phobos | c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94

Analysis

max time kernel
138s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2023 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a662ba3492a7d218908f5d851841ed96.exe
Size

374KB
MD5

a662ba3492a7d218908f5d851841ed96
SHA1

d292b20fd69fc5eb70075fb8ed3e7da940ca0b41
SHA256

c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94
SHA512

38d41c8d44ab23c5cb6ea384404592f5dde3b3707bb8d3e3bf75d6e858b0c2d18e1fe27ba963ef2cefd6dad06ed1e4fd394a5f065bd5aa03b5f91b28201f72a5
SSDEEP

6144:eLXTm1bNgmdZQBEaR73L/RqEb+xms6DuPa25QkI/7qi2PKuDYDYm1kThqBAtmaqz:ezoOmdZy33zRqESYluPPmkIl2iwmYBh+

Score

10^/10

phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

systembc

adstat477d.xyz:4044

demstat577d.xyz:4044

Extracted

Family

smokeloader

Version

2022

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>cartilage</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #C6B5C4; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #B5CC8E; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #e6ecf2; border-left: 10px solid #B58CB2; } .alert { background: #FFE4E4; border-left: 10px solid #FFA07A; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC.</div> <div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>4E633C4D-3483</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\users\public\desktop\info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Or write us to the Tox: 78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074 Write this ID in the title of your message 4E633C4D-3483 You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1940-139-0x0000000002570000-0x0000000002970000-memory.dmp	family_rhadamanthys
behavioral2/memory/1940-140-0x0000000002570000-0x0000000002970000-memory.dmp	family_rhadamanthys
behavioral2/memory/1940-141-0x0000000002570000-0x0000000002970000-memory.dmp	family_rhadamanthys
behavioral2/memory/1940-142-0x0000000002570000-0x0000000002970000-memory.dmp	family_rhadamanthys
behavioral2/memory/1940-154-0x0000000002570000-0x0000000002970000-memory.dmp	family_rhadamanthys
behavioral2/memory/1940-157-0x0000000002570000-0x0000000002970000-memory.dmp	family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

a662ba3492a7d218908f5d851841ed96.exe

description pid process target process

PID 1940 created 3088 1940 a662ba3492a7d218908f5d851841ed96.exe Explorer.EXE
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

3220 bcdedit.exe
3408 bcdedit.exe
2772 bcdedit.exe
1892 bcdedit.exe
Renames multiple (491) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

3692 wbadmin.exe
4412 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1360 netsh.exe
2720 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

XfLd%9.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation XfLd%9.exe

description	pid	process	target process
PID 1940 created 3088	1940	a662ba3492a7d218908f5d851841ed96.exe	Explorer.EXE

pid	process
3220	bcdedit.exe
3408	bcdedit.exe
2772	bcdedit.exe
1892	bcdedit.exe

pid	process
3692	wbadmin.exe
4412	wbadmin.exe

pid	process
1360	netsh.exe
2720	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	XfLd%9.exe

Drops startup file 3 IoCs

Processes:

XfLd%9.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\XfLd%9.exe	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	XfLd%9.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe

Executes dropped EXE 6 IoCs

Processes:

XfLd%9.exeZ69s9.exeK5UnDT.exeK5UnDT.exeXfLd%9.exe29D5.exe

pid process

3392 XfLd%9.exe
1812 Z69s9.exe
4736 K5UnDT.exe
3864 K5UnDT.exe
4608 XfLd%9.exe
2836 29D5.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3392	XfLd%9.exe
1812	Z69s9.exe
4736	K5UnDT.exe
3864	K5UnDT.exe
4608	XfLd%9.exe
2836	29D5.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

XfLd%9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XfLd%9 = "C:\\Users\\Admin\\AppData\\Local\\XfLd%9.exe"	XfLd%9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XfLd%9 = "C:\\Users\\Admin\\AppData\\Local\\XfLd%9.exe"	XfLd%9.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

XfLd%9.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	XfLd%9.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	XfLd%9.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	XfLd%9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	XfLd%9.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	XfLd%9.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	XfLd%9.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Public\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	XfLd%9.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	XfLd%9.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	XfLd%9.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1420546310-613437930-2990200354-1000\desktop.ini	XfLd%9.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	XfLd%9.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	XfLd%9.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1420546310-613437930-2990200354-1000\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	XfLd%9.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	XfLd%9.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	XfLd%9.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	XfLd%9.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

K5UnDT.exe

description pid process target process

PID 4736 set thread context of 3864 4736 K5UnDT.exe K5UnDT.exe

description	pid	process	target process
PID 4736 set thread context of 3864	4736	K5UnDT.exe	K5UnDT.exe

Drops file in Program Files directory 64 IoCs

Processes:

XfLd%9.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_66\bin\j2pcsc.dll.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-ms.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-ms.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll	XfLd%9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\3px.png	XfLd%9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-disabled_32.svg	XfLd%9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\StudentReport.dotx	XfLd%9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_StoreLogo.scale-200.png	XfLd%9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter_18.svg	XfLd%9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nb-no\ui-strings.js	XfLd%9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll	XfLd%9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-convert-l1-1-0.dll.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.png	XfLd%9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ja-jp\ui-strings.js.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Runtime.Serialization.Xml.dll	XfLd%9.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\mpvis.dll.mui	XfLd%9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\mfcm140u.dll	XfLd%9.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\iheart-radio.scale-125_contrast-black.png	XfLd%9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\duplicate.svg	XfLd%9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\ui-strings.js.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\psfont.properties.ja.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\IFDPINTL.DLL	XfLd%9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-sl\ui-strings.js	XfLd%9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\ui-strings.js.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_sse2_plugin.dll.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\PlaceholderCollectionHero.png	XfLd%9.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-200.HCWhite.png	XfLd%9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40_altform-unplated.png	XfLd%9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ppd.xrm-ms.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libscreen_plugin.dll	XfLd%9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\mfc140kor.dll	XfLd%9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml	XfLd%9.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\PREVIEW.GIF.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-48.png	XfLd%9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-80_altform-unplated.png	XfLd%9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Security.Cryptography.Cng.dll	XfLd%9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalSplashScreen.scale-200_contrast-white.png	XfLd%9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\AppStore_icon.svg.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\msmdsrvi_xl.rll.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.png	XfLd%9.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1	XfLd%9.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-40_altform-unplated.png	XfLd%9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_k_col.hxk	XfLd%9.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-200.png	XfLd%9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\ui-strings.js.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\koreus.luac.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dll.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.boot.tree.dat	XfLd%9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libhttp_plugin.dll	XfLd%9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui	XfLd%9.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_FR.LEX.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_radio_unselected_18.svg	XfLd%9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-cn_get.svg.id[4E633C4D-3483].[[email protected]].8base	XfLd%9.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.aff	XfLd%9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4424	1940	WerFault.exe	a662ba3492a7d218908f5d851841ed96.exe
3052	4608	WerFault.exe	XfLd%9.exe
5064	4608	WerFault.exe	XfLd%9.exe
2356	4608	WerFault.exe	XfLd%9.exe
5056	2836	WerFault.exe	29D5.exe
216	2836	WerFault.exe	29D5.exe
2008	2836	WerFault.exe	29D5.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exeK5UnDT.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	K5UnDT.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	K5UnDT.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	K5UnDT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4040 vssadmin.exe
184 vssadmin.exe

pid	process
4040	vssadmin.exe
184	vssadmin.exe

Modifies registry class 3 IoCs

Processes:

Explorer.EXEXfLd%9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	XfLd%9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a662ba3492a7d218908f5d851841ed96.execertreq.exeK5UnDT.exeExplorer.EXEXfLd%9.exe

pid	process
1940	a662ba3492a7d218908f5d851841ed96.exe
1940	a662ba3492a7d218908f5d851841ed96.exe
1940	a662ba3492a7d218908f5d851841ed96.exe
1940	a662ba3492a7d218908f5d851841ed96.exe
1332	certreq.exe
1332	certreq.exe
1332	certreq.exe
1332	certreq.exe
3864	K5UnDT.exe
3864	K5UnDT.exe
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3392	XfLd%9.exe
3392	XfLd%9.exe
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3392	XfLd%9.exe
3392	XfLd%9.exe
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3392	XfLd%9.exe
3392	XfLd%9.exe
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3392	XfLd%9.exe
3392	XfLd%9.exe
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3088 Explorer.EXE

pid	process
3088	Explorer.EXE

Suspicious behavior: MapViewOfSection 31 IoCs

Processes:

K5UnDT.exeExplorer.EXE

pid	process
3864	K5UnDT.exe
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

XfLd%9.exevssvc.exeWMIC.exewbengine.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3392	XfLd%9.exe
Token: SeBackupPrivilege	2548	vssvc.exe
Token: SeRestorePrivilege	2548	vssvc.exe
Token: SeAuditPrivilege	2548	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3780	WMIC.exe
Token: SeSecurityPrivilege	3780	WMIC.exe
Token: SeTakeOwnershipPrivilege	3780	WMIC.exe
Token: SeLoadDriverPrivilege	3780	WMIC.exe
Token: SeSystemProfilePrivilege	3780	WMIC.exe
Token: SeSystemtimePrivilege	3780	WMIC.exe
Token: SeProfSingleProcessPrivilege	3780	WMIC.exe
Token: SeIncBasePriorityPrivilege	3780	WMIC.exe
Token: SeCreatePagefilePrivilege	3780	WMIC.exe
Token: SeBackupPrivilege	3780	WMIC.exe
Token: SeRestorePrivilege	3780	WMIC.exe
Token: SeShutdownPrivilege	3780	WMIC.exe
Token: SeDebugPrivilege	3780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3780	WMIC.exe
Token: SeRemoteShutdownPrivilege	3780	WMIC.exe
Token: SeUndockPrivilege	3780	WMIC.exe
Token: SeManageVolumePrivilege	3780	WMIC.exe
Token: 33	3780	WMIC.exe
Token: 34	3780	WMIC.exe
Token: 35	3780	WMIC.exe
Token: 36	3780	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3780	WMIC.exe
Token: SeSecurityPrivilege	3780	WMIC.exe
Token: SeTakeOwnershipPrivilege	3780	WMIC.exe
Token: SeLoadDriverPrivilege	3780	WMIC.exe
Token: SeSystemProfilePrivilege	3780	WMIC.exe
Token: SeSystemtimePrivilege	3780	WMIC.exe
Token: SeProfSingleProcessPrivilege	3780	WMIC.exe
Token: SeIncBasePriorityPrivilege	3780	WMIC.exe
Token: SeCreatePagefilePrivilege	3780	WMIC.exe
Token: SeBackupPrivilege	3780	WMIC.exe
Token: SeRestorePrivilege	3780	WMIC.exe
Token: SeShutdownPrivilege	3780	WMIC.exe
Token: SeDebugPrivilege	3780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3780	WMIC.exe
Token: SeRemoteShutdownPrivilege	3780	WMIC.exe
Token: SeUndockPrivilege	3780	WMIC.exe
Token: SeManageVolumePrivilege	3780	WMIC.exe
Token: 33	3780	WMIC.exe
Token: 34	3780	WMIC.exe
Token: 35	3780	WMIC.exe
Token: 36	3780	WMIC.exe
Token: SeBackupPrivilege	2544	wbengine.exe
Token: SeRestorePrivilege	2544	wbengine.exe
Token: SeSecurityPrivilege	2544	wbengine.exe
Token: SeShutdownPrivilege	3088	Explorer.EXE
Token: SeCreatePagefilePrivilege	3088	Explorer.EXE
Token: SeShutdownPrivilege	3088	Explorer.EXE
Token: SeCreatePagefilePrivilege	3088	Explorer.EXE
Token: SeShutdownPrivilege	3088	Explorer.EXE
Token: SeCreatePagefilePrivilege	3088	Explorer.EXE
Token: SeShutdownPrivilege	3088	Explorer.EXE
Token: SeCreatePagefilePrivilege	3088	Explorer.EXE
Token: SeShutdownPrivilege	3088	Explorer.EXE
Token: SeCreatePagefilePrivilege	3088	Explorer.EXE
Token: SeShutdownPrivilege	3088	Explorer.EXE
Token: SeCreatePagefilePrivilege	3088	Explorer.EXE
Token: SeShutdownPrivilege	3088	Explorer.EXE
Token: SeCreatePagefilePrivilege	3088	Explorer.EXE
Token: SeShutdownPrivilege	3088	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3088 Explorer.EXE

pid	process
3088	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a662ba3492a7d218908f5d851841ed96.exeK5UnDT.exeXfLd%9.execmd.execmd.exeExplorer.EXE

description	pid	process	target process
PID 1940 wrote to memory of 1332	1940	a662ba3492a7d218908f5d851841ed96.exe	certreq.exe
PID 1940 wrote to memory of 1332	1940	a662ba3492a7d218908f5d851841ed96.exe	certreq.exe
PID 1940 wrote to memory of 1332	1940	a662ba3492a7d218908f5d851841ed96.exe	certreq.exe
PID 1940 wrote to memory of 1332	1940	a662ba3492a7d218908f5d851841ed96.exe	certreq.exe
PID 4736 wrote to memory of 3864	4736	K5UnDT.exe	K5UnDT.exe
PID 4736 wrote to memory of 3864	4736	K5UnDT.exe	K5UnDT.exe
PID 4736 wrote to memory of 3864	4736	K5UnDT.exe	K5UnDT.exe
PID 4736 wrote to memory of 3864	4736	K5UnDT.exe	K5UnDT.exe
PID 4736 wrote to memory of 3864	4736	K5UnDT.exe	K5UnDT.exe
PID 4736 wrote to memory of 3864	4736	K5UnDT.exe	K5UnDT.exe
PID 3392 wrote to memory of 4520	3392	XfLd%9.exe	cmd.exe
PID 3392 wrote to memory of 4520	3392	XfLd%9.exe	cmd.exe
PID 3392 wrote to memory of 4700	3392	XfLd%9.exe	cmd.exe
PID 3392 wrote to memory of 4700	3392	XfLd%9.exe	cmd.exe
PID 4700 wrote to memory of 1360	4700	cmd.exe	netsh.exe
PID 4700 wrote to memory of 1360	4700	cmd.exe	netsh.exe
PID 4520 wrote to memory of 4040	4520	cmd.exe	vssadmin.exe
PID 4520 wrote to memory of 4040	4520	cmd.exe	vssadmin.exe
PID 4520 wrote to memory of 3780	4520	cmd.exe	WMIC.exe
PID 4520 wrote to memory of 3780	4520	cmd.exe	WMIC.exe
PID 4520 wrote to memory of 3220	4520	cmd.exe	bcdedit.exe
PID 4520 wrote to memory of 3220	4520	cmd.exe	bcdedit.exe
PID 4520 wrote to memory of 3408	4520	cmd.exe	bcdedit.exe
PID 4520 wrote to memory of 3408	4520	cmd.exe	bcdedit.exe
PID 4520 wrote to memory of 3692	4520	cmd.exe	wbadmin.exe
PID 4520 wrote to memory of 3692	4520	cmd.exe	wbadmin.exe
PID 4700 wrote to memory of 2720	4700	cmd.exe	netsh.exe
PID 4700 wrote to memory of 2720	4700	cmd.exe	netsh.exe
PID 3088 wrote to memory of 2836	3088	Explorer.EXE	29D5.exe
PID 3088 wrote to memory of 2836	3088	Explorer.EXE	29D5.exe
PID 3088 wrote to memory of 2836	3088	Explorer.EXE	29D5.exe
PID 3088 wrote to memory of 3708	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 3708	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 3708	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 3708	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 396	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 396	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 396	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 1132	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 1132	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 1132	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 1132	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 3708	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 3708	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 3708	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 3708	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 1436	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 1436	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 1436	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 1436	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 1940	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 1940	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 1940	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 3856	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 3856	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 3856	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 3856	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 4424	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 4424	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 4424	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 4736	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 4736	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 4736	3088	Explorer.EXE	explorer.exe
PID 3088 wrote to memory of 4736	3088	Explorer.EXE	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3088

C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe
"C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 952
3⤵
- Program crash
PID:4424

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1332

C:\Users\Admin\AppData\Local\Temp\29D5.exe
C:\Users\Admin\AppData\Local\Temp\29D5.exe
2⤵
- Executes dropped EXE
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 496
3⤵
- Program crash
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 500
3⤵
- Program crash
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 528
3⤵
- Program crash
PID:2008

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3708

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:396

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1132

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3708

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1436

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1940

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3856

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4424

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4736

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1360

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4868

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1308

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1916

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2104

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1940 -ip 1940
1⤵
PID:3012

C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe
"C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392

C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe
"C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe"
2⤵
- Executes dropped EXE
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 460
3⤵
- Program crash
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 468
3⤵
- Program crash
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 476
3⤵
- Program crash
PID:2356

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:1360

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:2720

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4040

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:3220

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:3408

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:3692

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:1392

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:3316

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:4196

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:648

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:4604

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:184

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
PID:3704

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2772

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:1892

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:4412

C:\Users\Admin\AppData\Local\Microsoft\Z69s9.exe
"C:\Users\Admin\AppData\Local\Microsoft\Z69s9.exe"
1⤵
- Executes dropped EXE
PID:1812

C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe
"C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4736

C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe
"C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4060

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4608 -ip 4608
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4608 -ip 4608
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4608 -ip 4608
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2836 -ip 2836
1⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2836 -ip 2836
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2836 -ip 2836
1⤵
PID:2088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[4E633C4D-3483].[[email protected]].8base
Filesize
3.2MB

MD5
4886df6a96daab23ee35f6697d9065e8

SHA1
f8e26bdf7ccc4a7984de2f0dfb18cd4a9b4b9006

SHA256
f54bd062618e502a4cc90bd8667494be2056e3df360c801bef27e668aa9f89e7

SHA512
f4a1ba1d3a607f6d114df42967a9eec34911bba43c474ead4a39742acd1db3919eaba7b960e3eca2fcd3d5d59ea408328c57f43cd958e3ede0d222314bc8b22d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe
Filesize
165KB

MD5
d8a652141be195333dd68e662b04c523

SHA1
266363bf92a157ca769f3cce33f13363cf94eb3f

SHA256
82e21c96880af14b90e7d8a688ec83c41bddcaa29ee05557b763795d1416ad39

SHA512
ce0d269674d139358b5068b3df7ccbae1e5470a031d3e59ac1ab68493438e51dc733a6be5d36854257d8d5d5e822a9ad421398cc0a2f3c783d5d33b04af484ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe
Filesize
165KB

MD5
d8a652141be195333dd68e662b04c523

SHA1
266363bf92a157ca769f3cce33f13363cf94eb3f

SHA256
82e21c96880af14b90e7d8a688ec83c41bddcaa29ee05557b763795d1416ad39

SHA512
ce0d269674d139358b5068b3df7ccbae1e5470a031d3e59ac1ab68493438e51dc733a6be5d36854257d8d5d5e822a9ad421398cc0a2f3c783d5d33b04af484ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe
Filesize
165KB

MD5
d8a652141be195333dd68e662b04c523

SHA1
266363bf92a157ca769f3cce33f13363cf94eb3f

SHA256
82e21c96880af14b90e7d8a688ec83c41bddcaa29ee05557b763795d1416ad39

SHA512
ce0d269674d139358b5068b3df7ccbae1e5470a031d3e59ac1ab68493438e51dc733a6be5d36854257d8d5d5e822a9ad421398cc0a2f3c783d5d33b04af484ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000027.db.id[4E633C4D-3483].[[email protected]].8base
Filesize
92KB

MD5
68d6cc7909349b771788724c64341518

SHA1
266150f70fc9dc8b5b61b4abd28443982047ea60

SHA256
3d345e237e08e2045f7e142ced77edbb1e8ba6b92c365527e5e1d5c98dc13c4f

SHA512
d8445a8645f7a8cf9f8c69c03f7653bde308204d3727c91ba7f79db97292ab94136fad5c920be93a5fcf57da2c9487b480d3a3a0d89b6247281f7e76d6167cab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe
Filesize
165KB

MD5
a2f3d796dc2c2f474188db58d5ca7593

SHA1
dc88893abba370aab576dcc9bd60b5fc7bb5dd4e

SHA256
408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c

SHA512
9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe
Filesize
165KB

MD5
a2f3d796dc2c2f474188db58d5ca7593

SHA1
dc88893abba370aab576dcc9bd60b5fc7bb5dd4e

SHA256
408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c

SHA512
9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe
Filesize
165KB

MD5
a2f3d796dc2c2f474188db58d5ca7593

SHA1
dc88893abba370aab576dcc9bd60b5fc7bb5dd4e

SHA256
408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c

SHA512
9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Z69s9.exe
Filesize
165KB

MD5
771e03d1211a93261e4b5686aa911243

SHA1
d0b249fe34b8bdeac98712ac9dd37f340f287b4c

SHA256
18cbb36da4425cd9d142d75e9e07b02fddeede075bf6f4c9297d014a9163e342

SHA512
8aa08956338fbb5fe9f04126e09123e3fb5c512a73b00b843c517d9cd05695ff7d6df7e1bdea5621b1b660cec3e2a191ff68d10a1a12789a870dd8d49ad52ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Z69s9.exe
Filesize
165KB

MD5
771e03d1211a93261e4b5686aa911243

SHA1
d0b249fe34b8bdeac98712ac9dd37f340f287b4c

SHA256
18cbb36da4425cd9d142d75e9e07b02fddeede075bf6f4c9297d014a9163e342

SHA512
8aa08956338fbb5fe9f04126e09123e3fb5c512a73b00b843c517d9cd05695ff7d6df7e1bdea5621b1b660cec3e2a191ff68d10a1a12789a870dd8d49ad52ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\29D5.exe
Filesize
165KB

MD5
a2f3d796dc2c2f474188db58d5ca7593

SHA1
dc88893abba370aab576dcc9bd60b5fc7bb5dd4e

SHA256
408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c

SHA512
9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\29D5.exe
Filesize
165KB

MD5
a2f3d796dc2c2f474188db58d5ca7593

SHA1
dc88893abba370aab576dcc9bd60b5fc7bb5dd4e

SHA256
408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c

SHA512
9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\29D5.exe
Filesize
165KB

MD5
a2f3d796dc2c2f474188db58d5ca7593

SHA1
dc88893abba370aab576dcc9bd60b5fc7bb5dd4e

SHA256
408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c

SHA512
9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5366\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll
Filesize
5.5MB

MD5
d220973f7c8ca6e1ae835eca6e547df2

SHA1
bfaba046457e3278bf7f4d45d5436df10df92681

SHA256
632d2eae353347497600a2322db7073194c3eefa7394505d458df23071bb8b53

SHA512
266c995f635e07f272189fa0e9e44739dee23a8a17f3e9ae4dfa09c762cb5a0fafcf094e309620c6c217495be6169bc3407fdf864dcbd139f77e606f2db2a680

Download Submit
C:\Users\Admin\AppData\Local\Temp\5366\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
Filesize
18KB

MD5
cfe72ed40a076ae4f4157940ce0c5d44

SHA1
8010f7c746a7ba4864785f798f46ec05caae7ece

SHA256
6868894ab04d08956388a94a81016f03d5b7a7b1646c8a6235057a7e1e45de32

SHA512
f002afa2131d250dd6148d8372ce45f84283b8e1209e91720cee7aff497503d0e566bae3a83cd326701458230ae5c0e200eec617889393dd46ac00ff357ff1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5366\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
94f90fcd2b8f7f1df69224f845d9e9b7

SHA1
a09e3072cc581cf89adaf1aa20aa89b3af7bf987

SHA256
a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0

SHA512
51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5366\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml
Filesize
7KB

MD5
108f130067a9df1719c590316a5245f7

SHA1
79bb9a86e7a50c85214cd7e21719f0cb4155f58a

SHA256
c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874

SHA512
d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

Download Submit
C:\Users\Admin\AppData\Local\Temp\5366\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
94f90fcd2b8f7f1df69224f845d9e9b7

SHA1
a09e3072cc581cf89adaf1aa20aa89b3af7bf987

SHA256
a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0

SHA512
51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5366\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml
Filesize
7KB

MD5
108f130067a9df1719c590316a5245f7

SHA1
79bb9a86e7a50c85214cd7e21719f0cb4155f58a

SHA256
c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874

SHA512
d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

Download Submit
C:\Users\Admin\AppData\Local\Temp\5366\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll
Filesize
10KB

MD5
1097d1e58872f3cf58f78730a697ce4b

SHA1
96db4e4763a957b28dd80ec1e43eb27367869b86

SHA256
83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef

SHA512
b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

Download Submit
C:\Users\Admin\AppData\Local\Temp\5366\C\Windows\SysWOW64\WalletProxy.dll
Filesize
36KB

MD5
d09724c29a8f321f2f9c552de6ef6afa

SHA1
d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3

SHA256
23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c

SHA512
cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\5366\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll
Filesize
402KB

MD5
02557c141c9e153c2b7987b79a3a2dd7

SHA1
a054761382ee68608b6a3b62b68138dc205f576b

SHA256
207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4

SHA512
a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5366\C\Windows\System32\WalletBackgroundServiceProxy.dll
Filesize
10KB

MD5
1097d1e58872f3cf58f78730a697ce4b

SHA1
96db4e4763a957b28dd80ec1e43eb27367869b86

SHA256
83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef

SHA512
b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

Download Submit
C:\Users\Admin\AppData\Local\Temp\5366\C\Windows\System32\WalletProxy.dll
Filesize
36KB

MD5
d09724c29a8f321f2f9c552de6ef6afa

SHA1
d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3

SHA256
23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c

SHA512
cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\5366\C\Windows\System32\Windows.ApplicationModel.Wallet.dll
Filesize
402KB

MD5
02557c141c9e153c2b7987b79a3a2dd7

SHA1
a054761382ee68608b6a3b62b68138dc205f576b

SHA256
207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4

SHA512
a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.id[4E633C4D-3483].[[email protected]].8base
Filesize
52KB

MD5
26ec9f000816efe09f4f967ff56ab076

SHA1
5ebec883b5f4d5e77432672c271c3e3714cadb0e

SHA256
22cafb077954e220e107287359febf214c275ba24e56b5ab405cd355d37a120a

SHA512
ab98bd0145ca2365d9fd421dac444bba38b286074193eb38d8d02ed8a37c460c288795b697d038d443c808f84df0d21f8839ee6b41335eb873bcd990042d33b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\cookies.sqlite.id[4E633C4D-3483].[[email protected]].8base
Filesize
96KB

MD5
6640124557dc9a6cfc91acac6c726474

SHA1
ca4f00d0cba5adbbdca6d8c571949201350e025f

SHA256
61806e7cd53233de610add652627e221bf6532487d196581955ef05df69aaf83

SHA512
d5c0c24111faf604f4e0edcbc68a394809c9404d2942027ee29f712c1d3fdb2ebcb1f5d1e7623bca3476c22ee4a8b435120f3748f667d32dd0c1e656b30a57a9

Download Submit
C:\Users\Admin\AppData\Roaming\rcevgdd
Filesize
165KB

MD5
d8a652141be195333dd68e662b04c523

SHA1
266363bf92a157ca769f3cce33f13363cf94eb3f

SHA256
82e21c96880af14b90e7d8a688ec83c41bddcaa29ee05557b763795d1416ad39

SHA512
ce0d269674d139358b5068b3df7ccbae1e5470a031d3e59ac1ab68493438e51dc733a6be5d36854257d8d5d5e822a9ad421398cc0a2f3c783d5d33b04af484ea

Download Submit
C:\Users\Admin\AppData\Roaming\wfiahug
Filesize
438KB

MD5
650e2e3933ba7e005d71842aaf5b9bac

SHA1
8d31ce06a3c18a51ac135efda58dc3f6e587c215

SHA256
5d34c5d975766f27555e683ccfabb662886fbb1b9da42ea4670f176c5f04e105

SHA512
45e437d8040cbfc574cca4d1f752561c18735f4066e59cf2e0180588a8ab8db5400a23cbf6e067f1098c35923861bc73fa5246a70bc98bff134b01bb958d775a

Download Submit
C:\Users\Admin\Desktop\info.hta
Filesize
5KB

MD5
af4ead8c4b4ec6ee70a6614b9d196038

SHA1
35b084940f356f79a45ec2f3f743d048cf6e5aa4

SHA256
d7fdc29f4c08bf477e68d3fb396088f5108fbad8a72879188952c63fcec146fa

SHA512
b810cd96404b1554c4b0c06de999dfe51200e38d0b5604bc1f848e74b5cc22e5310d24e3c3e0f553d1154749724cfa0cd96e29ef0aee7bb4597eaf90981b3b47

Download Submit
C:\info.hta
Filesize
5KB

MD5
af4ead8c4b4ec6ee70a6614b9d196038

SHA1
35b084940f356f79a45ec2f3f743d048cf6e5aa4

SHA256
d7fdc29f4c08bf477e68d3fb396088f5108fbad8a72879188952c63fcec146fa

SHA512
b810cd96404b1554c4b0c06de999dfe51200e38d0b5604bc1f848e74b5cc22e5310d24e3c3e0f553d1154749724cfa0cd96e29ef0aee7bb4597eaf90981b3b47

Download Submit
C:\info.hta
Filesize
5KB

MD5
af4ead8c4b4ec6ee70a6614b9d196038

SHA1
35b084940f356f79a45ec2f3f743d048cf6e5aa4

SHA256
d7fdc29f4c08bf477e68d3fb396088f5108fbad8a72879188952c63fcec146fa

SHA512
b810cd96404b1554c4b0c06de999dfe51200e38d0b5604bc1f848e74b5cc22e5310d24e3c3e0f553d1154749724cfa0cd96e29ef0aee7bb4597eaf90981b3b47

Download Submit
C:\users\public\desktop\info.hta
Filesize
5KB

MD5
af4ead8c4b4ec6ee70a6614b9d196038

SHA1
35b084940f356f79a45ec2f3f743d048cf6e5aa4

SHA256
d7fdc29f4c08bf477e68d3fb396088f5108fbad8a72879188952c63fcec146fa

SHA512
b810cd96404b1554c4b0c06de999dfe51200e38d0b5604bc1f848e74b5cc22e5310d24e3c3e0f553d1154749724cfa0cd96e29ef0aee7bb4597eaf90981b3b47

Download Submit
F:\info.hta
Filesize
5KB

MD5
af4ead8c4b4ec6ee70a6614b9d196038

SHA1
35b084940f356f79a45ec2f3f743d048cf6e5aa4

SHA256
d7fdc29f4c08bf477e68d3fb396088f5108fbad8a72879188952c63fcec146fa

SHA512
b810cd96404b1554c4b0c06de999dfe51200e38d0b5604bc1f848e74b5cc22e5310d24e3c3e0f553d1154749724cfa0cd96e29ef0aee7bb4597eaf90981b3b47

Download Submit
memory/396-4319-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/396-4320-0x0000000000BB0000-0x0000000000BB7000-memory.dmp

Filesize
28KB

Download
memory/396-4321-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/860-6386-0x0000000000DF0000-0x0000000000DFB000-memory.dmp

Filesize
44KB

Download
memory/1132-4401-0x0000000000A70000-0x0000000000A74000-memory.dmp

Filesize
16KB

Download
memory/1132-5405-0x0000000000A70000-0x0000000000A74000-memory.dmp

Filesize
16KB

Download
memory/1132-4397-0x0000000000A60000-0x0000000000A69000-memory.dmp

Filesize
36KB

Download
memory/1132-4408-0x0000000000A60000-0x0000000000A69000-memory.dmp

Filesize
36KB

Download
memory/1308-5869-0x0000000000FC0000-0x0000000000FC9000-memory.dmp

Filesize
36KB

Download
memory/1308-5851-0x0000000000FC0000-0x0000000000FC9000-memory.dmp

Filesize
36KB

Download
memory/1332-168-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

Filesize
1.2MB

Download
memory/1332-164-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

Filesize
1.2MB

Download
memory/1332-169-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

Filesize
1.2MB

Download
memory/1332-190-0x00007FFDDD3F0000-0x00007FFDDD5E5000-memory.dmp

Filesize
2.0MB

Download
memory/1332-188-0x00007FFDDD3F0000-0x00007FFDDD5E5000-memory.dmp

Filesize
2.0MB

Download
memory/1332-175-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

Filesize
1.2MB

Download
memory/1332-174-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

Filesize
1.2MB

Download
memory/1332-173-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

Filesize
1.2MB

Download
memory/1332-172-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

Filesize
1.2MB

Download
memory/1332-144-0x000002316DF40000-0x000002316DF43000-memory.dmp

Filesize
12KB

Download
memory/1332-171-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

Filesize
1.2MB

Download
memory/1332-158-0x000002316DF40000-0x000002316DF43000-memory.dmp

Filesize
12KB

Download
memory/1332-170-0x00007FFDDD3F0000-0x00007FFDDD5E5000-memory.dmp

Filesize
2.0MB

Download
memory/1332-159-0x000002316E300000-0x000002316E307000-memory.dmp

Filesize
28KB

Download
memory/1332-161-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

Filesize
1.2MB

Download
memory/1332-160-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

Filesize
1.2MB

Download
memory/1332-162-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

Filesize
1.2MB

Download
memory/1332-189-0x000002316E300000-0x000002316E305000-memory.dmp

Filesize
20KB

Download
memory/1332-163-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

Filesize
1.2MB

Download
memory/1332-166-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

Filesize
1.2MB

Download
memory/1332-167-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

Filesize
1.2MB

Download
memory/1360-5633-0x0000000000EA0000-0x0000000000EA9000-memory.dmp

Filesize
36KB

Download
memory/1360-5667-0x0000000000EB0000-0x0000000000EB5000-memory.dmp

Filesize
20KB

Download
memory/1360-6409-0x0000000000EB0000-0x0000000000EB5000-memory.dmp

Filesize
20KB

Download
memory/1360-5668-0x0000000000EA0000-0x0000000000EA9000-memory.dmp

Filesize
36KB

Download
memory/1436-4822-0x00000000012A0000-0x00000000012A7000-memory.dmp

Filesize
28KB

Download
memory/1436-4821-0x0000000001290000-0x000000000129B000-memory.dmp

Filesize
44KB

Download
memory/1436-5642-0x00000000012A0000-0x00000000012A7000-memory.dmp

Filesize
28KB

Download
memory/1436-4823-0x0000000001290000-0x000000000129B000-memory.dmp

Filesize
44KB

Download
memory/1812-192-0x00000000005C0000-0x00000000005C5000-memory.dmp

Filesize
20KB

Download
memory/1812-193-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1812-205-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1812-191-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1916-5972-0x0000000000B50000-0x0000000000B5B000-memory.dmp

Filesize
44KB

Download
memory/1916-5987-0x0000000000B60000-0x0000000000B66000-memory.dmp

Filesize
24KB

Download
memory/1916-6028-0x0000000000B50000-0x0000000000B5B000-memory.dmp

Filesize
44KB

Download
memory/1940-5846-0x0000000000920000-0x0000000000929000-memory.dmp

Filesize
36KB

Download
memory/1940-140-0x0000000002570000-0x0000000002970000-memory.dmp

Filesize
4.0MB

Download
memory/1940-153-0x0000000003300000-0x0000000003336000-memory.dmp

Filesize
216KB

Download
memory/1940-156-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1940-157-0x0000000002570000-0x0000000002970000-memory.dmp

Filesize
4.0MB

Download
memory/1940-152-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1940-146-0x0000000003300000-0x0000000003336000-memory.dmp

Filesize
216KB

Download
memory/1940-154-0x0000000002570000-0x0000000002970000-memory.dmp

Filesize
4.0MB

Download
memory/1940-4824-0x0000000000910000-0x000000000091F000-memory.dmp

Filesize
60KB

Download
memory/1940-4829-0x0000000000920000-0x0000000000929000-memory.dmp

Filesize
36KB

Download
memory/1940-4837-0x0000000000910000-0x000000000091F000-memory.dmp

Filesize
60KB

Download
memory/1940-145-0x0000000002210000-0x0000000002281000-memory.dmp

Filesize
452KB

Download
memory/1940-143-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1940-134-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1940-135-0x0000000002210000-0x0000000002281000-memory.dmp

Filesize
452KB

Download
memory/1940-142-0x0000000002570000-0x0000000002970000-memory.dmp

Filesize
4.0MB

Download
memory/1940-141-0x0000000002570000-0x0000000002970000-memory.dmp

Filesize
4.0MB

Download
memory/1940-136-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1940-137-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1940-138-0x00000000022B0000-0x00000000022B7000-memory.dmp

Filesize
28KB

Download
memory/1940-139-0x0000000002570000-0x0000000002970000-memory.dmp

Filesize
4.0MB

Download
memory/2104-6353-0x0000000000AE0000-0x0000000000AE7000-memory.dmp

Filesize
28KB

Download
memory/2104-6356-0x0000000000AD0000-0x0000000000ADD000-memory.dmp

Filesize
52KB

Download
memory/2104-6342-0x0000000000AD0000-0x0000000000ADD000-memory.dmp

Filesize
52KB

Download
memory/3088-208-0x0000000002F60000-0x0000000002F76000-memory.dmp

Filesize
88KB

Download
memory/3392-663-0x0000000000600000-0x000000000060F000-memory.dmp

Filesize
60KB

Download
memory/3392-1868-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3392-4051-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3392-8567-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3392-200-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/3392-5852-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3392-201-0x0000000000600000-0x000000000060F000-memory.dmp

Filesize
60KB

Download
memory/3392-506-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/3392-785-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3392-202-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3708-4044-0x0000000000AC0000-0x0000000000B2B000-memory.dmp

Filesize
428KB

Download
memory/3708-4582-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/3708-4015-0x0000000000AC0000-0x0000000000B2B000-memory.dmp

Filesize
428KB

Download
memory/3708-4586-0x0000000000B60000-0x0000000000B6B000-memory.dmp

Filesize
44KB

Download
memory/3708-4634-0x0000000000B60000-0x0000000000B6B000-memory.dmp

Filesize
44KB

Download
memory/3708-4336-0x0000000000AC0000-0x0000000000B2B000-memory.dmp

Filesize
428KB

Download
memory/3708-4030-0x0000000000B30000-0x0000000000BA5000-memory.dmp

Filesize
468KB

Download
memory/3856-5070-0x0000000000B50000-0x0000000000B59000-memory.dmp

Filesize
36KB

Download
memory/3856-5088-0x0000000000B50000-0x0000000000B59000-memory.dmp

Filesize
36KB

Download
memory/3856-5868-0x0000000000B60000-0x0000000000B65000-memory.dmp

Filesize
20KB

Download
memory/3856-5079-0x0000000000B60000-0x0000000000B65000-memory.dmp

Filesize
20KB

Download
memory/3864-199-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3864-196-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3864-198-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3864-209-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4424-5407-0x0000000000780000-0x000000000078C000-memory.dmp

Filesize
48KB

Download
memory/4424-5406-0x0000000000790000-0x0000000000796000-memory.dmp

Filesize
24KB

Download
memory/4424-5404-0x0000000000780000-0x000000000078C000-memory.dmp

Filesize
48KB

Download
memory/4608-1980-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/4608-2045-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4736-195-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/4736-194-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/4736-5445-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/4736-5436-0x0000000000600000-0x0000000000604000-memory.dmp

Filesize
16KB

Download
memory/4736-5433-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/4868-5847-0x00000000005A0000-0x00000000005C7000-memory.dmp

Filesize
156KB

Download
memory/4868-5848-0x00000000005D0000-0x00000000005F1000-memory.dmp

Filesize
132KB

Download
memory/4868-5845-0x00000000005A0000-0x00000000005C7000-memory.dmp

Filesize
156KB

Download