phobos | 2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5

Analysis

max time kernel
114s
max time network
140s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
14-07-2023 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a85fc38903152fcf020fb5ac1d90aa10.exe
Size

164KB
MD5

a85fc38903152fcf020fb5ac1d90aa10
SHA1

caab463070bc5b97431e19344541f01fb06a0883
SHA256

2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5
SHA512

6f591a5f75fad096dff024b745a5ca0219a149a93f38e47ebeaebfaa70a2694f524611fbfbeb559ade7818a6fcf16151b5521c720dec3472e2127c3c6fba87a2
SSDEEP

3072:yCLITMy2+o6bVAR9PMfBMbsIFD9T3WUNztymtohPwM5AJY:HLIgy7refNPFRWUptJR9O

Score

10^/10

phobos rhadamanthys smokeloader systembc summ backdoor collection evasion persistence ransomware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

summ

Extracted

Family

smokeloader

Version

2022

http://stalagmijesarl.com/

http://ukdantist-sarl.com/

http://cpcorprotationltd.com/

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Extracted

Family

systembc

adstat477d.xyz:4044

demstat577d.xyz:4044

Signatures

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1540-110-0x0000000001D80000-0x0000000002180000-memory.dmp	family_rhadamanthys
behavioral1/memory/1540-111-0x0000000001D80000-0x0000000002180000-memory.dmp	family_rhadamanthys
behavioral1/memory/1540-112-0x0000000001D80000-0x0000000002180000-memory.dmp	family_rhadamanthys
behavioral1/memory/1540-113-0x0000000001D80000-0x0000000002180000-memory.dmp	family_rhadamanthys
behavioral1/memory/1540-126-0x0000000001D80000-0x0000000002180000-memory.dmp	family_rhadamanthys
behavioral1/memory/1540-129-0x0000000001D80000-0x0000000002180000-memory.dmp	family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

2CAC.exe

description pid process target process

PID 1540 created 1308 1540 2CAC.exe Explorer.EXE
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

640 bcdedit.exe
664 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1444 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

2640 netsh.exe
2172 netsh.exe
Deletes itself 1 IoCs

Processes:

Explorer.EXE

pid process

1308 Explorer.EXE
Drops startup file 1 IoCs

Processes:

R4x%wa8d~-.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\R4x%wa8d~-.exe R4x%wa8d~-.exe
Executes dropped EXE 6 IoCs

Processes:

2CAC.exe(%pbQt_y3J.exeR4x%wa8d~-.exezlT.exeR4x%wa8d~-.exe(%pbQt_y3J.exe

pid process

1540 2CAC.exe
592 (%pbQt_y3J.exe
2768 R4x%wa8d~-.exe
3020 zlT.exe
944 R4x%wa8d~-.exe
1712 (%pbQt_y3J.exe

description	pid	process	target process
PID 1540 created 1308	1540	2CAC.exe	Explorer.EXE

pid	process
640	bcdedit.exe
664	bcdedit.exe

pid	process
1444	wbadmin.exe

pid	process
2640	netsh.exe
2172	netsh.exe

pid	process
1308	Explorer.EXE

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\R4x%wa8d~-.exe	R4x%wa8d~-.exe

pid	process
1540	2CAC.exe
592	(%pbQt_y3J.exe
2768	R4x%wa8d~-.exe
3020	zlT.exe
944	R4x%wa8d~-.exe
1712	(%pbQt_y3J.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

R4x%wa8d~-.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\R4x%wa8d~- = "C:\\Users\\Admin\\AppData\\Local\\R4x%wa8d~-.exe"	R4x%wa8d~-.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\R4x%wa8d~- = "C:\\Users\\Admin\\AppData\\Local\\R4x%wa8d~-.exe"	R4x%wa8d~-.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

R4x%wa8d~-.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-722410544-1258951091-1992882075-1000\desktop.ini	R4x%wa8d~-.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-722410544-1258951091-1992882075-1000\desktop.ini	R4x%wa8d~-.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

(%pbQt_y3J.exe

description pid process target process

PID 592 set thread context of 1712 592 (%pbQt_y3J.exe (%pbQt_y3J.exe

description	pid	process	target process
PID 592 set thread context of 1712	592	(%pbQt_y3J.exe	(%pbQt_y3J.exe

Drops file in Program Files directory 22 IoCs

Processes:

R4x%wa8d~-.exe

description	ioc	process
File created	C:\Program Files\7-Zip\7-zip.chm.id[AD71426D-3483].[[email protected]].8base	R4x%wa8d~-.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	R4x%wa8d~-.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	R4x%wa8d~-.exe
File created	C:\Program Files\7-Zip\7zFM.exe.id[AD71426D-3483].[[email protected]].8base	R4x%wa8d~-.exe
File created	C:\Program Files\7-Zip\History.txt.id[AD71426D-3483].[[email protected]].8base	R4x%wa8d~-.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll.id[AD71426D-3483].[[email protected]].8base	R4x%wa8d~-.exe
File created	C:\Program Files\7-Zip\7z.exe.id[AD71426D-3483].[[email protected]].8base	R4x%wa8d~-.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.id[AD71426D-3483].[[email protected]].8base	R4x%wa8d~-.exe
File created	C:\Program Files\7-Zip\7zG.exe.id[AD71426D-3483].[[email protected]].8base	R4x%wa8d~-.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	R4x%wa8d~-.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	R4x%wa8d~-.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	R4x%wa8d~-.exe
File created	C:\Program Files\7-Zip\descript.ion.id[AD71426D-3483].[[email protected]].8base	R4x%wa8d~-.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	R4x%wa8d~-.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	R4x%wa8d~-.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.id[AD71426D-3483].[[email protected]].8base	R4x%wa8d~-.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	R4x%wa8d~-.exe
File created	C:\Program Files\7-Zip\7z.sfx.id[AD71426D-3483].[[email protected]].8base	R4x%wa8d~-.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	R4x%wa8d~-.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	R4x%wa8d~-.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	R4x%wa8d~-.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.id[AD71426D-3483].[[email protected]].8base	R4x%wa8d~-.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a85fc38903152fcf020fb5ac1d90aa10.exe(%pbQt_y3J.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a85fc38903152fcf020fb5ac1d90aa10.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a85fc38903152fcf020fb5ac1d90aa10.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a85fc38903152fcf020fb5ac1d90aa10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	(%pbQt_y3J.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	(%pbQt_y3J.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	(%pbQt_y3J.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1340 vssadmin.exe

pid	process
1340	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a85fc38903152fcf020fb5ac1d90aa10.exeExplorer.EXE

pid	process
2000	a85fc38903152fcf020fb5ac1d90aa10.exe
2000	a85fc38903152fcf020fb5ac1d90aa10.exe
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1308 Explorer.EXE

pid	process
1308	Explorer.EXE

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

a85fc38903152fcf020fb5ac1d90aa10.exeExplorer.EXE

pid	process
2000	a85fc38903152fcf020fb5ac1d90aa10.exe
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

R4x%wa8d~-.exe

description pid process

Token: SeDebugPrivilege 2768 R4x%wa8d~-.exe

description	pid	process
Token: SeDebugPrivilege	2768	R4x%wa8d~-.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Explorer.EXE2CAC.exe(%pbQt_y3J.exeR4x%wa8d~-.exe

description	pid	process	target process
PID 1308 wrote to memory of 1540	1308	Explorer.EXE	2CAC.exe
PID 1308 wrote to memory of 1540	1308	Explorer.EXE	2CAC.exe
PID 1308 wrote to memory of 1540	1308	Explorer.EXE	2CAC.exe
PID 1308 wrote to memory of 1540	1308	Explorer.EXE	2CAC.exe
PID 1308 wrote to memory of 2424	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2424	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2424	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2424	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2424	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 1344	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 1344	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 1344	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 1344	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2408	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2408	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2408	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2408	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2408	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2864	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2864	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2864	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2864	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2924	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2924	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2924	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2924	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2924	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2320	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2320	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2320	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2320	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2320	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 3060	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 3060	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 3060	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 3060	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 3060	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 3064	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 3064	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 3064	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 3064	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2724	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2724	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2724	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2724	1308	Explorer.EXE	explorer.exe
PID 1308 wrote to memory of 2724	1308	Explorer.EXE	explorer.exe
PID 1540 wrote to memory of 2840	1540	2CAC.exe	certreq.exe
PID 1540 wrote to memory of 2840	1540	2CAC.exe	certreq.exe
PID 1540 wrote to memory of 2840	1540	2CAC.exe	certreq.exe
PID 1540 wrote to memory of 2840	1540	2CAC.exe	certreq.exe
PID 1540 wrote to memory of 2840	1540	2CAC.exe	certreq.exe
PID 1540 wrote to memory of 2840	1540	2CAC.exe	certreq.exe
PID 592 wrote to memory of 1712	592	(%pbQt_y3J.exe	(%pbQt_y3J.exe
PID 592 wrote to memory of 1712	592	(%pbQt_y3J.exe	(%pbQt_y3J.exe
PID 592 wrote to memory of 1712	592	(%pbQt_y3J.exe	(%pbQt_y3J.exe
PID 592 wrote to memory of 1712	592	(%pbQt_y3J.exe	(%pbQt_y3J.exe
PID 592 wrote to memory of 1712	592	(%pbQt_y3J.exe	(%pbQt_y3J.exe
PID 592 wrote to memory of 1712	592	(%pbQt_y3J.exe	(%pbQt_y3J.exe
PID 592 wrote to memory of 1712	592	(%pbQt_y3J.exe	(%pbQt_y3J.exe
PID 2768 wrote to memory of 2552	2768	R4x%wa8d~-.exe	cmd.exe
PID 2768 wrote to memory of 2552	2768	R4x%wa8d~-.exe	cmd.exe
PID 2768 wrote to memory of 2552	2768	R4x%wa8d~-.exe	cmd.exe
PID 2768 wrote to memory of 2552	2768	R4x%wa8d~-.exe	cmd.exe
PID 2768 wrote to memory of 2540	2768	R4x%wa8d~-.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\a85fc38903152fcf020fb5ac1d90aa10.exe
"C:\Users\Admin\AppData\Local\Temp\a85fc38903152fcf020fb5ac1d90aa10.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2000

C:\Users\Admin\AppData\Local\Temp\2CAC.exe
C:\Users\Admin\AppData\Local\Temp\2CAC.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2424

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1344

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2408

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2864

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2924

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2320

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3060

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3064

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2724

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
PID:2840

C:\Users\Admin\AppData\Local\Temp\AFEF.exe
C:\Users\Admin\AppData\Local\Temp\AFEF.exe
2⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\B1E3.exe
C:\Users\Admin\AppData\Local\Temp\B1E3.exe
2⤵
PID:468

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:776

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1076

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2256

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2992

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2788

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2472

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2908

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1196

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2980

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2764

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1896

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1744

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2500

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2236

C:\Users\Admin\AppData\Local\Microsoft\(%pbQt_y3J.exe
"C:\Users\Admin\AppData\Local\Microsoft\(%pbQt_y3J.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:592

C:\Users\Admin\AppData\Local\Microsoft\(%pbQt_y3J.exe
"C:\Users\Admin\AppData\Local\Microsoft\(%pbQt_y3J.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1712

C:\Users\Admin\AppData\Local\Microsoft\R4x%wa8d~-.exe
"C:\Users\Admin\AppData\Local\Microsoft\R4x%wa8d~-.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768

C:\Users\Admin\AppData\Local\Microsoft\R4x%wa8d~-.exe
"C:\Users\Admin\AppData\Local\Microsoft\R4x%wa8d~-.exe"
2⤵
- Executes dropped EXE
PID:944

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:2540

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:2172

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:2640

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:2552

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1340

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
PID:1548

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:640

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:664

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:1444

C:\Users\Admin\AppData\Local\Microsoft\zlT.exe
"C:\Users\Admin\AppData\Local\Microsoft\zlT.exe"
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:940

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:3008

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1984

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[AD71426D-3483].[[email protected]].8base
Filesize
104.6MB

MD5
ae65977c672aa0868f3a2314f560d8e1

SHA1
5e0e770560ba9c78f9413bfa6d90a27cbe1be209

SHA256
5f17c6dc9f3d06f60d6334ca23ef5ca168e2313d722ff52e624cdd929b5ce5ac

SHA512
c081d4aef47c386ca5f5f93a636a83fbe68e11087d6beaad9fd9f7b8252b2a9a62bcd004838ac62f3589cab8bad322907199aa0491882db8c54c95c73b3043ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\(%pbQt_y3J.exe
Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\(%pbQt_y3J.exe
Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\(%pbQt_y3J.exe
Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\R4x%wa8d~-.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\R4x%wa8d~-.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\R4x%wa8d~-.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\zlT.exe
Filesize
164KB

MD5
6ac14216327dcfb60b33ebd914f62769

SHA1
d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b

SHA256
25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9

SHA512
6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CAC.exe
Filesize
374KB

MD5
aaf3d68aeea347268ede50e621ca21ce

SHA1
0e7c0e38a200a9ea3af663dfd33941cc5e1657c9

SHA256
09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416

SHA512
61416225031cbb74114ee61e3f7ce697e73423c75a0f2e96f51557b3d289ad868034e2e07ead926cd12a95b524ed37cf1626dc75dc99c47fac9cb8f843002bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CAC.exe
Filesize
374KB

MD5
aaf3d68aeea347268ede50e621ca21ce

SHA1
0e7c0e38a200a9ea3af663dfd33941cc5e1657c9

SHA256
09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416

SHA512
61416225031cbb74114ee61e3f7ce697e73423c75a0f2e96f51557b3d289ad868034e2e07ead926cd12a95b524ed37cf1626dc75dc99c47fac9cb8f843002bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CAC.exe
Filesize
374KB

MD5
aaf3d68aeea347268ede50e621ca21ce

SHA1
0e7c0e38a200a9ea3af663dfd33941cc5e1657c9

SHA256
09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416

SHA512
61416225031cbb74114ee61e3f7ce697e73423c75a0f2e96f51557b3d289ad868034e2e07ead926cd12a95b524ed37cf1626dc75dc99c47fac9cb8f843002bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFEF.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFEF.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1E3.exe
Filesize
164KB

MD5
6ac14216327dcfb60b33ebd914f62769

SHA1
d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b

SHA256
25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9

SHA512
6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1E3.exe
Filesize
164KB

MD5
6ac14216327dcfb60b33ebd914f62769

SHA1
d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b

SHA256
25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9

SHA512
6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g1epp91b.default-release\cookies.sqlite.id[AD71426D-3483].[[email protected]].8base
Filesize
96KB

MD5
a7f33ff4cc6ee1a5780f4f331f225425

SHA1
a017f8557467b81cbfb0912e0cdd4c5f48a93dd9

SHA256
7ccbe0db1203efb774481ce02128d81098a5b147fb27ac77f6c020b42c72cedf

SHA512
9c4553dff6c917c73d833c314800bed2b140052faef4fe3a3dfd1cbb18294332de5f84a6d5135fc0d5c4117b23de250a346175f1caedc5e4171e82f8954e5970

Download Submit
memory/592-167-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/592-168-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/776-3264-0x0000000000080000-0x00000000000EB000-memory.dmp

Filesize
428KB

Download
memory/776-3258-0x00000000001D0000-0x0000000000245000-memory.dmp

Filesize
468KB

Download
memory/776-3292-0x0000000000080000-0x00000000000EB000-memory.dmp

Filesize
428KB

Download
memory/776-3257-0x0000000000080000-0x00000000000EB000-memory.dmp

Filesize
428KB

Download
memory/944-3034-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/944-3035-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/1076-3323-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1076-3302-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1076-3307-0x0000000000070000-0x0000000000077000-memory.dmp

Filesize
28KB

Download
memory/1308-58-0x0000000002590000-0x00000000025A6000-memory.dmp

Filesize
88KB

Download
memory/1308-417-0x0000000002CB0000-0x0000000002CC6000-memory.dmp

Filesize
88KB

Download
memory/1344-80-0x00000000000F0000-0x00000000000F9000-memory.dmp

Filesize
36KB

Download
memory/1344-94-0x00000000000F0000-0x00000000000F9000-memory.dmp

Filesize
36KB

Download
memory/1344-79-0x00000000000E0000-0x00000000000EF000-memory.dmp

Filesize
60KB

Download
memory/1344-81-0x00000000000E0000-0x00000000000EF000-memory.dmp

Filesize
60KB

Download
memory/1540-112-0x0000000001D80000-0x0000000002180000-memory.dmp

Filesize
4.0MB

Download
memory/1540-111-0x0000000001D80000-0x0000000002180000-memory.dmp

Filesize
4.0MB

Download
memory/1540-125-0x0000000002870000-0x00000000028A6000-memory.dmp

Filesize
216KB

Download
memory/1540-105-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1540-106-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1540-107-0x0000000000250000-0x00000000002C1000-memory.dmp

Filesize
452KB

Download
memory/1540-126-0x0000000001D80000-0x0000000002180000-memory.dmp

Filesize
4.0MB

Download
memory/1540-109-0x00000000002E0000-0x00000000002E7000-memory.dmp

Filesize
28KB

Download
memory/1540-110-0x0000000001D80000-0x0000000002180000-memory.dmp

Filesize
4.0MB

Download
memory/1540-118-0x0000000002870000-0x00000000028A6000-memory.dmp

Filesize
216KB

Download
memory/1540-117-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1540-113-0x0000000001D80000-0x0000000002180000-memory.dmp

Filesize
4.0MB

Download
memory/1540-128-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1540-129-0x0000000001D80000-0x0000000002180000-memory.dmp

Filesize
4.0MB

Download
memory/1540-116-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1712-418-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1712-174-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1712-170-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1712-172-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2000-55-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/2000-56-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2000-57-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/2000-59-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2256-3440-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/2256-3445-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2256-3415-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2320-108-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/2320-92-0x00000000000D0000-0x00000000000D5000-memory.dmp

Filesize
20KB

Download
memory/2320-91-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/2408-82-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2408-83-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/2408-97-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2424-77-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/2424-78-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/2424-76-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/2424-89-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/2472-3673-0x0000000000060000-0x000000000006F000-memory.dmp

Filesize
60KB

Download
memory/2724-114-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/2724-100-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/2724-102-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/2724-103-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/2768-1378-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2768-3890-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2768-161-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/2768-162-0x0000000000220000-0x000000000022F000-memory.dmp

Filesize
60KB

Download
memory/2768-164-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2768-175-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/2768-3031-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2768-375-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2768-377-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2788-3545-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/2840-140-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2840-131-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2840-159-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2840-156-0x00000000775F0000-0x0000000077799000-memory.dmp

Filesize
1.7MB

Download
memory/2840-148-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2840-147-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2840-146-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2840-145-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2840-144-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2840-143-0x00000000775F0000-0x0000000077799000-memory.dmp

Filesize
1.7MB

Download
memory/2840-142-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2840-160-0x00000000775F0000-0x0000000077799000-memory.dmp

Filesize
1.7MB

Download
memory/2840-115-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/2840-130-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/2840-141-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2840-133-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2840-134-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2840-138-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2840-136-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2840-135-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2864-84-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/2864-86-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/2864-85-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/2864-101-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/2924-87-0x00000000000B0000-0x00000000000D2000-memory.dmp

Filesize
136KB

Download
memory/2924-104-0x00000000000B0000-0x00000000000D2000-memory.dmp

Filesize
136KB

Download
memory/2924-90-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/2924-88-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/2992-3487-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2992-3488-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/2992-3486-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/3020-439-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/3020-1964-0x00000000002B0000-0x00000000002B5000-memory.dmp

Filesize
20KB

Download
memory/3020-1963-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/3020-460-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3020-440-0x00000000002B0000-0x00000000002B5000-memory.dmp

Filesize
20KB

Download
memory/3060-93-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/3060-95-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/3064-96-0x0000000000060000-0x000000000006D000-memory.dmp

Filesize
52KB

Download
memory/3064-98-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/3064-99-0x0000000000060000-0x000000000006D000-memory.dmp

Filesize
52KB

Download