phobos | c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482

Analysis

max time kernel
75s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2023 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe
Size

374KB
MD5

11715c27335a026129dfc1695ebc8888
SHA1

0ffaa4f65fbf2bc0750b972621f37c787b0231e2
SHA256

c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482
SHA512

f7743e16fa619a90cb2c216bc46e2f3b10973e2d3aeb81be27d284e52758cc6fd204dc0babef2bfd01e8bfdc12e70c35dd0f50472f06635f489d2db8060b1220
SSDEEP

6144:QtLsBkjsroZJCTfQtzrmGaLOLn10TCvDuNcwnkOrpbMfBjiOQDvFp:ggAsrowTfQFrLdLWYecxqpmuOQv7

Score

10^/10

phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Extracted

Family

systembc

adstat477d.xyz:4044

demstat577d.xyz:4044

Signatures

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2708-139-0x0000000002370000-0x0000000002770000-memory.dmp	family_rhadamanthys
behavioral1/memory/2708-140-0x0000000002370000-0x0000000002770000-memory.dmp	family_rhadamanthys
behavioral1/memory/2708-141-0x0000000002370000-0x0000000002770000-memory.dmp	family_rhadamanthys
behavioral1/memory/2708-142-0x0000000002370000-0x0000000002770000-memory.dmp	family_rhadamanthys
behavioral1/memory/2708-154-0x0000000002370000-0x0000000002770000-memory.dmp	family_rhadamanthys
behavioral1/memory/2708-157-0x0000000002370000-0x0000000002770000-memory.dmp	family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe

description pid process target process

PID 2708 created 3140 2708 c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe Explorer.EXE
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3716 bcdedit.exe
4432 bcdedit.exe
Renames multiple (87) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

552 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

2620 netsh.exe
4320 netsh.exe
Drops startup file 1 IoCs

Processes:

E~M.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\E~M.exe E~M.exe
Executes dropped EXE 5 IoCs

Processes:

oeE3.exeE~M.exe2jU6fH.exeoeE3.exeE~M.exe

pid process

3820 oeE3.exe
3048 E~M.exe
2260 2jU6fH.exe
3516 oeE3.exe
2652 E~M.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 2708 created 3140	2708	c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe	Explorer.EXE

pid	process
3716	bcdedit.exe
4432	bcdedit.exe

pid	process
552	wbadmin.exe

pid	process
2620	netsh.exe
4320	netsh.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\E~M.exe	E~M.exe

pid	process
3820	oeE3.exe
3048	E~M.exe
2260	2jU6fH.exe
3516	oeE3.exe
2652	E~M.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

E~M.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E~M = "C:\\Users\\Admin\\AppData\\Local\\E~M.exe"	E~M.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E~M = "C:\\Users\\Admin\\AppData\\Local\\E~M.exe"	E~M.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

E~M.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	E~M.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-618519468-4027732583-1827558364-1000\desktop.ini	E~M.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-618519468-4027732583-1827558364-1000\desktop.ini	E~M.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

oeE3.exe

description pid process target process

PID 3820 set thread context of 3516 3820 oeE3.exe oeE3.exe

description	pid	process	target process
PID 3820 set thread context of 3516	3820	oeE3.exe	oeE3.exe

Drops file in Program Files directory 64 IoCs

Processes:

E~M.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.zh_CN_5.5.0.165303.jar	E~M.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml	E~M.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar	E~M.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\classfile_constants.h.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_ja.jar	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll	E~M.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\uk.pak.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\prism_d3d.dll.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	E~M.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\ij	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	E~M.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core_0.10.100.v20140424-2042.jar.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_zh_4.4.0.v20140623020002.jar.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-modules.jar	E~M.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png	E~M.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_zh_CN.jar	E~M.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\splashscreen.dll	E~M.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadce.dll	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_ja.jar.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml	E~M.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\management-agent.jar.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbynet.jar	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-actions_zh_CN.jar.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\jfluid-server_ja.jar	E~M.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml	E~M.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar	E~M.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_ja.jar	E~M.exe
File created	C:\Program Files\Java\jre1.8.0_66\release.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.ecore.xmi_2.10.1.v20140901-1043.jar	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.rcp_4.3.100.v20141007-2301.jar.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-dialogs_ja.jar	E~M.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\fxplugins.dll	E~M.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jsse.jar	E~M.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\preloaded_data.pb.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-ui.jar.id[3107CCA1-3483].[[email protected]].8base	E~M.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css	E~M.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_zh_CN.jar.id[3107CCA1-3483].[[email protected]].8base	E~M.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2184 2708 WerFault.exe c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe
284 2652 WerFault.exe E~M.exe

pid	pid_target	process	target process
2184	2708	WerFault.exe	c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe
284	2652	WerFault.exe	E~M.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

oeE3.exevds.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	oeE3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	oeE3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	oeE3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3544 vssadmin.exe

pid	process
3544	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.execertreq.exeoeE3.exeExplorer.EXEE~M.exe

pid	process
2708	c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe
2708	c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe
2708	c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe
2708	c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe
1796	certreq.exe
1796	certreq.exe
1796	certreq.exe
1796	certreq.exe
3516	oeE3.exe
3516	oeE3.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3048	E~M.exe
3048	E~M.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3048	E~M.exe
3048	E~M.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3048	E~M.exe
3048	E~M.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3048	E~M.exe
3048	E~M.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

oeE3.exe

pid process

3516 oeE3.exe

pid	process
3516	oeE3.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

E~M.exevssvc.exeExplorer.EXEWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	3048	E~M.exe
Token: SeBackupPrivilege	1548	vssvc.exe
Token: SeRestorePrivilege	1548	vssvc.exe
Token: SeAuditPrivilege	1548	vssvc.exe
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	3412	WMIC.exe
Token: SeSecurityPrivilege	3412	WMIC.exe
Token: SeTakeOwnershipPrivilege	3412	WMIC.exe
Token: SeLoadDriverPrivilege	3412	WMIC.exe
Token: SeSystemProfilePrivilege	3412	WMIC.exe
Token: SeSystemtimePrivilege	3412	WMIC.exe
Token: SeProfSingleProcessPrivilege	3412	WMIC.exe
Token: SeIncBasePriorityPrivilege	3412	WMIC.exe
Token: SeCreatePagefilePrivilege	3412	WMIC.exe
Token: SeBackupPrivilege	3412	WMIC.exe
Token: SeRestorePrivilege	3412	WMIC.exe
Token: SeShutdownPrivilege	3412	WMIC.exe
Token: SeDebugPrivilege	3412	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3412	WMIC.exe
Token: SeRemoteShutdownPrivilege	3412	WMIC.exe
Token: SeUndockPrivilege	3412	WMIC.exe
Token: SeManageVolumePrivilege	3412	WMIC.exe
Token: 33	3412	WMIC.exe
Token: 34	3412	WMIC.exe
Token: 35	3412	WMIC.exe
Token: 36	3412	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3412	WMIC.exe
Token: SeSecurityPrivilege	3412	WMIC.exe
Token: SeTakeOwnershipPrivilege	3412	WMIC.exe
Token: SeLoadDriverPrivilege	3412	WMIC.exe
Token: SeSystemProfilePrivilege	3412	WMIC.exe
Token: SeSystemtimePrivilege	3412	WMIC.exe
Token: SeProfSingleProcessPrivilege	3412	WMIC.exe
Token: SeIncBasePriorityPrivilege	3412	WMIC.exe
Token: SeCreatePagefilePrivilege	3412	WMIC.exe
Token: SeBackupPrivilege	3412	WMIC.exe
Token: SeRestorePrivilege	3412	WMIC.exe
Token: SeShutdownPrivilege	3412	WMIC.exe
Token: SeDebugPrivilege	3412	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3412	WMIC.exe
Token: SeRemoteShutdownPrivilege	3412	WMIC.exe
Token: SeUndockPrivilege	3412	WMIC.exe
Token: SeManageVolumePrivilege	3412	WMIC.exe
Token: 33	3412	WMIC.exe
Token: 34	3412	WMIC.exe
Token: 35	3412	WMIC.exe
Token: 36	3412	WMIC.exe
Token: SeBackupPrivilege	2184	wbengine.exe
Token: SeRestorePrivilege	2184	wbengine.exe
Token: SeSecurityPrivilege	2184	wbengine.exe
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exeoeE3.exeE~M.execmd.execmd.exe

description	pid	process	target process
PID 2708 wrote to memory of 1796	2708	c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe	certreq.exe
PID 2708 wrote to memory of 1796	2708	c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe	certreq.exe
PID 2708 wrote to memory of 1796	2708	c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe	certreq.exe
PID 2708 wrote to memory of 1796	2708	c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe	certreq.exe
PID 3820 wrote to memory of 3516	3820	oeE3.exe	oeE3.exe
PID 3820 wrote to memory of 3516	3820	oeE3.exe	oeE3.exe
PID 3820 wrote to memory of 3516	3820	oeE3.exe	oeE3.exe
PID 3820 wrote to memory of 3516	3820	oeE3.exe	oeE3.exe
PID 3820 wrote to memory of 3516	3820	oeE3.exe	oeE3.exe
PID 3820 wrote to memory of 3516	3820	oeE3.exe	oeE3.exe
PID 3048 wrote to memory of 3740	3048	E~M.exe	cmd.exe
PID 3048 wrote to memory of 3740	3048	E~M.exe	cmd.exe
PID 3048 wrote to memory of 3556	3048	E~M.exe	cmd.exe
PID 3048 wrote to memory of 3556	3048	E~M.exe	cmd.exe
PID 3556 wrote to memory of 2620	3556	cmd.exe	netsh.exe
PID 3556 wrote to memory of 2620	3556	cmd.exe	netsh.exe
PID 3740 wrote to memory of 3544	3740	cmd.exe	vssadmin.exe
PID 3740 wrote to memory of 3544	3740	cmd.exe	vssadmin.exe
PID 3556 wrote to memory of 4320	3556	cmd.exe	netsh.exe
PID 3556 wrote to memory of 4320	3556	cmd.exe	netsh.exe
PID 3740 wrote to memory of 3412	3740	cmd.exe	WMIC.exe
PID 3740 wrote to memory of 3412	3740	cmd.exe	WMIC.exe
PID 3740 wrote to memory of 3716	3740	cmd.exe	bcdedit.exe
PID 3740 wrote to memory of 3716	3740	cmd.exe	bcdedit.exe
PID 3740 wrote to memory of 4432	3740	cmd.exe	bcdedit.exe
PID 3740 wrote to memory of 4432	3740	cmd.exe	bcdedit.exe
PID 3740 wrote to memory of 552	3740	cmd.exe	wbadmin.exe
PID 3740 wrote to memory of 552	3740	cmd.exe	wbadmin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Users\Admin\AppData\Local\Temp\c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe
"C:\Users\Admin\AppData\Local\Temp\c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 944
3⤵
- Program crash
PID:2184

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:1796

C:\Users\Admin\AppData\Local\Temp\C1C.exe
C:\Users\Admin\AppData\Local\Temp\C1C.exe
2⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\DE2.exe
C:\Users\Admin\AppData\Local\Temp\DE2.exe
2⤵
PID:3928

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4948

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4320

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:180

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3812

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4916

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:5088

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2708 -ip 2708
1⤵
PID:2864

C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe
"C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3820

C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe
"C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3516

C:\Users\Admin\AppData\Local\Microsoft\E~M.exe
"C:\Users\Admin\AppData\Local\Microsoft\E~M.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Microsoft\E~M.exe
"C:\Users\Admin\AppData\Local\Microsoft\E~M.exe"
2⤵
- Executes dropped EXE
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 460
3⤵
- Program crash
PID:284

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:2620

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:4320

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3544

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:3716

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:4432

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:552

C:\Users\Admin\AppData\Local\Microsoft\2jU6fH.exe
"C:\Users\Admin\AppData\Local\Microsoft\2jU6fH.exe"
1⤵
- Executes dropped EXE
PID:2260

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:788

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2652 -ip 2652
1⤵
PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[3107CCA1-3483].[[email protected]].8base
Filesize
3.2MB

MD5
5ecbd8ddbbba5cc06367444108d0fc8a

SHA1
1d5041be2b9a23b29f57930b212ebdd397a0f9d7

SHA256
9d08a8a25dde9e9b323703bd93e3f09519d1ff30bd9c721b8981eab0db1a3399

SHA512
7a12442ca15822951da40d6fa0114bba5964d1793cf8693b0fed6d52e23eaef8f36c91c5f71893ad6d200371d18ddedbafd009ea628526bd7bd6f67ff6145404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\2jU6fH.exe
Filesize
164KB

MD5
6ac14216327dcfb60b33ebd914f62769

SHA1
d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b

SHA256
25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9

SHA512
6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\E~M.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\E~M.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\E~M.exe
Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe
Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe
Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe
Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1C.exe
Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1C.exe
Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE2.exe
Filesize
164KB

MD5
16bab536f93bbf833bca053e355402ee

SHA1
8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374

SHA256
b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4

SHA512
c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE2.exe
Filesize
164KB

MD5
16bab536f93bbf833bca053e355402ee

SHA1
8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374

SHA256
b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4

SHA512
c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\cookies.sqlite.id[3107CCA1-3483].[[email protected]].8base
Filesize
96KB

MD5
4a943e0588a5d8525175daed17208b07

SHA1
92cff8ce40e3beb4827ecc6306c2f3d89f803115

SHA256
17ffea8f66dace54c102d958e0a2682c4712bb5f04f91b1b11d49ab8a70c7f04

SHA512
7f90bd892865b131dca2dd86a5dbe2535f1fcd385a5f930c3265746169bec239bfc6b60d06f4f89d7bb620bb25f7ee5c0980277a12a560dbca1b63ad02139c59

Download Submit
memory/180-4431-0x0000000000EF0000-0x0000000000EF4000-memory.dmp

Filesize
16KB

Download
memory/180-4425-0x0000000000EE0000-0x0000000000EE9000-memory.dmp

Filesize
36KB

Download
memory/180-4443-0x0000000000EE0000-0x0000000000EE9000-memory.dmp

Filesize
36KB

Download
memory/1796-162-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

Filesize
1.2MB

Download
memory/1796-171-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp

Filesize
2.0MB

Download
memory/1796-158-0x00000148EF180000-0x00000148EF183000-memory.dmp

Filesize
12KB

Download
memory/1796-159-0x00000148EF320000-0x00000148EF327000-memory.dmp

Filesize
28KB

Download
memory/1796-161-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

Filesize
1.2MB

Download
memory/1796-160-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

Filesize
1.2MB

Download
memory/1796-193-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp

Filesize
2.0MB

Download
memory/1796-163-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

Filesize
1.2MB

Download
memory/1796-164-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

Filesize
1.2MB

Download
memory/1796-166-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

Filesize
1.2MB

Download
memory/1796-168-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

Filesize
1.2MB

Download
memory/1796-169-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

Filesize
1.2MB

Download
memory/1796-170-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

Filesize
1.2MB

Download
memory/1796-190-0x00000148EF320000-0x00000148EF325000-memory.dmp

Filesize
20KB

Download
memory/1796-172-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

Filesize
1.2MB

Download
memory/1796-173-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

Filesize
1.2MB

Download
memory/1796-174-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

Filesize
1.2MB

Download
memory/1796-175-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

Filesize
1.2MB

Download
memory/1796-176-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

Filesize
1.2MB

Download
memory/1796-178-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp

Filesize
2.0MB

Download
memory/1796-144-0x00000148EF180000-0x00000148EF183000-memory.dmp

Filesize
12KB

Download
memory/2260-207-0x0000000002710000-0x00000000027EB000-memory.dmp

Filesize
876KB

Download
memory/2260-205-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2260-206-0x0000000002630000-0x000000000270B000-memory.dmp

Filesize
876KB

Download
memory/2652-2304-0x0000000000780000-0x0000000000880000-memory.dmp

Filesize
1024KB

Download
memory/2652-2306-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2708-146-0x0000000003210000-0x0000000003246000-memory.dmp

Filesize
216KB

Download
memory/2708-139-0x0000000002370000-0x0000000002770000-memory.dmp

Filesize
4.0MB

Download
memory/2708-135-0x0000000000680000-0x00000000006F1000-memory.dmp

Filesize
452KB

Download
memory/2708-145-0x0000000000680000-0x00000000006F1000-memory.dmp

Filesize
452KB

Download
memory/2708-136-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2708-140-0x0000000002370000-0x0000000002770000-memory.dmp

Filesize
4.0MB

Download
memory/2708-141-0x0000000002370000-0x0000000002770000-memory.dmp

Filesize
4.0MB

Download
memory/2708-142-0x0000000002370000-0x0000000002770000-memory.dmp

Filesize
4.0MB

Download
memory/2708-137-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2708-156-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2708-157-0x0000000002370000-0x0000000002770000-memory.dmp

Filesize
4.0MB

Download
memory/2708-138-0x00000000022D0000-0x00000000022D7000-memory.dmp

Filesize
28KB

Download
memory/2708-152-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2708-153-0x0000000003210000-0x0000000003246000-memory.dmp

Filesize
216KB

Download
memory/2708-154-0x0000000002370000-0x0000000002770000-memory.dmp

Filesize
4.0MB

Download
memory/2708-143-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2708-134-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/3048-4732-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3048-771-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/3048-877-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3048-768-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3048-518-0x0000000000640000-0x000000000064F000-memory.dmp

Filesize
60KB

Download
memory/3048-2978-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3048-191-0x0000000000640000-0x000000000064F000-memory.dmp

Filesize
60KB

Download
memory/3048-194-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/3048-197-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3140-200-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/3516-201-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3516-192-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3516-196-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3812-4567-0x0000000000F80000-0x0000000000F8A000-memory.dmp

Filesize
40KB

Download
memory/3812-4568-0x0000000000F70000-0x0000000000F7B000-memory.dmp

Filesize
44KB

Download
memory/3812-4566-0x0000000000F70000-0x0000000000F7B000-memory.dmp

Filesize
44KB

Download
memory/3820-189-0x0000000000580000-0x0000000000589000-memory.dmp

Filesize
36KB

Download
memory/3820-188-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/4320-4243-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/4320-4245-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/4320-4362-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/4916-4580-0x00000000005F0000-0x00000000005F7000-memory.dmp

Filesize
28KB

Download
memory/4916-4573-0x00000000005E0000-0x00000000005EB000-memory.dmp

Filesize
44KB

Download
memory/4916-4584-0x00000000005E0000-0x00000000005EB000-memory.dmp

Filesize
44KB

Download
memory/4948-4563-0x0000000000410000-0x000000000047B000-memory.dmp

Filesize
428KB

Download
memory/4948-4318-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/4948-4310-0x0000000000410000-0x000000000047B000-memory.dmp

Filesize
428KB

Download
memory/4948-4276-0x0000000000410000-0x000000000047B000-memory.dmp

Filesize
428KB

Download
memory/5088-4668-0x0000000000D50000-0x0000000000D5F000-memory.dmp

Filesize
60KB

Download
memory/5088-4740-0x0000000000D60000-0x0000000000D69000-memory.dmp

Filesize
36KB

Download
memory/5088-4758-0x0000000000D50000-0x0000000000D5F000-memory.dmp

Filesize
60KB

Download