phobos | b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642

Analysis

max time kernel
88s
max time network
142s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
14-07-2023 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d18c07abced7f8fc570c83dd825bb0b.exe
Size

451KB
MD5

4d18c07abced7f8fc570c83dd825bb0b
SHA1

4e1d179697ab7536ee475494b158b969963e0bf6
SHA256

b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642
SHA512

daf48720ed402be15b532a32d10dd8823b564516d5f6d6628ca646c20347f7180bf911c7b8dfd75c03826badf719534bd45e1c26c5bd4857680ec77e63f4c5a4
SSDEEP

6144:ekN8IaM0bFfBmtjlfXKG/PhjPO6odPgQ4PJsL0cVeMmhi9MdNeerB+0Vsw:V8DM0blqjl/h/97MV0cGLNZxV

Score

10^/10

phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Extracted

Family

systembc

adstat477d.xyz:4044

demstat577d.xyz:4044

Signatures

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1044-59-0x00000000046E0000-0x0000000004AE0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1044-60-0x00000000046E0000-0x0000000004AE0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1044-61-0x00000000046E0000-0x0000000004AE0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1044-62-0x00000000046E0000-0x0000000004AE0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1044-74-0x00000000046E0000-0x0000000004AE0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1044-77-0x00000000046E0000-0x0000000004AE0000-memory.dmp	family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

4d18c07abced7f8fc570c83dd825bb0b.exe

description pid process target process

PID 1044 created 1212 1044 4d18c07abced7f8fc570c83dd825bb0b.exe Explorer.EXE
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1604 netsh.exe
2848 netsh.exe
Deletes itself 1 IoCs

Processes:

certreq.exe

pid process

2072 certreq.exe
Drops startup file 1 IoCs

Processes:

xi28sr.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\xi28sr.exe xi28sr.exe
Executes dropped EXE 6 IoCs

Processes:

tcIbvM8%{6.exexi28sr.exePN4[8$.exexi28sr.exetcIbvM8%{6.exe9BA3.exe

pid process

112 tcIbvM8%{6.exe
524 xi28sr.exe
472 PN4[8$.exe
1100 xi28sr.exe
2672 tcIbvM8%{6.exe
1040 9BA3.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 1044 created 1212	1044	4d18c07abced7f8fc570c83dd825bb0b.exe	Explorer.EXE

pid	process
1604	netsh.exe
2848	netsh.exe

pid	process
2072	certreq.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\xi28sr.exe	xi28sr.exe

pid	process
112	tcIbvM8%{6.exe
524	xi28sr.exe
472	PN4[8$.exe
1100	xi28sr.exe
2672	tcIbvM8%{6.exe
1040	9BA3.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

explorer.execertreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xi28sr.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xi28sr = "C:\\Users\\Admin\\AppData\\Local\\xi28sr.exe"	xi28sr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\xi28sr = "C:\\Users\\Admin\\AppData\\Local\\xi28sr.exe"	xi28sr.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

xi28sr.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-377084978-2088738870-2818360375-1000\desktop.ini	xi28sr.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-377084978-2088738870-2818360375-1000\desktop.ini	xi28sr.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	xi28sr.exe
File opened for modification	C:\Program Files\desktop.ini	xi28sr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

tcIbvM8%{6.exe

description pid process target process

PID 112 set thread context of 2672 112 tcIbvM8%{6.exe tcIbvM8%{6.exe

description	pid	process	target process
PID 112 set thread context of 2672	112	tcIbvM8%{6.exe	tcIbvM8%{6.exe

Drops file in Program Files directory 64 IoCs

Processes:

xi28sr.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar	xi28sr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_zh_4.4.0.v20140623020002.jar	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\sound.properties	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury	xi28sr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml	xi28sr.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	xi28sr.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Regina.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\ant-javafx.jar	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_ja.jar	xi28sr.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	xi28sr.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pl.jar	xi28sr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\management.properties.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_ja.jar.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File created	C:\Program Files\Java\jre7\bin\libxslt.dll.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader_icd.json.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml	xi28sr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar	xi28sr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\af.pak	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon	xi28sr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	xi28sr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\boot.jar	xi28sr.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll	xi28sr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar	xi28sr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.identity_3.4.0.v20140827-1444.jar.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf	xi28sr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar	xi28sr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\orb.idl.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msadcfr.dll.mui	xi28sr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png	xi28sr.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\preloaded_data.pb.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303.id[A1D1CB13-3483].[[email protected]].8base	xi28sr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml	xi28sr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

tcIbvM8%{6.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tcIbvM8%{6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tcIbvM8%{6.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tcIbvM8%{6.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2156 vssadmin.exe

pid	process
2156	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4d18c07abced7f8fc570c83dd825bb0b.execertreq.exetcIbvM8%{6.exexi28sr.exeExplorer.EXE

pid	process
1044	4d18c07abced7f8fc570c83dd825bb0b.exe
1044	4d18c07abced7f8fc570c83dd825bb0b.exe
1044	4d18c07abced7f8fc570c83dd825bb0b.exe
1044	4d18c07abced7f8fc570c83dd825bb0b.exe
2072	certreq.exe
2072	certreq.exe
2072	certreq.exe
2072	certreq.exe
2672	tcIbvM8%{6.exe
2672	tcIbvM8%{6.exe
524	xi28sr.exe
524	xi28sr.exe
524	xi28sr.exe
1212	Explorer.EXE
1212	Explorer.EXE
524	xi28sr.exe
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
524	xi28sr.exe
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
524	xi28sr.exe
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
524	xi28sr.exe
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
524	xi28sr.exe
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
524	xi28sr.exe
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
524	xi28sr.exe
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
524	xi28sr.exe
1212	Explorer.EXE

Suspicious behavior: MapViewOfSection 23 IoCs

Processes:

tcIbvM8%{6.exeExplorer.EXE

pid	process
2672	tcIbvM8%{6.exe
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

xi28sr.exevssvc.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	524	xi28sr.exe
Token: SeBackupPrivilege	2396	vssvc.exe
Token: SeRestorePrivilege	2396	vssvc.exe
Token: SeAuditPrivilege	2396	vssvc.exe
Token: SeShutdownPrivilege	1212	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4d18c07abced7f8fc570c83dd825bb0b.exetcIbvM8%{6.exexi28sr.execmd.execmd.exeExplorer.EXE

description	pid	process	target process
PID 1044 wrote to memory of 2072	1044	4d18c07abced7f8fc570c83dd825bb0b.exe	certreq.exe
PID 1044 wrote to memory of 2072	1044	4d18c07abced7f8fc570c83dd825bb0b.exe	certreq.exe
PID 1044 wrote to memory of 2072	1044	4d18c07abced7f8fc570c83dd825bb0b.exe	certreq.exe
PID 1044 wrote to memory of 2072	1044	4d18c07abced7f8fc570c83dd825bb0b.exe	certreq.exe
PID 1044 wrote to memory of 2072	1044	4d18c07abced7f8fc570c83dd825bb0b.exe	certreq.exe
PID 1044 wrote to memory of 2072	1044	4d18c07abced7f8fc570c83dd825bb0b.exe	certreq.exe
PID 112 wrote to memory of 2672	112	tcIbvM8%{6.exe	tcIbvM8%{6.exe
PID 112 wrote to memory of 2672	112	tcIbvM8%{6.exe	tcIbvM8%{6.exe
PID 112 wrote to memory of 2672	112	tcIbvM8%{6.exe	tcIbvM8%{6.exe
PID 112 wrote to memory of 2672	112	tcIbvM8%{6.exe	tcIbvM8%{6.exe
PID 112 wrote to memory of 2672	112	tcIbvM8%{6.exe	tcIbvM8%{6.exe
PID 112 wrote to memory of 2672	112	tcIbvM8%{6.exe	tcIbvM8%{6.exe
PID 112 wrote to memory of 2672	112	tcIbvM8%{6.exe	tcIbvM8%{6.exe
PID 524 wrote to memory of 856	524	xi28sr.exe	cmd.exe
PID 524 wrote to memory of 856	524	xi28sr.exe	cmd.exe
PID 524 wrote to memory of 856	524	xi28sr.exe	cmd.exe
PID 524 wrote to memory of 856	524	xi28sr.exe	cmd.exe
PID 524 wrote to memory of 1996	524	xi28sr.exe	cmd.exe
PID 524 wrote to memory of 1996	524	xi28sr.exe	cmd.exe
PID 524 wrote to memory of 1996	524	xi28sr.exe	cmd.exe
PID 524 wrote to memory of 1996	524	xi28sr.exe	cmd.exe
PID 1996 wrote to memory of 2156	1996	cmd.exe	vssadmin.exe
PID 1996 wrote to memory of 2156	1996	cmd.exe	vssadmin.exe
PID 1996 wrote to memory of 2156	1996	cmd.exe	vssadmin.exe
PID 856 wrote to memory of 1604	856	cmd.exe	netsh.exe
PID 856 wrote to memory of 1604	856	cmd.exe	netsh.exe
PID 856 wrote to memory of 1604	856	cmd.exe	netsh.exe
PID 856 wrote to memory of 2848	856	cmd.exe	netsh.exe
PID 856 wrote to memory of 2848	856	cmd.exe	netsh.exe
PID 856 wrote to memory of 2848	856	cmd.exe	netsh.exe
PID 1212 wrote to memory of 1040	1212	Explorer.EXE	9BA3.exe
PID 1212 wrote to memory of 1040	1212	Explorer.EXE	9BA3.exe
PID 1212 wrote to memory of 1040	1212	Explorer.EXE	9BA3.exe
PID 1212 wrote to memory of 1040	1212	Explorer.EXE	9BA3.exe
PID 1212 wrote to memory of 2088	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2088	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2088	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2088	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2088	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 1728	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 1728	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 1728	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 1728	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2608	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2608	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2608	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2608	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2608	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 1764	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 1764	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 1764	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 1764	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 1764	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2612	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2612	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2612	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2612	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2612	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2700	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2700	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2700	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2700	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2000	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 2000	1212	Explorer.EXE	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\4d18c07abced7f8fc570c83dd825bb0b.exe
"C:\Users\Admin\AppData\Local\Temp\4d18c07abced7f8fc570c83dd825bb0b.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Deletes itself
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2072

C:\Users\Admin\AppData\Local\Temp\9BA3.exe
C:\Users\Admin\AppData\Local\Temp\9BA3.exe
2⤵
- Executes dropped EXE
PID:1040

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2088

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1728

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2608

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1764

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2612

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2700

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2000

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1812

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1592

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2932

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1692

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1856

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1252

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2808

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1164

C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe
"C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:112

C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe
"C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2672

C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe
"C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524

C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe
"C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe"
2⤵
- Executes dropped EXE
PID:1100

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2156

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:1604

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:2848

C:\Users\Admin\AppData\Local\Microsoft\PN4[8$.exe
"C:\Users\Admin\AppData\Local\Microsoft\PN4[8$.exe"
1⤵
- Executes dropped EXE
PID:472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[A1D1CB13-3483].[[email protected]].8base
Filesize
99.8MB

MD5
c12828c173760cad7a789173f74e0f27

SHA1
41fc0e6d77aa009282cb0926eba7b8c08fe08eb0

SHA256
76e62ab74d71af12b0a8c9790dadfde3889732426ca1375c6585a44fbc69c662

SHA512
bcf917784bc6f2a654b0c52fc7ef1d00cf4ae50bae8eb57c172b1ce3e9cb3a51e19f4e731fc8ab87858915cccafa2d317570c12aa2edc6493282ecb290299252

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PN4[8$.exe
Filesize
164KB

MD5
3524139d7687147f53dc7df4f4867093

SHA1
77a6308dc4981ac164a887ed54a0e01c63c17c63

SHA256
954429625375fc965c2151a8b109c07d1f6de6fbf9c3b95660400d9b4bf79081

SHA512
48df3de51b20e20660804f92a699f9b3886406c1872c8df02e220bf23415838ada393fc540f878aad8ebe61f7023161b15152942509b63030b6fd4a458a82db3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe
Filesize
166KB

MD5
1b2b02b4b524fe02b8b96bd781c8eceb

SHA1
36e2eb7e1ae58b103b2d1cca5991786b0118534b

SHA256
e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6

SHA512
80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe
Filesize
166KB

MD5
1b2b02b4b524fe02b8b96bd781c8eceb

SHA1
36e2eb7e1ae58b103b2d1cca5991786b0118534b

SHA256
e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6

SHA512
80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe
Filesize
166KB

MD5
1b2b02b4b524fe02b8b96bd781c8eceb

SHA1
36e2eb7e1ae58b103b2d1cca5991786b0118534b

SHA256
e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6

SHA512
80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe
Filesize
165KB

MD5
65ba8303fabfb2652158af69f7124772

SHA1
e7a679c504b8f00c995da10f1fa66fb6458832a2

SHA256
3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8

SHA512
cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe
Filesize
165KB

MD5
65ba8303fabfb2652158af69f7124772

SHA1
e7a679c504b8f00c995da10f1fa66fb6458832a2

SHA256
3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8

SHA512
cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe
Filesize
165KB

MD5
65ba8303fabfb2652158af69f7124772

SHA1
e7a679c504b8f00c995da10f1fa66fb6458832a2

SHA256
3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8

SHA512
cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BA3.exe
Filesize
165KB

MD5
65ba8303fabfb2652158af69f7124772

SHA1
e7a679c504b8f00c995da10f1fa66fb6458832a2

SHA256
3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8

SHA512
cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BA3.exe
Filesize
165KB

MD5
65ba8303fabfb2652158af69f7124772

SHA1
e7a679c504b8f00c995da10f1fa66fb6458832a2

SHA256
3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8

SHA512
cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tf9bvg1t.default-release\cookies.sqlite.id[A1D1CB13-3483].[[email protected]].8base
Filesize
96KB

MD5
d3c361f7db413c3ee876d794da33e374

SHA1
92fc50208cce7280e5940692e7c2eb5ce95562c6

SHA256
a48ae5a0686ed581bcab4e76ce9a61abdc0ebaf1f26b129639f72d21b76a4ad8

SHA512
3d6cd3bed2f0933aeffcb557c1df58e3f7963c02cf6f22311e163ccbf9fbb68a8d3d038d19f649ebeb8b7941132d06946bef87aa1dedfd04ed3ba5af56af488f

Download Submit
memory/112-116-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/112-118-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/472-377-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/472-392-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/472-383-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/472-666-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/472-667-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/524-644-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/524-2362-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/524-111-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/524-109-0x0000000000220000-0x000000000022F000-memory.dmp

Filesize
60KB

Download
memory/524-108-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/524-1108-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/524-164-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/524-327-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1040-2926-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1044-60-0x00000000046E0000-0x0000000004AE0000-memory.dmp

Filesize
4.0MB

Download
memory/1044-61-0x00000000046E0000-0x0000000004AE0000-memory.dmp

Filesize
4.0MB

Download
memory/1044-55-0x0000000002CC0000-0x0000000002DC0000-memory.dmp

Filesize
1024KB

Download
memory/1044-74-0x00000000046E0000-0x0000000004AE0000-memory.dmp

Filesize
4.0MB

Download
memory/1044-57-0x0000000000270000-0x00000000002E1000-memory.dmp

Filesize
452KB

Download
memory/1044-73-0x0000000002BC0000-0x0000000002BF6000-memory.dmp

Filesize
216KB

Download
memory/1044-65-0x0000000000400000-0x0000000002B7C000-memory.dmp

Filesize
39.5MB

Download
memory/1044-63-0x0000000002CC0000-0x0000000002DC0000-memory.dmp

Filesize
1024KB

Download
memory/1044-62-0x00000000046E0000-0x0000000004AE0000-memory.dmp

Filesize
4.0MB

Download
memory/1044-66-0x0000000002BC0000-0x0000000002BF6000-memory.dmp

Filesize
216KB

Download
memory/1044-56-0x0000000000400000-0x0000000002B7C000-memory.dmp

Filesize
39.5MB

Download
memory/1044-58-0x0000000000230000-0x0000000000237000-memory.dmp

Filesize
28KB

Download
memory/1044-77-0x00000000046E0000-0x0000000004AE0000-memory.dmp

Filesize
4.0MB

Download
memory/1044-76-0x0000000000400000-0x0000000002B7C000-memory.dmp

Filesize
39.5MB

Download
memory/1044-59-0x00000000046E0000-0x0000000004AE0000-memory.dmp

Filesize
4.0MB

Download
memory/1100-643-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1100-642-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/1212-204-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/1252-2854-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1252-2855-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/1252-2852-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/1592-2275-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1592-2927-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/1592-2277-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1592-2276-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/1692-2448-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/1692-2449-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/1692-2451-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/1728-1819-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1728-1169-0x0000000000070000-0x0000000000077000-memory.dmp

Filesize
28KB

Download
memory/1728-1170-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1728-1168-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1764-1526-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1764-1521-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1764-2096-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1764-1518-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1812-2088-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1812-2086-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1812-2087-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/1812-2853-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/1856-2481-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1856-2483-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1856-2482-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/2000-1969-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2000-2024-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2000-2023-0x00000000000E0000-0x00000000000EF000-memory.dmp

Filesize
60KB

Download
memory/2072-92-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2072-88-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2072-64-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/2072-78-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/2072-79-0x00000000020C0000-0x00000000020C7000-memory.dmp

Filesize
28KB

Download
memory/2072-81-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2072-80-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2072-82-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2072-83-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2072-84-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2072-85-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2072-87-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2072-89-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2072-90-0x00000000770F0000-0x0000000077299000-memory.dmp

Filesize
1.7MB

Download
memory/2072-91-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2072-93-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2072-94-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2072-95-0x00000000020C0000-0x00000000020C7000-memory.dmp

Filesize
28KB

Download
memory/2072-112-0x00000000770F0000-0x0000000077299000-memory.dmp

Filesize
1.7MB

Download
memory/2072-96-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2072-104-0x00000000770F0000-0x0000000077299000-memory.dmp

Filesize
1.7MB

Download
memory/2072-103-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2088-1067-0x0000000000080000-0x00000000000EB000-memory.dmp

Filesize
428KB

Download
memory/2088-1236-0x0000000000080000-0x00000000000EB000-memory.dmp

Filesize
428KB

Download
memory/2088-1030-0x00000000000F0000-0x0000000000165000-memory.dmp

Filesize
468KB

Download
memory/2088-1163-0x0000000000080000-0x00000000000EB000-memory.dmp

Filesize
428KB

Download
memory/2608-1290-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/2608-1292-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2608-2031-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/2608-1289-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2612-1768-0x00000000000D0000-0x00000000000D7000-memory.dmp

Filesize
28KB

Download
memory/2612-2363-0x00000000000D0000-0x00000000000D7000-memory.dmp

Filesize
28KB

Download
memory/2612-1765-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/2612-1769-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/2672-205-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2672-117-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2672-122-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2672-120-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2700-1818-0x00000000000E0000-0x00000000000EF000-memory.dmp

Filesize
60KB

Download
memory/2700-1849-0x00000000000E0000-0x00000000000EF000-memory.dmp

Filesize
60KB

Download
memory/2700-1844-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/2700-2443-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/2808-2969-0x0000000000060000-0x000000000006D000-memory.dmp

Filesize
52KB

Download
memory/2932-2365-0x0000000000060000-0x0000000000069000-memory.dmp

Filesize
36KB

Download
memory/2932-2364-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2932-2361-0x0000000000060000-0x0000000000069000-memory.dmp

Filesize
36KB

Download