lumma | eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771

Analysis

max time kernel
128s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2023 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exe
Size

164KB
MD5

1b94e6504da7365a7ac9e5f1c37ea714
SHA1

b2c784470f5400680f275943aacfcbef6cda5c88
SHA256

eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771
SHA512

6b86bdea9ed18fc11e32c0ce7e6883677fa5e3dfad053200e6757a51cc4b11a5adf0757853c9b4421796e7789d75af17c686ca513a9d442a7a0fa093920d012e
SSDEEP

3072:sSGL9TvjYP99HQjQQeTXE61nB1KpyehJqCFQUDjp5AJ:IL9jjYlaQ9E6B2yeHPOJ

Score

10^/10

lumma phobos rhadamanthys smokeloader systembc summ backdoor collection discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

summ

Extracted

Family

smokeloader

Version

2022

http://stalagmijesarl.com/

http://ukdantist-sarl.com/

http://cpcorprotationltd.com/

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Extracted

Family

lumma

gstatic-node.io

Extracted

Family

systembc

adstat477d.xyz:4044

demstat577d.xyz:4044

Signatures

Detect rhadamanthys stealer shellcode 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1904-200-0x0000000002330000-0x0000000002730000-memory.dmp	family_rhadamanthys
behavioral1/memory/1904-202-0x0000000002330000-0x0000000002730000-memory.dmp	family_rhadamanthys
behavioral1/memory/1904-203-0x0000000002330000-0x0000000002730000-memory.dmp	family_rhadamanthys
behavioral1/memory/1904-218-0x0000000002330000-0x0000000002730000-memory.dmp	family_rhadamanthys
behavioral1/memory/1904-221-0x0000000002330000-0x0000000002730000-memory.dmp	family_rhadamanthys

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

6CBF.exe

description pid process target process

PID 1904 created 3096 1904 6CBF.exe Explorer.EXE
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1700 bcdedit.exe
1496 bcdedit.exe
Renames multiple (327) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3016 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

776 netsh.exe
396 netsh.exe

description	pid	process	target process
PID 1904 created 3096	1904	6CBF.exe	Explorer.EXE

pid	process
1700	bcdedit.exe
1496	bcdedit.exe

pid	process
3016	wbadmin.exe

pid	process
776	netsh.exe
396	netsh.exe

Drops startup file 1 IoCs

Processes:

[email protected]

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\[email protected]	[email protected]

Executes dropped EXE 9 IoCs

Processes:

6CBF.exe76D2.exeg_K{pI9.exe[email protected]s3b%cr{ehH.exeg_K{pI9.exe[email protected]C75F.exeC9B2.exe

pid	process
1904	6CBF.exe
1284	76D2.exe
5084	g_K{pI9.exe
3884	[email protected]
4424	s3b%cr{ehH.exe
4928	g_K{pI9.exe
1904	[email protected]
1208	C75F.exe
904	C9B2.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

[email protected]

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\N@RGU = "C:\\Users\\Admin\\AppData\\Local\\[email protected]"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\N@RGU = "C:\\Users\\Admin\\AppData\\Local\\[email protected]"	[email protected]

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

Processes:

[email protected]

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	[email protected]
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3011986978-2180659500-3669311805-1000\desktop.ini	[email protected]
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3011986978-2180659500-3669311805-1000\desktop.ini	[email protected]
File opened for modification	C:\Program Files\desktop.ini	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

g_K{pI9.exe

description pid process target process

PID 5084 set thread context of 4928 5084 g_K{pI9.exe g_K{pI9.exe

description	pid	process	target process
PID 5084 set thread context of 4928	5084	g_K{pI9.exe	g_K{pI9.exe

Drops file in Program Files directory 64 IoCs

Processes:

[email protected]

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\ij.bat.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-progress-ui.jar	[email protected]
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms	[email protected]
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	[email protected]
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcr120.dll	[email protected]
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV	[email protected]
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationFramework.resources.dll	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\deployJava1.dll.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll	[email protected]
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\informix.xsl.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms	[email protected]
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\msvcr100.dll.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin	[email protected]
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml	[email protected]
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll	[email protected]
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-processthreads-l1-1-1.dll.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File created	C:\Program Files\Microsoft Office\root\vfs\SystemX86\msvcp140_1.dll.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File created	C:\Program Files\Microsoft Office\root\vreg\osmux.x-none.msi.16.x-none.vreg.dat.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File opened for modification	C:\Program Files\Common Files\System\ado\msado27.tlb	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms	[email protected]
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL078.XML.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\management.properties	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms	[email protected]
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QRYINT32.DLL	[email protected]
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File opened for modification	C:\Program Files\Mozilla Firefox\mozwer.dll	[email protected]
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Net.Resources.dll	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar	[email protected]
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ppd.xrm-ms.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\TEMPSITC.TTF	[email protected]
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	[email protected]
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\setEmbeddedCP	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms	[email protected]
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICB.TTF.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.DataSetExtensions.Resources.dll	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\currency.data	[email protected]
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\PowerPivotExcelClientAddIn.rll.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\office.x-none.msi.16.x-none.vreg.dat.id[E23E0A24-3483].[[email protected]].8base	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\proof.es-es.msi.16.es-es.vreg.dat	[email protected]
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	[email protected]

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1376	1904	WerFault.exe	6CBF.exe
1332	1284	WerFault.exe	76D2.exe
4948	1904	WerFault.exe	[email protected]
6112	1208	WerFault.exe	C75F.exe

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

g_K{pI9.exevds.exeeeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	g_K{pI9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	g_K{pI9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	g_K{pI9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

5028 vssadmin.exe

pid	process
5028	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exeExplorer.EXE

pid	process
1096	eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exe
1096	eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exe
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3096 Explorer.EXE

pid	process
3096	Explorer.EXE

Suspicious behavior: MapViewOfSection 30 IoCs

Processes:

eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exeExplorer.EXEg_K{pI9.exe

pid	process
1096	eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exe
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
4928	g_K{pI9.exe
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE
3096	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXE[email protected]vssvc.exeWMIC.exe

description	pid	process
Token: SeShutdownPrivilege	3096	Explorer.EXE
Token: SeCreatePagefilePrivilege	3096	Explorer.EXE
Token: SeShutdownPrivilege	3096	Explorer.EXE
Token: SeCreatePagefilePrivilege	3096	Explorer.EXE
Token: SeShutdownPrivilege	3096	Explorer.EXE
Token: SeCreatePagefilePrivilege	3096	Explorer.EXE
Token: SeShutdownPrivilege	3096	Explorer.EXE
Token: SeCreatePagefilePrivilege	3096	Explorer.EXE
Token: SeShutdownPrivilege	3096	Explorer.EXE
Token: SeCreatePagefilePrivilege	3096	Explorer.EXE
Token: SeShutdownPrivilege	3096	Explorer.EXE
Token: SeCreatePagefilePrivilege	3096	Explorer.EXE
Token: SeShutdownPrivilege	3096	Explorer.EXE
Token: SeCreatePagefilePrivilege	3096	Explorer.EXE
Token: SeShutdownPrivilege	3096	Explorer.EXE
Token: SeCreatePagefilePrivilege	3096	Explorer.EXE
Token: SeShutdownPrivilege	3096	Explorer.EXE
Token: SeCreatePagefilePrivilege	3096	Explorer.EXE
Token: SeDebugPrivilege	3884	[email protected]
Token: SeBackupPrivilege	5072	vssvc.exe
Token: SeRestorePrivilege	5072	vssvc.exe
Token: SeAuditPrivilege	5072	vssvc.exe
Token: SeShutdownPrivilege	3096	Explorer.EXE
Token: SeCreatePagefilePrivilege	3096	Explorer.EXE
Token: SeShutdownPrivilege	3096	Explorer.EXE
Token: SeCreatePagefilePrivilege	3096	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	652	WMIC.exe
Token: SeSecurityPrivilege	652	WMIC.exe
Token: SeTakeOwnershipPrivilege	652	WMIC.exe
Token: SeLoadDriverPrivilege	652	WMIC.exe
Token: SeSystemProfilePrivilege	652	WMIC.exe
Token: SeSystemtimePrivilege	652	WMIC.exe
Token: SeProfSingleProcessPrivilege	652	WMIC.exe
Token: SeIncBasePriorityPrivilege	652	WMIC.exe
Token: SeCreatePagefilePrivilege	652	WMIC.exe
Token: SeBackupPrivilege	652	WMIC.exe
Token: SeRestorePrivilege	652	WMIC.exe
Token: SeShutdownPrivilege	652	WMIC.exe
Token: SeDebugPrivilege	652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	652	WMIC.exe
Token: SeRemoteShutdownPrivilege	652	WMIC.exe
Token: SeUndockPrivilege	652	WMIC.exe
Token: SeManageVolumePrivilege	652	WMIC.exe
Token: 33	652	WMIC.exe
Token: 34	652	WMIC.exe
Token: 35	652	WMIC.exe
Token: 36	652	WMIC.exe
Token: SeIncreaseQuotaPrivilege	652	WMIC.exe
Token: SeSecurityPrivilege	652	WMIC.exe
Token: SeTakeOwnershipPrivilege	652	WMIC.exe
Token: SeLoadDriverPrivilege	652	WMIC.exe
Token: SeSystemProfilePrivilege	652	WMIC.exe
Token: SeSystemtimePrivilege	652	WMIC.exe
Token: SeProfSingleProcessPrivilege	652	WMIC.exe
Token: SeIncBasePriorityPrivilege	652	WMIC.exe
Token: SeCreatePagefilePrivilege	652	WMIC.exe
Token: SeBackupPrivilege	652	WMIC.exe
Token: SeRestorePrivilege	652	WMIC.exe
Token: SeShutdownPrivilege	652	WMIC.exe
Token: SeDebugPrivilege	652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	652	WMIC.exe
Token: SeRemoteShutdownPrivilege	652	WMIC.exe
Token: SeUndockPrivilege	652	WMIC.exe
Token: SeManageVolumePrivilege	652	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Explorer.EXE6CBF.exeg_K{pI9.exe[email protected]cmd.execmd.exe

description	pid	process	target process
PID 3096 wrote to memory of 1904	3096	Explorer.EXE	6CBF.exe
PID 3096 wrote to memory of 1904	3096	Explorer.EXE	6CBF.exe
PID 3096 wrote to memory of 1904	3096	Explorer.EXE	6CBF.exe
PID 3096 wrote to memory of 1284	3096	Explorer.EXE	76D2.exe
PID 3096 wrote to memory of 1284	3096	Explorer.EXE	76D2.exe
PID 3096 wrote to memory of 1284	3096	Explorer.EXE	76D2.exe
PID 3096 wrote to memory of 4384	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 4384	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 4384	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 4384	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 3224	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 3224	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 3224	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 988	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 988	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 988	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 988	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 3916	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 3916	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 3916	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 1316	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 1316	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 1316	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 1316	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 1408	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 1408	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 1408	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 1408	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 2872	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 2872	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 2872	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 2872	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 1800	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 1800	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 1800	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 3412	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 3412	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 3412	3096	Explorer.EXE	explorer.exe
PID 3096 wrote to memory of 3412	3096	Explorer.EXE	explorer.exe
PID 1904 wrote to memory of 4344	1904	6CBF.exe	certreq.exe
PID 1904 wrote to memory of 4344	1904	6CBF.exe	certreq.exe
PID 1904 wrote to memory of 4344	1904	6CBF.exe	certreq.exe
PID 1904 wrote to memory of 4344	1904	6CBF.exe	certreq.exe
PID 5084 wrote to memory of 4928	5084	g_K{pI9.exe	g_K{pI9.exe
PID 5084 wrote to memory of 4928	5084	g_K{pI9.exe	g_K{pI9.exe
PID 5084 wrote to memory of 4928	5084	g_K{pI9.exe	g_K{pI9.exe
PID 5084 wrote to memory of 4928	5084	g_K{pI9.exe	g_K{pI9.exe
PID 5084 wrote to memory of 4928	5084	g_K{pI9.exe	g_K{pI9.exe
PID 5084 wrote to memory of 4928	5084	g_K{pI9.exe	g_K{pI9.exe
PID 3884 wrote to memory of 1396	3884	[email protected]	cmd.exe
PID 3884 wrote to memory of 1396	3884	[email protected]	cmd.exe
PID 3884 wrote to memory of 1464	3884	[email protected]	cmd.exe
PID 3884 wrote to memory of 1464	3884	[email protected]	cmd.exe
PID 1464 wrote to memory of 396	1464	cmd.exe	netsh.exe
PID 1464 wrote to memory of 396	1464	cmd.exe	netsh.exe
PID 1396 wrote to memory of 5028	1396	cmd.exe	vssadmin.exe
PID 1396 wrote to memory of 5028	1396	cmd.exe	vssadmin.exe
PID 1464 wrote to memory of 776	1464	cmd.exe	netsh.exe
PID 1464 wrote to memory of 776	1464	cmd.exe	netsh.exe
PID 1396 wrote to memory of 652	1396	cmd.exe	WMIC.exe
PID 1396 wrote to memory of 652	1396	cmd.exe	WMIC.exe
PID 1396 wrote to memory of 1700	1396	cmd.exe	bcdedit.exe
PID 1396 wrote to memory of 1700	1396	cmd.exe	bcdedit.exe
PID 1396 wrote to memory of 1496	1396	cmd.exe	bcdedit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096

C:\Users\Admin\AppData\Local\Temp\eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exe
"C:\Users\Admin\AppData\Local\Temp\eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1096

C:\Users\Admin\AppData\Local\Temp\6CBF.exe
C:\Users\Admin\AppData\Local\Temp\6CBF.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 952
3⤵
- Program crash
PID:1376

C:\Users\Admin\AppData\Local\Temp\76D2.exe
C:\Users\Admin\AppData\Local\Temp\76D2.exe
2⤵
- Executes dropped EXE
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 3436
3⤵
- Program crash
PID:1332

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4384

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3224

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:988

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3916

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1316

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1408

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2872

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1800

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3412

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
PID:4344

C:\Users\Admin\AppData\Local\Temp\C75F.exe
C:\Users\Admin\AppData\Local\Temp\C75F.exe
2⤵
- Executes dropped EXE
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 592
3⤵
- Program crash
PID:6112

C:\Users\Admin\AppData\Local\Temp\C9B2.exe
C:\Users\Admin\AppData\Local\Temp\C9B2.exe
2⤵
- Executes dropped EXE
PID:904

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4560

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3920

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2196

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3624

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1472

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4340

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2172

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1020

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3956

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3624

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:5252

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:5156

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2580

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1908

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:5316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1904 -ip 1904
1⤵
PID:1660

C:\Users\Admin\AppData\Local\Microsoft\g_K{pI9.exe
"C:\Users\Admin\AppData\Local\Microsoft\g_K{pI9.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5084

C:\Users\Admin\AppData\Local\Microsoft\g_K{pI9.exe
"C:\Users\Admin\AppData\Local\Microsoft\g_K{pI9.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4928

C:\Users\Admin\AppData\Local\Microsoft\[email protected]
"C:\Users\Admin\AppData\Local\Microsoft\[email protected]"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3884

C:\Users\Admin\AppData\Local\Microsoft\[email protected]
"C:\Users\Admin\AppData\Local\Microsoft\[email protected]"
2⤵
- Executes dropped EXE
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 288
3⤵
- Program crash
PID:4948

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:396

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:776

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:5028

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:1700

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:1496

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:3016

C:\Users\Admin\AppData\Local\Microsoft\s3b%cr{ehH.exe
"C:\Users\Admin\AppData\Local\Microsoft\s3b%cr{ehH.exe"
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1284 -ip 1284
1⤵
PID:2460

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:4336

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:284

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1904 -ip 1904
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1208 -ip 1208
1⤵
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[E23E0A24-3483].[[email protected]].8base
Filesize
3.2MB

MD5
65d85994a3ddac0f5fdb58497b4b0432

SHA1
2ab671021ff8062f4d87b9366a0cd352bfb7c4bf

SHA256
fad3b5e2c868717f2b4fc04bb968047386e59a1fd9583c51bb1498f40f9f991b

SHA512
0972f4a54cdbc1e6cc8d53978cf9d2adba8139a1b93cbbe28ac1b343b4321078f56d12bd499508ba941633803b4e5e7f901a0ac6dff44b51dbe74fc2363fa993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\[email protected]
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\[email protected]
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\[email protected]
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Filesize
1022B

MD5
8e361d0a2847f22c1e9548bf12f94c27

SHA1
0984b528f982bd872cdb1a3eece5c14c623cdbb5

SHA256
961b71fdda8966e64d1e47fd88e3790e8d9b302c21d13ba8bd25598287352de6

SHA512
53b5f6c9dd56040e900c0874d618eea60ba8b53b00eee16c05d8d2ea1ad37322e78f0adcf13763b664598adca591dbdddd09a4f16e632b7012980472b78ece30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000026.db.id[E23E0A24-3483].[[email protected]].8base
Filesize
92KB

MD5
880a4b202cc8e647aa7458e8bb2b2237

SHA1
3e8b6086f2d7057c6c645df001284fb9f5b0a83f

SHA256
5796f5208a60d9a2f370e1e7cb35f737be00b1c3b617d9b0c8201122e1dd707d

SHA512
fc6b1c7f69a83f18523f4473cf7f8affacc43af90eeb81f9ea196d36336461a40b5ee9dfa8f1e20bfce084c6c429e00054a4efbce64c43b3738ad38a93159475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\g_K{pI9.exe
Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\g_K{pI9.exe
Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\g_K{pI9.exe
Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\s3b%cr{ehH.exe
Filesize
164KB

MD5
6ac14216327dcfb60b33ebd914f62769

SHA1
d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b

SHA256
25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9

SHA512
6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\s3b%cr{ehH.exe
Filesize
164KB

MD5
6ac14216327dcfb60b33ebd914f62769

SHA1
d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b

SHA256
25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9

SHA512
6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CBF.exe
Filesize
374KB

MD5
aaf3d68aeea347268ede50e621ca21ce

SHA1
0e7c0e38a200a9ea3af663dfd33941cc5e1657c9

SHA256
09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416

SHA512
61416225031cbb74114ee61e3f7ce697e73423c75a0f2e96f51557b3d289ad868034e2e07ead926cd12a95b524ed37cf1626dc75dc99c47fac9cb8f843002bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CBF.exe
Filesize
374KB

MD5
aaf3d68aeea347268ede50e621ca21ce

SHA1
0e7c0e38a200a9ea3af663dfd33941cc5e1657c9

SHA256
09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416

SHA512
61416225031cbb74114ee61e3f7ce697e73423c75a0f2e96f51557b3d289ad868034e2e07ead926cd12a95b524ed37cf1626dc75dc99c47fac9cb8f843002bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\76D2.exe
Filesize
290KB

MD5
6d35d4cb11e99f8645441b0f1f96da3d

SHA1
3b6e12da0c1c37d38db867ab6330ace34461c56a

SHA256
9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204

SHA512
01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\76D2.exe
Filesize
290KB

MD5
6d35d4cb11e99f8645441b0f1f96da3d

SHA1
3b6e12da0c1c37d38db867ab6330ace34461c56a

SHA256
9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204

SHA512
01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\C75F.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Temp\C75F.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Temp\C75F.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9B2.exe
Filesize
164KB

MD5
6ac14216327dcfb60b33ebd914f62769

SHA1
d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b

SHA256
25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9

SHA512
6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9B2.exe
Filesize
164KB

MD5
6ac14216327dcfb60b33ebd914f62769

SHA1
d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b

SHA256
25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9

SHA512
6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\F43A\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll
Filesize
5.5MB

MD5
f1223e2d6945c19a9fe18589c11476e2

SHA1
ba025bccef36cbc981dc3ebf5b68d4f6d3c45150

SHA256
c91da68001ea06826f90944bead448c8e480689c5c81967c1e640c6711b9c356

SHA512
f6222a1f326e37d0cb44d49b66c344a5765eaf08fecc1af3b13914dd712b8a0dc80d57382b3f6e2032e77e9e5ff0893567bf22e4762f1bff7bf033ec77921ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\F43A\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
Filesize
18KB

MD5
cfe72ed40a076ae4f4157940ce0c5d44

SHA1
8010f7c746a7ba4864785f798f46ec05caae7ece

SHA256
6868894ab04d08956388a94a81016f03d5b7a7b1646c8a6235057a7e1e45de32

SHA512
f002afa2131d250dd6148d8372ce45f84283b8e1209e91720cee7aff497503d0e566bae3a83cd326701458230ae5c0e200eec617889393dd46ac00ff357ff1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F43A\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
94f90fcd2b8f7f1df69224f845d9e9b7

SHA1
a09e3072cc581cf89adaf1aa20aa89b3af7bf987

SHA256
a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0

SHA512
51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\F43A\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml
Filesize
7KB

MD5
108f130067a9df1719c590316a5245f7

SHA1
79bb9a86e7a50c85214cd7e21719f0cb4155f58a

SHA256
c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874

SHA512
d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

Download Submit
C:\Users\Admin\AppData\Local\Temp\F43A\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
94f90fcd2b8f7f1df69224f845d9e9b7

SHA1
a09e3072cc581cf89adaf1aa20aa89b3af7bf987

SHA256
a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0

SHA512
51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\F43A\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml
Filesize
7KB

MD5
108f130067a9df1719c590316a5245f7

SHA1
79bb9a86e7a50c85214cd7e21719f0cb4155f58a

SHA256
c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874

SHA512
d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

Download Submit
C:\Users\Admin\AppData\Local\Temp\F43A\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll
Filesize
10KB

MD5
1097d1e58872f3cf58f78730a697ce4b

SHA1
96db4e4763a957b28dd80ec1e43eb27367869b86

SHA256
83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef

SHA512
b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

Download Submit
C:\Users\Admin\AppData\Local\Temp\F43A\C\Windows\SysWOW64\WalletProxy.dll
Filesize
36KB

MD5
d09724c29a8f321f2f9c552de6ef6afa

SHA1
d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3

SHA256
23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c

SHA512
cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\F43A\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll
Filesize
402KB

MD5
02557c141c9e153c2b7987b79a3a2dd7

SHA1
a054761382ee68608b6a3b62b68138dc205f576b

SHA256
207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4

SHA512
a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\F43A\C\Windows\System32\WalletBackgroundServiceProxy.dll
Filesize
10KB

MD5
1097d1e58872f3cf58f78730a697ce4b

SHA1
96db4e4763a957b28dd80ec1e43eb27367869b86

SHA256
83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef

SHA512
b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

Download Submit
C:\Users\Admin\AppData\Local\Temp\F43A\C\Windows\System32\WalletProxy.dll
Filesize
36KB

MD5
d09724c29a8f321f2f9c552de6ef6afa

SHA1
d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3

SHA256
23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c

SHA512
cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\F43A\C\Windows\System32\Windows.ApplicationModel.Wallet.dll
Filesize
402KB

MD5
02557c141c9e153c2b7987b79a3a2dd7

SHA1
a054761382ee68608b6a3b62b68138dc205f576b

SHA256
207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4

SHA512
a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hw21aoqh.default-release\cookies.sqlite.id[E23E0A24-3483].[[email protected]].8base
Filesize
96KB

MD5
215f00a6efaffe691769e01b90666ead

SHA1
2f5b65ed36614a6447df7e8f7dfe1ee9f71edeed

SHA256
4fce73a651415b930b4c9e42c6c37b16779cfa2c1235a124ccda1520f9fc7d82

SHA512
0a77341d387737e0c145804c9c39ac0b6a9da8b707116d79603c0c35fb391d90a3b4a0a8a921c4e4ea29ef9e2495d0f8e83061c2c7fce59088ca94f8a01b1ab5

Download Submit
C:\Users\Admin\AppData\Roaming\fhhebau
Filesize
157KB

MD5
e43d1dd874f3202ff1baabca8a1d2170

SHA1
3ffa9db0985b82f07fcdf174c877f712825ad544

SHA256
d11e8d1ec3ab840915963d65be91d0b5e5e29840469d0dac33c020be99161cbc

SHA512
22cf518e3a635f7dcf0aeb69923afa156f181eb746b4837afd020fff8c1dda8e62ea80111272e766872ea4899dc32d947c63cad48df4b498a4516d20b2a0fb05

Download Submit
C:\Users\Admin\AppData\Roaming\fjhirug
Filesize
438KB

MD5
7fec436708c150a9a0b7927c9775f7d1

SHA1
3f50ed0da6610205251cbf99acfaf08c62da8e8c

SHA256
8e93810e44af88a8e8cfe5ede34764eda39f0244fcc7c963ca484efa6264be20

SHA512
b5bf05cb44d32848d52216f206268d75bb221767bcf3896af4ca67d42a3a0afb4ae98d63860e6212b6463a07289381d1f04d79befe641b14e11522291892b1fd

Download Submit
C:\Users\Admin\AppData\Roaming\gcvcdva
Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\AppData\Roaming\jivcdva
Filesize
164KB

MD5
1b94e6504da7365a7ac9e5f1c37ea714

SHA1
b2c784470f5400680f275943aacfcbef6cda5c88

SHA256
eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771

SHA512
6b86bdea9ed18fc11e32c0ce7e6883677fa5e3dfad053200e6757a51cc4b11a5adf0757853c9b4421796e7789d75af17c686ca513a9d442a7a0fa093920d012e

Download Submit
memory/988-166-0x0000000000AB0000-0x0000000000AB9000-memory.dmp

Filesize
36KB

Download
memory/988-183-0x0000000000AC0000-0x0000000000AC5000-memory.dmp

Filesize
20KB

Download
memory/988-167-0x0000000000AC0000-0x0000000000AC5000-memory.dmp

Filesize
20KB

Download
memory/988-168-0x0000000000AB0000-0x0000000000AB9000-memory.dmp

Filesize
36KB

Download
memory/1096-140-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1096-135-0x0000000000540000-0x0000000000549000-memory.dmp

Filesize
36KB

Download
memory/1096-142-0x0000000000540000-0x0000000000549000-memory.dmp

Filesize
36KB

Download
memory/1096-134-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/1096-137-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1096-136-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1284-196-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/1284-197-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/1284-198-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1284-216-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/1284-223-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1284-259-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1316-173-0x0000000000B50000-0x0000000000B72000-memory.dmp

Filesize
136KB

Download
memory/1316-172-0x0000000000B20000-0x0000000000B47000-memory.dmp

Filesize
156KB

Download
memory/1316-174-0x0000000000B20000-0x0000000000B47000-memory.dmp

Filesize
156KB

Download
memory/1316-189-0x0000000000B50000-0x0000000000B72000-memory.dmp

Filesize
136KB

Download
memory/1408-194-0x0000000000430000-0x0000000000439000-memory.dmp

Filesize
36KB

Download
memory/1408-177-0x0000000000440000-0x0000000000445000-memory.dmp

Filesize
20KB

Download
memory/1408-176-0x0000000000430000-0x0000000000439000-memory.dmp

Filesize
36KB

Download
memory/1472-5927-0x0000000000D20000-0x0000000000D2B000-memory.dmp

Filesize
44KB

Download
memory/1800-201-0x00000000009D0000-0x00000000009D7000-memory.dmp

Filesize
28KB

Download
memory/1800-182-0x00000000009C0000-0x00000000009CD000-memory.dmp

Filesize
52KB

Download
memory/1800-184-0x00000000009D0000-0x00000000009D7000-memory.dmp

Filesize
28KB

Download
memory/1800-185-0x00000000009C0000-0x00000000009CD000-memory.dmp

Filesize
52KB

Download
memory/1904-188-0x0000000002070000-0x00000000020E1000-memory.dmp

Filesize
452KB

Download
memory/1904-199-0x0000000000770000-0x0000000000777000-memory.dmp

Filesize
28KB

Download
memory/1904-206-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1904-205-0x0000000002070000-0x00000000020E1000-memory.dmp

Filesize
452KB

Download
memory/1904-204-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/1904-203-0x0000000002330000-0x0000000002730000-memory.dmp

Filesize
4.0MB

Download
memory/1904-202-0x0000000002330000-0x0000000002730000-memory.dmp

Filesize
4.0MB

Download
memory/1904-221-0x0000000002330000-0x0000000002730000-memory.dmp

Filesize
4.0MB

Download
memory/1904-200-0x0000000002330000-0x0000000002730000-memory.dmp

Filesize
4.0MB

Download
memory/1904-209-0x0000000003130000-0x0000000003166000-memory.dmp

Filesize
216KB

Download
memory/1904-2492-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1904-217-0x0000000003130000-0x0000000003166000-memory.dmp

Filesize
216KB

Download
memory/1904-220-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1904-2495-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1904-190-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1904-187-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/1904-218-0x0000000002330000-0x0000000002730000-memory.dmp

Filesize
4.0MB

Download
memory/2196-5540-0x0000000000B20000-0x0000000000B29000-memory.dmp

Filesize
36KB

Download
memory/2872-181-0x0000000000D80000-0x0000000000D8B000-memory.dmp

Filesize
44KB

Download
memory/2872-195-0x0000000000D90000-0x0000000000D96000-memory.dmp

Filesize
24KB

Download
memory/2872-178-0x0000000000D80000-0x0000000000D8B000-memory.dmp

Filesize
44KB

Download
memory/2872-180-0x0000000000D90000-0x0000000000D96000-memory.dmp

Filesize
24KB

Download
memory/3096-271-0x0000000008E90000-0x0000000008EA6000-memory.dmp

Filesize
88KB

Download
memory/3096-138-0x0000000002E80000-0x0000000002E96000-memory.dmp

Filesize
88KB

Download
memory/3224-164-0x0000000000790000-0x0000000000799000-memory.dmp

Filesize
36KB

Download
memory/3224-179-0x0000000000790000-0x0000000000799000-memory.dmp

Filesize
36KB

Download
memory/3224-163-0x0000000000780000-0x000000000078F000-memory.dmp

Filesize
60KB

Download
memory/3224-165-0x0000000000780000-0x000000000078F000-memory.dmp

Filesize
60KB

Download
memory/3412-208-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/3412-192-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/3412-193-0x0000000000B20000-0x0000000000B2B000-memory.dmp

Filesize
44KB

Download
memory/3412-191-0x0000000000B20000-0x0000000000B2B000-memory.dmp

Filesize
44KB

Download
memory/3624-5731-0x00000000004F0000-0x00000000004FB000-memory.dmp

Filesize
44KB

Download
memory/3884-734-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3884-266-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/3884-267-0x0000000000630000-0x000000000063F000-memory.dmp

Filesize
60KB

Download
memory/3884-268-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3884-4657-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3884-576-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3884-2657-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3884-725-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/3916-169-0x0000000000E30000-0x0000000000E3C000-memory.dmp

Filesize
48KB

Download
memory/3916-170-0x0000000000E40000-0x0000000000E46000-memory.dmp

Filesize
24KB

Download
memory/3916-171-0x0000000000E30000-0x0000000000E3C000-memory.dmp

Filesize
48KB

Download
memory/3916-186-0x0000000000E40000-0x0000000000E46000-memory.dmp

Filesize
24KB

Download
memory/3920-5401-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/4344-229-0x00007FF4810B0000-0x00007FF4811DD000-memory.dmp

Filesize
1.2MB

Download
memory/4344-228-0x00007FF4810B0000-0x00007FF4811DD000-memory.dmp

Filesize
1.2MB

Download
memory/4344-207-0x000002050F590000-0x000002050F593000-memory.dmp

Filesize
12KB

Download
memory/4344-224-0x000002050F590000-0x000002050F593000-memory.dmp

Filesize
12KB

Download
memory/4344-225-0x000002050F950000-0x000002050F957000-memory.dmp

Filesize
28KB

Download
memory/4344-226-0x00007FF4810B0000-0x00007FF4811DD000-memory.dmp

Filesize
1.2MB

Download
memory/4344-227-0x00007FF4810B0000-0x00007FF4811DD000-memory.dmp

Filesize
1.2MB

Download
memory/4344-230-0x00007FF4810B0000-0x00007FF4811DD000-memory.dmp

Filesize
1.2MB

Download
memory/4344-232-0x00007FF4810B0000-0x00007FF4811DD000-memory.dmp

Filesize
1.2MB

Download
memory/4344-234-0x00007FF4810B0000-0x00007FF4811DD000-memory.dmp

Filesize
1.2MB

Download
memory/4344-235-0x00007FF4810B0000-0x00007FF4811DD000-memory.dmp

Filesize
1.2MB

Download
memory/4344-260-0x00007FFA8C6B0000-0x00007FFA8C8A5000-memory.dmp

Filesize
2.0MB

Download
memory/4344-258-0x000002050F950000-0x000002050F955000-memory.dmp

Filesize
20KB

Download
memory/4344-252-0x00007FFA8C6B0000-0x00007FFA8C8A5000-memory.dmp

Filesize
2.0MB

Download
memory/4344-243-0x00007FF4810B0000-0x00007FF4811DD000-memory.dmp

Filesize
1.2MB

Download
memory/4344-241-0x00007FF4810B0000-0x00007FF4811DD000-memory.dmp

Filesize
1.2MB

Download
memory/4344-240-0x00007FF4810B0000-0x00007FF4811DD000-memory.dmp

Filesize
1.2MB

Download
memory/4344-239-0x00007FF4810B0000-0x00007FF4811DD000-memory.dmp

Filesize
1.2MB

Download
memory/4344-238-0x00007FF4810B0000-0x00007FF4811DD000-memory.dmp

Filesize
1.2MB

Download
memory/4344-237-0x00007FFA8C6B0000-0x00007FFA8C8A5000-memory.dmp

Filesize
2.0MB

Download
memory/4344-236-0x00007FF4810B0000-0x00007FF4811DD000-memory.dmp

Filesize
1.2MB

Download
memory/4384-161-0x0000000001000000-0x000000000100B000-memory.dmp

Filesize
44KB

Download
memory/4384-160-0x0000000001010000-0x0000000001017000-memory.dmp

Filesize
28KB

Download
memory/4384-162-0x0000000001000000-0x000000000100B000-memory.dmp

Filesize
44KB

Download
memory/4384-175-0x0000000001010000-0x0000000001017000-memory.dmp

Filesize
28KB

Download
memory/4424-2493-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/4424-774-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4424-699-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/4424-716-0x0000000000720000-0x0000000000725000-memory.dmp

Filesize
20KB

Download
memory/4560-5138-0x0000000000380000-0x00000000003EB000-memory.dmp

Filesize
428KB

Download
memory/4928-263-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4928-272-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4928-265-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5084-261-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/5084-262-0x0000000000580000-0x0000000000589000-memory.dmp

Filesize
36KB

Download