.exe
3172 U85-i%aI2.exe
4592 24CF.exe
4724 C8F8.exe
3900 CA80.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1976	24CF.exe
2060	U85-i%aI2.exe
4172	425j0S.exe
3172	U85-i%aI2.exe
4592	24CF.exe
4724	C8F8.exe
3900	CA80.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

U85-i%aI2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\U85-i%aI2 = "C:\\Users\\Admin\\AppData\\Local\\U85-i%aI2.exe"	U85-i%aI2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\U85-i%aI2 = "C:\\Users\\Admin\\AppData\\Local\\U85-i%aI2.exe"	U85-i%aI2.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

U85-i%aI2.exe

description	ioc	process
File opened for modification	C:\Users\Public\Libraries\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	U85-i%aI2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Public\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Program Files\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	U85-i%aI2.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3011986978-2180659500-3669311805-1000\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3011986978-2180659500-3669311805-1000\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	U85-i%aI2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	U85-i%aI2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

24CF.exe

description pid process target process

PID 1976 set thread context of 4592 1976 24CF.exe 24CF.exe

description	pid	process	target process
PID 1976 set thread context of 4592	1976	24CF.exe	24CF.exe

Drops file in Program Files directory 64 IoCs

Processes:

U85-i%aI2.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Runtime.InteropServices.WindowsRuntime.dll	U85-i%aI2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-80.png	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-125.png	U85-i%aI2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png	U85-i%aI2.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\th.pak	U85-i%aI2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\ui-strings.js	U85-i%aI2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX	U85-i%aI2.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\THMBNAIL.PNG.id[2C79BA2A-3483].[[email protected]].8base	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\PaintSplashScreen.scale-100.png	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\meetings-chat-upsell.png	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-100.png	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\SmallTile.scale-200.png	U85-i%aI2.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\sysinfo.id[2C79BA2A-3483].[[email protected]].8base	U85-i%aI2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar	U85-i%aI2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN095.XML.id[2C79BA2A-3483].[[email protected]].8base	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionLargeTile.scale-150.png	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionMedTile.scale-100.png	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-200.png	U85-i%aI2.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Printing.resources.dll	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\LargeTile.scale-125.png	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-100_contrast-white.png	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarLargeTile.scale-125.png	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\nunit_schema_2.5.xsd	U85-i%aI2.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.id[2C79BA2A-3483].[[email protected]].8base	U85-i%aI2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms	U85-i%aI2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll	U85-i%aI2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblendbench_plugin.dll	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-256.png	U85-i%aI2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview-hover.svg.id[2C79BA2A-3483].[[email protected]].8base	U85-i%aI2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee90.tlb	U85-i%aI2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms	U85-i%aI2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SAEXT.DLL	U85-i%aI2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-string-l1-1-0.dll	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\SuccessControl.xaml	U85-i%aI2.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\msjet.xsl.id[2C79BA2A-3483].[[email protected]].8base	U85-i%aI2.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\PSGet.Resource.psd1.id[2C79BA2A-3483].[[email protected]].8base	U85-i%aI2.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\ext\sunjce_provider.jar.id[2C79BA2A-3483].[[email protected]].8base	U85-i%aI2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config	U85-i%aI2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\ui-strings.js.id[2C79BA2A-3483].[[email protected]].8base	U85-i%aI2.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.id[2C79BA2A-3483].[[email protected]].8base	U85-i%aI2.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml.id[2C79BA2A-3483].[[email protected]].8base	U85-i%aI2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64	U85-i%aI2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg	U85-i%aI2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main.css	U85-i%aI2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar	U85-i%aI2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms.id[2C79BA2A-3483].[[email protected]].8base	U85-i%aI2.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLessThan.ps1	U85-i%aI2.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll.id[2C79BA2A-3483].[[email protected]].8base	U85-i%aI2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui	U85-i%aI2.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak.id[2C79BA2A-3483].[[email protected]].8base	U85-i%aI2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-100_contrast-white.png	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-400.png	U85-i%aI2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\ui-strings.js	U85-i%aI2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.id[2C79BA2A-3483].[[email protected]].8base	U85-i%aI2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-white_scale-100.png	U85-i%aI2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\ui-strings.js	U85-i%aI2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\ui-strings.js	U85-i%aI2.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\vlc.mo.id[2C79BA2A-3483].[[email protected]].8base	U85-i%aI2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\share_icons.png	U85-i%aI2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4872	500	WerFault.exe	09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe
3240	3172	WerFault.exe	U85-i%aI2.exe
3268	4724	WerFault.exe	C8F8.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe24CF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	24CF.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	24CF.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	24CF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

828 vssadmin.exe
4624 vssadmin.exe

pid	process
828	vssadmin.exe
4624	vssadmin.exe

Modifies registry class 3 IoCs

Processes:

Explorer.EXEU85-i%aI2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	U85-i%aI2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.execertreq.exe24CF.exeU85-i%aI2.exeExplorer.EXE

pid	process
500	09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe
500	09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe
500	09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe
500	09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe
2148	certreq.exe
2148	certreq.exe
2148	certreq.exe
2148	certreq.exe
4592	24CF.exe
4592	24CF.exe
2060	U85-i%aI2.exe
2060	U85-i%aI2.exe
2060	U85-i%aI2.exe
2060	U85-i%aI2.exe
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
2060	U85-i%aI2.exe
2060	U85-i%aI2.exe
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
2060	U85-i%aI2.exe
2060	U85-i%aI2.exe
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
2060	U85-i%aI2.exe
2060	U85-i%aI2.exe
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
2060	U85-i%aI2.exe
2060	U85-i%aI2.exe
3128	Explorer.EXE
3128	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3128 Explorer.EXE

pid	process
3128	Explorer.EXE

Suspicious behavior: MapViewOfSection 31 IoCs

Processes:

24CF.exeExplorer.EXE

pid	process
4592	24CF.exe
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

U85-i%aI2.exevssvc.exeWMIC.exewbengine.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2060	U85-i%aI2.exe
Token: SeBackupPrivilege	1232	vssvc.exe
Token: SeRestorePrivilege	1232	vssvc.exe
Token: SeAuditPrivilege	1232	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4508	WMIC.exe
Token: SeSecurityPrivilege	4508	WMIC.exe
Token: SeTakeOwnershipPrivilege	4508	WMIC.exe
Token: SeLoadDriverPrivilege	4508	WMIC.exe
Token: SeSystemProfilePrivilege	4508	WMIC.exe
Token: SeSystemtimePrivilege	4508	WMIC.exe
Token: SeProfSingleProcessPrivilege	4508	WMIC.exe
Token: SeIncBasePriorityPrivilege	4508	WMIC.exe
Token: SeCreatePagefilePrivilege	4508	WMIC.exe
Token: SeBackupPrivilege	4508	WMIC.exe
Token: SeRestorePrivilege	4508	WMIC.exe
Token: SeShutdownPrivilege	4508	WMIC.exe
Token: SeDebugPrivilege	4508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4508	WMIC.exe
Token: SeRemoteShutdownPrivilege	4508	WMIC.exe
Token: SeUndockPrivilege	4508	WMIC.exe
Token: SeManageVolumePrivilege	4508	WMIC.exe
Token: 33	4508	WMIC.exe
Token: 34	4508	WMIC.exe
Token: 35	4508	WMIC.exe
Token: 36	4508	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4508	WMIC.exe
Token: SeSecurityPrivilege	4508	WMIC.exe
Token: SeTakeOwnershipPrivilege	4508	WMIC.exe
Token: SeLoadDriverPrivilege	4508	WMIC.exe
Token: SeSystemProfilePrivilege	4508	WMIC.exe
Token: SeSystemtimePrivilege	4508	WMIC.exe
Token: SeProfSingleProcessPrivilege	4508	WMIC.exe
Token: SeIncBasePriorityPrivilege	4508	WMIC.exe
Token: SeCreatePagefilePrivilege	4508	WMIC.exe
Token: SeBackupPrivilege	4508	WMIC.exe
Token: SeRestorePrivilege	4508	WMIC.exe
Token: SeShutdownPrivilege	4508	WMIC.exe
Token: SeDebugPrivilege	4508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4508	WMIC.exe
Token: SeRemoteShutdownPrivilege	4508	WMIC.exe
Token: SeUndockPrivilege	4508	WMIC.exe
Token: SeManageVolumePrivilege	4508	WMIC.exe
Token: 33	4508	WMIC.exe
Token: 34	4508	WMIC.exe
Token: 35	4508	WMIC.exe
Token: 36	4508	WMIC.exe
Token: SeBackupPrivilege	980	wbengine.exe
Token: SeRestorePrivilege	980	wbengine.exe
Token: SeSecurityPrivilege	980	wbengine.exe
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe24CF.exeU85-i%aI2.execmd.execmd.exeExplorer.EXE

description	pid	process	target process
PID 500 wrote to memory of 2148	500	09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe	certreq.exe
PID 500 wrote to memory of 2148	500	09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe	certreq.exe
PID 500 wrote to memory of 2148	500	09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe	certreq.exe
PID 500 wrote to memory of 2148	500	09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe	certreq.exe
PID 1976 wrote to memory of 4592	1976	24CF.exe	24CF.exe
PID 1976 wrote to memory of 4592	1976	24CF.exe	24CF.exe
PID 1976 wrote to memory of 4592	1976	24CF.exe	24CF.exe
PID 1976 wrote to memory of 4592	1976	24CF.exe	24CF.exe
PID 1976 wrote to memory of 4592	1976	24CF.exe	24CF.exe
PID 1976 wrote to memory of 4592	1976	24CF.exe	24CF.exe
PID 2060 wrote to memory of 1720	2060	U85-i%aI2.exe	cmd.exe
PID 2060 wrote to memory of 1720	2060	U85-i%aI2.exe	cmd.exe
PID 2060 wrote to memory of 824	2060	U85-i%aI2.exe	cmd.exe
PID 2060 wrote to memory of 824	2060	U85-i%aI2.exe	cmd.exe
PID 824 wrote to memory of 2144	824	cmd.exe	netsh.exe
PID 824 wrote to memory of 2144	824	cmd.exe	netsh.exe
PID 1720 wrote to memory of 828	1720	cmd.exe	vssadmin.exe
PID 1720 wrote to memory of 828	1720	cmd.exe	vssadmin.exe
PID 1720 wrote to memory of 4508	1720	cmd.exe	WMIC.exe
PID 1720 wrote to memory of 4508	1720	cmd.exe	WMIC.exe
PID 824 wrote to memory of 932	824	cmd.exe	netsh.exe
PID 824 wrote to memory of 932	824	cmd.exe	netsh.exe
PID 1720 wrote to memory of 388	1720	cmd.exe	bcdedit.exe
PID 1720 wrote to memory of 388	1720	cmd.exe	bcdedit.exe
PID 1720 wrote to memory of 4356	1720	cmd.exe	bcdedit.exe
PID 1720 wrote to memory of 4356	1720	cmd.exe	bcdedit.exe
PID 1720 wrote to memory of 2672	1720	cmd.exe	wbadmin.exe
PID 1720 wrote to memory of 2672	1720	cmd.exe	wbadmin.exe
PID 3128 wrote to memory of 4724	3128	Explorer.EXE	C8F8.exe
PID 3128 wrote to memory of 4724	3128	Explorer.EXE	C8F8.exe
PID 3128 wrote to memory of 4724	3128	Explorer.EXE	C8F8.exe
PID 3128 wrote to memory of 3900	3128	Explorer.EXE	CA80.exe
PID 3128 wrote to memory of 3900	3128	Explorer.EXE	CA80.exe
PID 3128 wrote to memory of 3900	3128	Explorer.EXE	CA80.exe
PID 3128 wrote to memory of 3448	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 3448	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 3448	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 3448	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 4168	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 4168	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 4168	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 4684	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 4684	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 4684	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 4684	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 3800	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 3800	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 3800	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 3800	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 1572	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 1572	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 1572	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 1572	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 1956	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 1956	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 1956	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 992	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 992	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 992	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 992	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 3504	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 3504	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 3504	3128	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 1520	3128	Explorer.EXE	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe
"C:\Users\Admin\AppData\Local\Temp\09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 500 -s 792
3⤵
- Program crash
PID:4872

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2148

C:\Users\Admin\AppData\Local\Temp\C8F8.exe
C:\Users\Admin\AppData\Local\Temp\C8F8.exe
2⤵
- Executes dropped EXE
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 492
3⤵
- Program crash
PID:3268

C:\Users\Admin\AppData\Local\Temp\CA80.exe
C:\Users\Admin\AppData\Local\Temp\CA80.exe
2⤵
- Executes dropped EXE
PID:3900

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3448

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4168

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4684

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3800

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1572

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1956

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:992

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3504

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1520

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1908

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:5016

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:5040

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3276

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4660

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 500 -ip 500
1⤵
PID:4356

C:\Users\Admin\AppData\Local\Microsoft\24CF.exe
"C:\Users\Admin\AppData\Local\Microsoft\24CF.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Microsoft\24CF.exe
"C:\Users\Admin\AppData\Local\Microsoft\24CF.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4592

C:\Users\Admin\AppData\Local\Microsoft\U85-i%aI2.exe
"C:\Users\Admin\AppData\Local\Microsoft\U85-i%aI2.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060

C:\Users\Admin\AppData\Local\Microsoft\U85-i%aI2.exe
"C:\Users\Admin\AppData\Local\Microsoft\U85-i%aI2.exe"
2⤵
- Executes dropped EXE
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 468
3⤵
- Program crash
PID:3240

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:2144

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:932

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:828

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:388

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:4356

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:2672

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:556

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:4704

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:4404

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:3912

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:2268

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4624

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
PID:3280

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:4316

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:412

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:5044

C:\Users\Admin\AppData\Local\Microsoft\425j0S.exe
"C:\Users\Admin\AppData\Local\Microsoft\425j0S.exe"
1⤵
- Executes dropped EXE
PID:4172

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3232

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3172 -ip 3172
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4724 -ip 4724
1⤵
PID:2380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[2C79BA2A-3483].[[email protected]].8base
Filesize
3.2MB

MD5
44a08337b9206a29e4c37349121218e9

SHA1
e312def6a63f4c70e1c57ea1e2c4b74951d8aa38

SHA256
b433a147230252e676306dd5a53ae3f8793b6a704ec09c6203da13963ed41d75

SHA512
f62cc2903c2fe0f822a65191c43f35d5d4f8ed1462036ae322ec2a51fb92cdd79e9634aabfe7c97d72233c30b45ed0d4a5934790e82aaf04ce7736c8e8efa56d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\24CF.exe
Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\24CF.exe
Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\24CF.exe
Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\425j0S.exe
Filesize
164KB

MD5
6ac14216327dcfb60b33ebd914f62769

SHA1
d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b

SHA256
25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9

SHA512
6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\425j0S.exe
Filesize
164KB

MD5
6ac14216327dcfb60b33ebd914f62769

SHA1
d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b

SHA256
25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9

SHA512
6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Filesize
1022B

MD5
8e361d0a2847f22c1e9548bf12f94c27

SHA1
0984b528f982bd872cdb1a3eece5c14c623cdbb5

SHA256
961b71fdda8966e64d1e47fd88e3790e8d9b302c21d13ba8bd25598287352de6

SHA512
53b5f6c9dd56040e900c0874d618eea60ba8b53b00eee16c05d8d2ea1ad37322e78f0adcf13763b664598adca591dbdddd09a4f16e632b7012980472b78ece30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\U85-i%aI2.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\U85-i%aI2.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\U85-i%aI2.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000026.db.id[2C79BA2A-3483].[[email protected]].8base
Filesize
92KB

MD5
385723d35188faa21f941336ba7e74dd

SHA1
6e5a479c4b986dd1f89962913acc0ed3fa6a8643

SHA256
de20b2fe5dff56099187832c83e9c96dcb0c913ed43300ea1d09b775f5a0f429

SHA512
cb028bd944369b46e42e869035db3a88d0562a27351b33c4742da65e5aaba8471983a8379167f214cb417f70ab646db088b9c687a5800783183a8ac55a565f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C8F8.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Temp\C8F8.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Temp\C8F8.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA80.exe
Filesize
164KB

MD5
6ac14216327dcfb60b33ebd914f62769

SHA1
d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b

SHA256
25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9

SHA512
6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA80.exe
Filesize
164KB

MD5
6ac14216327dcfb60b33ebd914f62769

SHA1
d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b

SHA256
25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9

SHA512
6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\F519\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll
Filesize
5.5MB

MD5
872d02e73930e4553468d82340a11871

SHA1
75108449838ca4ba75f6b51980945dec31de5889

SHA256
ed517d013ceb532e17c940f738810159db20e6e4db6063d788df33ebc48596ea

SHA512
0136b48ecef29fc990ea25280d02450867253b0719cbee0ff48f3505c2cd6612f7dd5b6ba8bd3f80fa1cf18d9a1b40e459e0b0db46e5de047879ccaa0863bad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F519\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
Filesize
18KB

MD5
cfe72ed40a076ae4f4157940ce0c5d44

SHA1
8010f7c746a7ba4864785f798f46ec05caae7ece

SHA256
6868894ab04d08956388a94a81016f03d5b7a7b1646c8a6235057a7e1e45de32

SHA512
f002afa2131d250dd6148d8372ce45f84283b8e1209e91720cee7aff497503d0e566bae3a83cd326701458230ae5c0e200eec617889393dd46ac00ff357ff1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F519\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
94f90fcd2b8f7f1df69224f845d9e9b7

SHA1
a09e3072cc581cf89adaf1aa20aa89b3af7bf987

SHA256
a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0

SHA512
51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\F519\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml
Filesize
7KB

MD5
108f130067a9df1719c590316a5245f7

SHA1
79bb9a86e7a50c85214cd7e21719f0cb4155f58a

SHA256
c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874

SHA512
d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

Download Submit
C:\Users\Admin\AppData\Local\Temp\F519\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
94f90fcd2b8f7f1df69224f845d9e9b7

SHA1
a09e3072cc581cf89adaf1aa20aa89b3af7bf987

SHA256
a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0

SHA512
51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\F519\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml
Filesize
7KB

MD5
108f130067a9df1719c590316a5245f7

SHA1
79bb9a86e7a50c85214cd7e21719f0cb4155f58a

SHA256
c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874

SHA512
d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

Download Submit
C:\Users\Admin\AppData\Local\Temp\F519\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll
Filesize
10KB

MD5
1097d1e58872f3cf58f78730a697ce4b

SHA1
96db4e4763a957b28dd80ec1e43eb27367869b86

SHA256
83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef

SHA512
b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

Download Submit
C:\Users\Admin\AppData\Local\Temp\F519\C\Windows\SysWOW64\WalletProxy.dll
Filesize
36KB

MD5
d09724c29a8f321f2f9c552de6ef6afa

SHA1
d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3

SHA256
23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c

SHA512
cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\F519\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll
Filesize
402KB

MD5
02557c141c9e153c2b7987b79a3a2dd7

SHA1
a054761382ee68608b6a3b62b68138dc205f576b

SHA256
207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4

SHA512
a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\F519\C\Windows\System32\WalletBackgroundServiceProxy.dll
Filesize
10KB

MD5
1097d1e58872f3cf58f78730a697ce4b

SHA1
96db4e4763a957b28dd80ec1e43eb27367869b86

SHA256
83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef

SHA512
b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

Download Submit
C:\Users\Admin\AppData\Local\Temp\F519\C\Windows\System32\WalletProxy.dll
Filesize
36KB

MD5
d09724c29a8f321f2f9c552de6ef6afa

SHA1
d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3

SHA256
23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c

SHA512
cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\F519\C\Windows\System32\Windows.ApplicationModel.Wallet.dll
Filesize
402KB

MD5
02557c141c9e153c2b7987b79a3a2dd7

SHA1
a054761382ee68608b6a3b62b68138dc205f576b

SHA256
207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4

SHA512
a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hw21aoqh.default-release\cookies.sqlite.id[2C79BA2A-3483].[[email protected]].8base
Filesize
96KB

MD5
0eae1e2ea448ef1b37d414074ae08c3a

SHA1
8a0565a0dfd716a8eaf44687404435998278ddac

SHA256
295de4a97c04a0ab7b4930118b3621f84feb442afb40a26c72facbbf79f36e8e

SHA512
8507e00bc6d6917490fe99f0b2dbee8eb46e4a02765c0beb812f215c1aa5dbb5ccdb2c960d8c89ac8952387e2d8792b7762523f99e1159f46438682727d8fe70

Download Submit
C:\Users\Admin\AppData\Roaming\cscrsaj
Filesize
438KB

MD5
13d5275e9447e5b2f86c6b8bafc34e1e

SHA1
aa3b5f83cbacb5b864869a1f7a5d506a81675c6a

SHA256
c4ecf1fddb23b0f49405cc82147e1def6ad2965ba8a89e99af2578a0da29620b

SHA512
3274d55467b234f2618cab588ed6ff27478039da8f75f58c4576a7bc96397870b58ba85fb1dfd55ee2e02f97348eec7f3c3253f6dc03bf63b72af99b0f37604d

Download Submit
C:\Users\Admin\AppData\Roaming\udcthjs
Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\Desktop\info.hta
Filesize
5KB

MD5
ca175ee03c12f572db1e0fbaf1c77c89

SHA1
91a162fd1daa54623d9c90221853a39e60a70dc4

SHA256
dfb5927098d1682a2e205f052216b7ea4d48a68e15da7371aa47ddfd4f6ad8fb

SHA512
a804eee6f3703011d9cd3a1ef0745bc6ed22ddefbf54a59ac508b591f139c6d71e80017d2481d6dfde489184fc2405de2ccd4169b72b657bd7fee4253fac13b0

Download Submit
C:\info.hta
Filesize
5KB

MD5
ca175ee03c12f572db1e0fbaf1c77c89

SHA1
91a162fd1daa54623d9c90221853a39e60a70dc4

SHA256
dfb5927098d1682a2e205f052216b7ea4d48a68e15da7371aa47ddfd4f6ad8fb

SHA512
a804eee6f3703011d9cd3a1ef0745bc6ed22ddefbf54a59ac508b591f139c6d71e80017d2481d6dfde489184fc2405de2ccd4169b72b657bd7fee4253fac13b0

Download Submit
C:\info.hta
Filesize
5KB

MD5
ca175ee03c12f572db1e0fbaf1c77c89

SHA1
91a162fd1daa54623d9c90221853a39e60a70dc4

SHA256
dfb5927098d1682a2e205f052216b7ea4d48a68e15da7371aa47ddfd4f6ad8fb

SHA512
a804eee6f3703011d9cd3a1ef0745bc6ed22ddefbf54a59ac508b591f139c6d71e80017d2481d6dfde489184fc2405de2ccd4169b72b657bd7fee4253fac13b0

Download Submit
C:\users\public\desktop\info.hta
Filesize
5KB

MD5
ca175ee03c12f572db1e0fbaf1c77c89

SHA1
91a162fd1daa54623d9c90221853a39e60a70dc4

SHA256
dfb5927098d1682a2e205f052216b7ea4d48a68e15da7371aa47ddfd4f6ad8fb

SHA512
a804eee6f3703011d9cd3a1ef0745bc6ed22ddefbf54a59ac508b591f139c6d71e80017d2481d6dfde489184fc2405de2ccd4169b72b657bd7fee4253fac13b0

Download Submit
F:\info.hta
Filesize
5KB

MD5
ca175ee03c12f572db1e0fbaf1c77c89

SHA1
91a162fd1daa54623d9c90221853a39e60a70dc4

SHA256
dfb5927098d1682a2e205f052216b7ea4d48a68e15da7371aa47ddfd4f6ad8fb

SHA512
a804eee6f3703011d9cd3a1ef0745bc6ed22ddefbf54a59ac508b591f139c6d71e80017d2481d6dfde489184fc2405de2ccd4169b72b657bd7fee4253fac13b0

Download Submit
memory/500-137-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/500-140-0x00000000024D0000-0x00000000028D0000-memory.dmp

Filesize
4.0MB

Download
memory/500-141-0x00000000024D0000-0x00000000028D0000-memory.dmp

Filesize
4.0MB

Download
memory/500-152-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/500-138-0x00000000021D0000-0x00000000021D7000-memory.dmp

Filesize
28KB

Download
memory/500-145-0x0000000002140000-0x00000000021B1000-memory.dmp

Filesize
452KB

Download
memory/500-156-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/500-143-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/500-154-0x00000000024D0000-0x00000000028D0000-memory.dmp

Filesize
4.0MB

Download
memory/500-142-0x00000000024D0000-0x00000000028D0000-memory.dmp

Filesize
4.0MB

Download
memory/500-139-0x00000000024D0000-0x00000000028D0000-memory.dmp

Filesize
4.0MB

Download
memory/500-135-0x0000000002140000-0x00000000021B1000-memory.dmp

Filesize
452KB

Download
memory/500-157-0x00000000024D0000-0x00000000028D0000-memory.dmp

Filesize
4.0MB

Download
memory/500-136-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/500-153-0x0000000003250000-0x0000000003286000-memory.dmp

Filesize
216KB

Download
memory/500-146-0x0000000003250000-0x0000000003286000-memory.dmp

Filesize
216KB

Download
memory/500-134-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/880-6638-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download
memory/880-6640-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/992-5545-0x0000000001470000-0x0000000001479000-memory.dmp

Filesize
36KB

Download
memory/992-5521-0x0000000001480000-0x0000000001485000-memory.dmp

Filesize
20KB

Download
memory/992-5518-0x0000000001470000-0x0000000001479000-memory.dmp

Filesize
36KB

Download
memory/992-6444-0x0000000001480000-0x0000000001485000-memory.dmp

Filesize
20KB

Download
memory/1520-5747-0x0000000001470000-0x0000000001479000-memory.dmp

Filesize
36KB

Download
memory/1520-5746-0x0000000001480000-0x0000000001484000-memory.dmp

Filesize
16KB

Download
memory/1520-5745-0x0000000001470000-0x0000000001479000-memory.dmp

Filesize
36KB

Download
memory/1572-5032-0x0000000000BE0000-0x0000000000BE7000-memory.dmp

Filesize
28KB

Download
memory/1572-5040-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/1572-5023-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/1908-5882-0x00000000008B0000-0x00000000008B5000-memory.dmp

Filesize
20KB

Download
memory/1908-5874-0x00000000008A0000-0x00000000008A9000-memory.dmp

Filesize
36KB

Download
memory/1908-5886-0x00000000008A0000-0x00000000008A9000-memory.dmp

Filesize
36KB

Download
memory/1908-6639-0x00000000008B0000-0x00000000008B5000-memory.dmp

Filesize
20KB

Download
memory/1956-5394-0x0000000001100000-0x0000000001109000-memory.dmp

Filesize
36KB

Download
memory/1956-5429-0x00000000010F0000-0x00000000010FF000-memory.dmp

Filesize
60KB

Download
memory/1956-6354-0x0000000001100000-0x0000000001109000-memory.dmp

Filesize
36KB

Download
memory/1956-5393-0x00000000010F0000-0x00000000010FF000-memory.dmp

Filesize
60KB

Download
memory/1976-195-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/1976-196-0x0000000000640000-0x0000000000649000-memory.dmp

Filesize
36KB

Download
memory/2060-6259-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2060-4713-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2060-192-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2060-9245-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2060-191-0x0000000000570000-0x000000000057F000-memory.dmp

Filesize
60KB

Download
memory/2060-203-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2060-285-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2060-190-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2060-2327-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2148-689-0x00007FFFF2610000-0x00007FFFF2805000-memory.dmp

Filesize
2.0MB

Download
memory/2148-172-0x00007FF472B40000-0x00007FF472C6D000-memory.dmp

Filesize
1.2MB

Download
memory/2148-144-0x000001EF17CD0000-0x000001EF17CD3000-memory.dmp

Filesize
12KB

Download
memory/2148-177-0x00007FFFF2610000-0x00007FFFF2805000-memory.dmp

Filesize
2.0MB

Download
memory/2148-176-0x00007FF472B40000-0x00007FF472C6D000-memory.dmp

Filesize
1.2MB

Download
memory/2148-175-0x00007FF472B40000-0x00007FF472C6D000-memory.dmp

Filesize
1.2MB

Download
memory/2148-174-0x00007FF472B40000-0x00007FF472C6D000-memory.dmp

Filesize
1.2MB

Download
memory/2148-166-0x00007FF472B40000-0x00007FF472C6D000-memory.dmp

Filesize
1.2MB

Download
memory/2148-164-0x00007FF472B40000-0x00007FF472C6D000-memory.dmp

Filesize
1.2MB

Download
memory/2148-173-0x00007FF472B40000-0x00007FF472C6D000-memory.dmp

Filesize
1.2MB

Download
memory/2148-161-0x00007FF472B40000-0x00007FF472C6D000-memory.dmp

Filesize
1.2MB

Download
memory/2148-168-0x00007FF472B40000-0x00007FF472C6D000-memory.dmp

Filesize
1.2MB

Download
memory/2148-160-0x00007FF472B40000-0x00007FF472C6D000-memory.dmp

Filesize
1.2MB

Download
memory/2148-171-0x00007FFFF2610000-0x00007FFFF2805000-memory.dmp

Filesize
2.0MB

Download
memory/2148-170-0x00007FF472B40000-0x00007FF472C6D000-memory.dmp

Filesize
1.2MB

Download
memory/2148-670-0x000001EF17E70000-0x000001EF17E75000-memory.dmp

Filesize
20KB

Download
memory/2148-169-0x00007FF472B40000-0x00007FF472C6D000-memory.dmp

Filesize
1.2MB

Download
memory/2148-163-0x00007FF472B40000-0x00007FF472C6D000-memory.dmp

Filesize
1.2MB

Download
memory/2148-162-0x00007FF472B40000-0x00007FF472C6D000-memory.dmp

Filesize
1.2MB

Download
memory/2148-159-0x000001EF17E70000-0x000001EF17E77000-memory.dmp

Filesize
28KB

Download
memory/2148-158-0x000001EF17CD0000-0x000001EF17CD3000-memory.dmp

Filesize
12KB

Download
memory/3128-338-0x0000000002F60000-0x0000000002F76000-memory.dmp

Filesize
88KB

Download
memory/3172-1950-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/3172-1984-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3276-6488-0x0000000000570000-0x000000000057B000-memory.dmp

Filesize
44KB

Download
memory/3276-6486-0x0000000000570000-0x000000000057B000-memory.dmp

Filesize
44KB

Download
memory/3448-4732-0x00000000006E0000-0x000000000074B000-memory.dmp

Filesize
428KB

Download
memory/3448-4719-0x0000000000750000-0x00000000007C5000-memory.dmp

Filesize
468KB

Download
memory/3448-4667-0x00000000006E0000-0x000000000074B000-memory.dmp

Filesize
428KB

Download
memory/3448-4949-0x00000000006E0000-0x000000000074B000-memory.dmp

Filesize
428KB

Download
memory/3504-6487-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/3504-5626-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/3504-5632-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/3504-5644-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/3800-4922-0x0000000000490000-0x000000000049B000-memory.dmp

Filesize
44KB

Download
memory/3800-4923-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/3800-4924-0x0000000000490000-0x000000000049B000-memory.dmp

Filesize
44KB

Download
memory/3900-8779-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4168-4858-0x00000000009C0000-0x00000000009CC000-memory.dmp

Filesize
48KB

Download
memory/4168-4918-0x00000000009C0000-0x00000000009CC000-memory.dmp

Filesize
48KB

Download
memory/4168-4833-0x00000000009D0000-0x00000000009D7000-memory.dmp

Filesize
28KB

Download
memory/4172-1365-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/4172-201-0x0000000000530000-0x0000000000535000-memory.dmp

Filesize
20KB

Download
memory/4172-830-0x0000000000530000-0x0000000000535000-memory.dmp

Filesize
20KB

Download
memory/4172-202-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4172-200-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/4592-197-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4592-199-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4592-388-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4660-6493-0x00000000008C0000-0x00000000008CD000-memory.dmp

Filesize
52KB

Download
memory/4660-6497-0x00000000008C0000-0x00000000008CD000-memory.dmp

Filesize
52KB

Download
memory/4660-6494-0x00000000008D0000-0x00000000008D7000-memory.dmp

Filesize
28KB

Download
memory/4684-4919-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/4684-4920-0x0000000000610000-0x0000000000614000-memory.dmp

Filesize
16KB

Download
memory/4684-5627-0x0000000000610000-0x0000000000614000-memory.dmp

Filesize
16KB

Download
memory/4684-4921-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/5016-6393-0x00000000014A0000-0x00000000014C1000-memory.dmp

Filesize
132KB

Download
memory/5016-6290-0x0000000001470000-0x0000000001497000-memory.dmp

Filesize
156KB

Download
memory/5016-6255-0x0000000001470000-0x0000000001497000-memory.dmp

Filesize
156KB

Download
memory/5040-6443-0x0000000000BD0000-0x0000000000BD9000-memory.dmp

Filesize
36KB

Download
memory/5040-6445-0x0000000000BD0000-0x0000000000BD9000-memory.dmp

Filesize
36KB

Download