lumma | 5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2023 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde.exe
Size

165KB
MD5

9c256e1bdd0b987fd125a73a474bce47
SHA1

0ca3df633e8f46b7d4414b23ff338a6c736adf0f
SHA256

5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde
SHA512

8087152e4171025e75783b19a4becdb2e067d0db0ad6eddb583eaa189c6544850f3e889aff184477144596d82510b5038182c4bd8c9088817e6f67d9a90b7034
SSDEEP

1536:mKz2SNhA41gJLNuAAwTcqD0+iUzEykFQdynzBJLbyAmeZY6CbmpCv/FPzkXhxkYf:m/L5TtMUzvkmG8ALq6AJkXhF5AZp4

Score

10^/10

lumma phobos rhadamanthys smokeloader systembc summ backdoor collection discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

summ

Extracted

Family

smokeloader

Version

2022

http://stalagmijesarl.com/

http://ukdantist-sarl.com/

http://cpcorprotationltd.com/

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Extracted

Family

lumma

gstatic-node.io

Extracted

Family

systembc

adstat477d.xyz:4044

demstat577d.xyz:4044

Signatures

Detect rhadamanthys stealer shellcode 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3116-196-0x00000000024E0000-0x00000000028E0000-memory.dmp	family_rhadamanthys
behavioral1/memory/3116-197-0x00000000024E0000-0x00000000028E0000-memory.dmp	family_rhadamanthys
behavioral1/memory/3116-198-0x00000000024E0000-0x00000000028E0000-memory.dmp	family_rhadamanthys
behavioral1/memory/3116-200-0x00000000024E0000-0x00000000028E0000-memory.dmp	family_rhadamanthys
behavioral1/memory/3116-217-0x00000000024E0000-0x00000000028E0000-memory.dmp	family_rhadamanthys
behavioral1/memory/3116-218-0x00000000024E0000-0x00000000028E0000-memory.dmp	family_rhadamanthys
behavioral1/memory/3116-221-0x00000000024E0000-0x00000000028E0000-memory.dmp	family_rhadamanthys

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

DA7.exe

description pid process target process

PID 3116 created 3156 3116 DA7.exe Explorer.EXE
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1508 bcdedit.exe
1940 bcdedit.exe
Renames multiple (317) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2160 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

3424 netsh.exe
1564 netsh.exe
Drops startup file 1 IoCs

Processes:

p8[{jcb007.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\p8[{jcb007.exe p8[{jcb007.exe
Executes dropped EXE 10 IoCs

Processes:

DA7.exe19AE.exe9B).exep8[{jcb007.exe$VK.exe9B).exep8[{jcb007.exe8B6F.exe8E01.exe95C2.exe

pid process

3116 DA7.exe
2244 19AE.exe
228 9B).exe
4828 p8[{jcb007.exe
3052 $VK.exe
760 9B).exe
4520 p8[{jcb007.exe
1232 8B6F.exe
1656 8E01.exe
1228 95C2.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 3116 created 3156	3116	DA7.exe	Explorer.EXE

pid	process
1508	bcdedit.exe
1940	bcdedit.exe

pid	process
2160	wbadmin.exe

pid	process
3424	netsh.exe
1564	netsh.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\p8[{jcb007.exe	p8[{jcb007.exe

pid	process
3116	DA7.exe
2244	19AE.exe
228	9B).exe
4828	p8[{jcb007.exe
3052	$VK.exe
760	9B).exe
4520	p8[{jcb007.exe
1232	8B6F.exe
1656	8E01.exe
1228	95C2.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

p8[{jcb007.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\p8[{jcb007 = "C:\\Users\\Admin\\AppData\\Local\\p8[{jcb007.exe"	p8[{jcb007.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\p8[{jcb007 = "C:\\Users\\Admin\\AppData\\Local\\p8[{jcb007.exe"	p8[{jcb007.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

Processes:

p8[{jcb007.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3195054982-4292022746-1467505928-1000\desktop.ini	p8[{jcb007.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3195054982-4292022746-1467505928-1000\desktop.ini	p8[{jcb007.exe
File opened for modification	C:\Program Files\desktop.ini	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	p8[{jcb007.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

9B).exe

description pid process target process

PID 228 set thread context of 760 228 9B).exe 9B).exe

description	pid	process	target process
PID 228 set thread context of 760	228	9B).exe	9B).exe

Drops file in Program Files directory 64 IoCs

Processes:

p8[{jcb007.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms	p8[{jcb007.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui	p8[{jcb007.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	p8[{jcb007.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	p8[{jcb007.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-ms	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\vccorlib140.dll.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\dcf.x-none.msi.16.x-none.vreg.dat	p8[{jcb007.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzdb.dat.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPSLAX.DLL.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.tree.dat	p8[{jcb007.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-private-l1-1-0.dll.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONPPTAddin.dll.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\WidescreenPresentation.potx	p8[{jcb007.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll	p8[{jcb007.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\cldrdata.jar.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\msipc.dll.mui.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png	p8[{jcb007.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\javafx.properties.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\msvcp140_1.dll	p8[{jcb007.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll	p8[{jcb007.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\README.TXT	p8[{jcb007.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected][63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui	p8[{jcb007.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN090.XML.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ppd.xrm-ms.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare.HxS.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_zh_4.4.0.v20140623020002.jar.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-100.png.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBCN6.CHM	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-conio-l1-1-0.dll	p8[{jcb007.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL.id[63449BD6-3483].[[email protected]].8base	p8[{jcb007.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\MSIPCEvents.man	p8[{jcb007.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4456	3116	WerFault.exe	DA7.exe
4612	4520	WerFault.exe	p8[{jcb007.exe
5084	2244	WerFault.exe	19AE.exe
872	1228	WerFault.exe	95C2.exe

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde.exe9B).exevds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9B).exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9B).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9B).exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4896 vssadmin.exe

pid	process
4896	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde.exeExplorer.EXE

pid	process
1212	5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde.exe
1212	5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde.exe
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3156 Explorer.EXE

pid	process
3156	Explorer.EXE

Suspicious behavior: MapViewOfSection 22 IoCs

Processes:

5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde.exeExplorer.EXE9B).exe

pid	process
1212	5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde.exe
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
760	9B).exe
3156	Explorer.EXE
3156	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEp8[{jcb007.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeDebugPrivilege	4828	p8[{jcb007.exe
Token: SeBackupPrivilege	3984	vssvc.exe
Token: SeRestorePrivilege	3984	vssvc.exe
Token: SeAuditPrivilege	3984	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2836	WMIC.exe
Token: SeSecurityPrivilege	2836	WMIC.exe
Token: SeTakeOwnershipPrivilege	2836	WMIC.exe
Token: SeLoadDriverPrivilege	2836	WMIC.exe
Token: SeSystemProfilePrivilege	2836	WMIC.exe
Token: SeSystemtimePrivilege	2836	WMIC.exe
Token: SeProfSingleProcessPrivilege	2836	WMIC.exe
Token: SeIncBasePriorityPrivilege	2836	WMIC.exe
Token: SeCreatePagefilePrivilege	2836	WMIC.exe
Token: SeBackupPrivilege	2836	WMIC.exe
Token: SeRestorePrivilege	2836	WMIC.exe
Token: SeShutdownPrivilege	2836	WMIC.exe
Token: SeDebugPrivilege	2836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2836	WMIC.exe
Token: SeRemoteShutdownPrivilege	2836	WMIC.exe
Token: SeUndockPrivilege	2836	WMIC.exe
Token: SeManageVolumePrivilege	2836	WMIC.exe
Token: 33	2836	WMIC.exe
Token: 34	2836	WMIC.exe
Token: 35	2836	WMIC.exe
Token: 36	2836	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2836	WMIC.exe
Token: SeSecurityPrivilege	2836	WMIC.exe
Token: SeTakeOwnershipPrivilege	2836	WMIC.exe
Token: SeLoadDriverPrivilege	2836	WMIC.exe
Token: SeSystemProfilePrivilege	2836	WMIC.exe
Token: SeSystemtimePrivilege	2836	WMIC.exe
Token: SeProfSingleProcessPrivilege	2836	WMIC.exe
Token: SeIncBasePriorityPrivilege	2836	WMIC.exe
Token: SeCreatePagefilePrivilege	2836	WMIC.exe
Token: SeBackupPrivilege	2836	WMIC.exe
Token: SeRestorePrivilege	2836	WMIC.exe
Token: SeShutdownPrivilege	2836	WMIC.exe
Token: SeDebugPrivilege	2836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2836	WMIC.exe
Token: SeRemoteShutdownPrivilege	2836	WMIC.exe
Token: SeUndockPrivilege	2836	WMIC.exe
Token: SeManageVolumePrivilege	2836	WMIC.exe
Token: 33	2836	WMIC.exe
Token: 34	2836	WMIC.exe
Token: 35	2836	WMIC.exe
Token: 36	2836	WMIC.exe
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeBackupPrivilege	2544	wbengine.exe
Token: SeRestorePrivilege	2544	wbengine.exe
Token: SeSecurityPrivilege	2544	wbengine.exe
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Explorer.EXEDA7.exe9B).exep8[{jcb007.execmd.execmd.exe

description	pid	process	target process
PID 3156 wrote to memory of 3116	3156	Explorer.EXE	DA7.exe
PID 3156 wrote to memory of 3116	3156	Explorer.EXE	DA7.exe
PID 3156 wrote to memory of 3116	3156	Explorer.EXE	DA7.exe
PID 3156 wrote to memory of 2244	3156	Explorer.EXE	19AE.exe
PID 3156 wrote to memory of 2244	3156	Explorer.EXE	19AE.exe
PID 3156 wrote to memory of 2244	3156	Explorer.EXE	19AE.exe
PID 3156 wrote to memory of 956	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 956	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 956	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 956	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 4388	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 4388	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 4388	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 2272	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 2272	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 2272	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 2272	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 5028	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 5028	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 5028	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 544	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 544	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 544	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 544	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 64	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 64	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 64	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 64	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 4840	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 4840	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 4840	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 4840	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 1872	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 1872	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 1872	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 2784	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 2784	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 2784	3156	Explorer.EXE	explorer.exe
PID 3156 wrote to memory of 2784	3156	Explorer.EXE	explorer.exe
PID 3116 wrote to memory of 4068	3116	DA7.exe	certreq.exe
PID 3116 wrote to memory of 4068	3116	DA7.exe	certreq.exe
PID 3116 wrote to memory of 4068	3116	DA7.exe	certreq.exe
PID 3116 wrote to memory of 4068	3116	DA7.exe	certreq.exe
PID 228 wrote to memory of 760	228	9B).exe	9B).exe
PID 228 wrote to memory of 760	228	9B).exe	9B).exe
PID 228 wrote to memory of 760	228	9B).exe	9B).exe
PID 228 wrote to memory of 760	228	9B).exe	9B).exe
PID 228 wrote to memory of 760	228	9B).exe	9B).exe
PID 228 wrote to memory of 760	228	9B).exe	9B).exe
PID 4828 wrote to memory of 4244	4828	p8[{jcb007.exe	cmd.exe
PID 4828 wrote to memory of 4244	4828	p8[{jcb007.exe	cmd.exe
PID 4828 wrote to memory of 1664	4828	p8[{jcb007.exe	cmd.exe
PID 4828 wrote to memory of 1664	4828	p8[{jcb007.exe	cmd.exe
PID 1664 wrote to memory of 1564	1664	cmd.exe	netsh.exe
PID 1664 wrote to memory of 1564	1664	cmd.exe	netsh.exe
PID 4244 wrote to memory of 4896	4244	cmd.exe	vssadmin.exe
PID 4244 wrote to memory of 4896	4244	cmd.exe	vssadmin.exe
PID 4244 wrote to memory of 2836	4244	cmd.exe	WMIC.exe
PID 4244 wrote to memory of 2836	4244	cmd.exe	WMIC.exe
PID 1664 wrote to memory of 3424	1664	cmd.exe	netsh.exe
PID 1664 wrote to memory of 3424	1664	cmd.exe	netsh.exe
PID 4244 wrote to memory of 1508	4244	cmd.exe	bcdedit.exe
PID 4244 wrote to memory of 1508	4244	cmd.exe	bcdedit.exe
PID 4244 wrote to memory of 1940	4244	cmd.exe	bcdedit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3156

C:\Users\Admin\AppData\Local\Temp\5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde.exe
"C:\Users\Admin\AppData\Local\Temp\5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1212

C:\Users\Admin\AppData\Local\Temp\DA7.exe
C:\Users\Admin\AppData\Local\Temp\DA7.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 704
3⤵
- Program crash
PID:4456

C:\Users\Admin\AppData\Local\Temp\19AE.exe
C:\Users\Admin\AppData\Local\Temp\19AE.exe
2⤵
- Executes dropped EXE
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1228
3⤵
- Program crash
PID:5084

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:956

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4388

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2272

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:5028

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:544

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:64

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4840

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1872

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2784

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
PID:4068

C:\Users\Admin\AppData\Local\Temp\8B6F.exe
C:\Users\Admin\AppData\Local\Temp\8B6F.exe
2⤵
- Executes dropped EXE
PID:1232

C:\Users\Admin\AppData\Local\Temp\8E01.exe
C:\Users\Admin\AppData\Local\Temp\8E01.exe
2⤵
- Executes dropped EXE
PID:1656

C:\Users\Admin\AppData\Local\Temp\95C2.exe
C:\Users\Admin\AppData\Local\Temp\95C2.exe
2⤵
- Executes dropped EXE
PID:1228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 164
3⤵
- Program crash
PID:872

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:280

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1328

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3936

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:468

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4564

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:944

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4476

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4244

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:5024

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1064

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2128

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3056

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3116 -ip 3116
1⤵
PID:4212

C:\Users\Admin\AppData\Local\Microsoft\9B).exe
"C:\Users\Admin\AppData\Local\Microsoft\9B).exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:228

C:\Users\Admin\AppData\Local\Microsoft\9B).exe
"C:\Users\Admin\AppData\Local\Microsoft\9B).exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:760

C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe
"C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe
"C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe"
2⤵
- Executes dropped EXE
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 460
3⤵
- Program crash
PID:4612

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4896

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:1508

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:1940

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:2160

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:1564

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:3424

C:\Users\Admin\AppData\Local\Microsoft\$VK.exe
"C:\Users\Admin\AppData\Local\Microsoft\$VK.exe"
1⤵
- Executes dropped EXE
PID:3052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3484

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4520 -ip 4520
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2244 -ip 2244
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1228 -ip 1228
1⤵
PID:3364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[63449BD6-3483].[[email protected]].8base
Filesize
3.2MB

MD5
78cfd4772d616d3693de3b210961d17f

SHA1
3ca8352bcb7d30713aa84a5956198f616c3281d2

SHA256
6bf2544950a63ee05c645467a8af59b9be55f59517b68cb732aaf337951fedb8

SHA512
6abbf02043c8db7924bf44856310b888c08b5b13bf16e87483e97cd9c65c40b6c89a0bce5074a525694a1c45248c14dabf8bb0fc7ae70d8c430b606132a88bd4

Download Submit
C:\ProgramData\AAAAECGH
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\JKJECBAA
Filesize
92KB

MD5
da6f6947237f7f9902d3b9ee78c045c0

SHA1
492a79734456f81be28b4875feb107420a840a46

SHA256
603604a1810fac25ae925cbddbc1c0bf212a7fbbfefa95fec40e09bff96f70c6

SHA512
fd76772b420b13eee0c783ff042eec6145237f6a186c7a843c837781bfbffa772fafb9eef24e1b9202f4b95d93b7865c25a2dc51b98a87a716bc2679c8db6ab0

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\$VK.exe
Filesize
164KB

MD5
16bab536f93bbf833bca053e355402ee

SHA1
8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374

SHA256
b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4

SHA512
c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\$VK.exe
Filesize
164KB

MD5
16bab536f93bbf833bca053e355402ee

SHA1
8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374

SHA256
b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4

SHA512
c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\9B).exe
Filesize
163KB

MD5
7d39a3778ad4a5d5e6c7e78fc9e05a00

SHA1
2b030e3180efb06721404fa0de1fbe4998618225

SHA256
21a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9

SHA512
1a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\9B).exe
Filesize
163KB

MD5
7d39a3778ad4a5d5e6c7e78fc9e05a00

SHA1
2b030e3180efb06721404fa0de1fbe4998618225

SHA256
21a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9

SHA512
1a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\9B).exe
Filesize
163KB

MD5
7d39a3778ad4a5d5e6c7e78fc9e05a00

SHA1
2b030e3180efb06721404fa0de1fbe4998618225

SHA256
21a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9

SHA512
1a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe
Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe
Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe
Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Local\Temp\19AE.exe
Filesize
290KB

MD5
6d35d4cb11e99f8645441b0f1f96da3d

SHA1
3b6e12da0c1c37d38db867ab6330ace34461c56a

SHA256
9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204

SHA512
01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\19AE.exe
Filesize
290KB

MD5
6d35d4cb11e99f8645441b0f1f96da3d

SHA1
3b6e12da0c1c37d38db867ab6330ace34461c56a

SHA256
9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204

SHA512
01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B6F.exe
Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B6F.exe
Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B6F.exe
Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E01.exe
Filesize
164KB

MD5
16bab536f93bbf833bca053e355402ee

SHA1
8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374

SHA256
b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4

SHA512
c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E01.exe
Filesize
164KB

MD5
16bab536f93bbf833bca053e355402ee

SHA1
8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374

SHA256
b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4

SHA512
c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

Download Submit
C:\Users\Admin\AppData\Local\Temp\95C2.exe
Filesize
1.2MB

MD5
4a9777a2bf4fa6e8945a0b48dfac8108

SHA1
36777152e87eb30a58e4b22430888ee0b065864e

SHA256
67e2316b799a36c92f468f339002f1b3e1c2a984c1fbff5a73f0659a13209ad8

SHA512
ddc703fbcf4909e65395a5911404c08991c03d234295d4e24484d92648e6b2e8a99fdafd8851b45e29d77c0e8aba0a4b0fc0c709ebbdee9939712fcc476a897a

Download Submit
C:\Users\Admin\AppData\Local\Temp\95C2.exe
Filesize
1.2MB

MD5
4a9777a2bf4fa6e8945a0b48dfac8108

SHA1
36777152e87eb30a58e4b22430888ee0b065864e

SHA256
67e2316b799a36c92f468f339002f1b3e1c2a984c1fbff5a73f0659a13209ad8

SHA512
ddc703fbcf4909e65395a5911404c08991c03d234295d4e24484d92648e6b2e8a99fdafd8851b45e29d77c0e8aba0a4b0fc0c709ebbdee9939712fcc476a897a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA7.exe
Filesize
374KB

MD5
11715c27335a026129dfc1695ebc8888

SHA1
0ffaa4f65fbf2bc0750b972621f37c787b0231e2

SHA256
c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482

SHA512
f7743e16fa619a90cb2c216bc46e2f3b10973e2d3aeb81be27d284e52758cc6fd204dc0babef2bfd01e8bfdc12e70c35dd0f50472f06635f489d2db8060b1220

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA7.exe
Filesize
374KB

MD5
11715c27335a026129dfc1695ebc8888

SHA1
0ffaa4f65fbf2bc0750b972621f37c787b0231e2

SHA256
c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482

SHA512
f7743e16fa619a90cb2c216bc46e2f3b10973e2d3aeb81be27d284e52758cc6fd204dc0babef2bfd01e8bfdc12e70c35dd0f50472f06635f489d2db8060b1220

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob0k9snf.default-release\cookies.sqlite.id[63449BD6-3483].[[email protected]].8base
Filesize
96KB

MD5
aa80792c0b4eb2e6ba4c7e6211786c47

SHA1
aef9f11f45fa1a235b6f62b18551e2ad3cbadd9e

SHA256
c05df34a54e7ca3a9510b5e3849bf42746aeb4f5f45ef065e2faa8f1c3805966

SHA512
d6ce8d982b0d00ceae3f6075a0bb8a71f935cdc191e4cfa9cf9896cd6e47442b3c61a711501867fa30b64ece4c89862630819bef54b1e9132e5dad99e68e9bf7

Download Submit
memory/64-176-0x0000000000330000-0x0000000000339000-memory.dmp

Filesize
36KB

Download
memory/64-177-0x0000000000340000-0x0000000000345000-memory.dmp

Filesize
20KB

Download
memory/64-194-0x0000000000330000-0x0000000000339000-memory.dmp

Filesize
36KB

Download
memory/228-261-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/228-262-0x00000000020F0000-0x00000000020F9000-memory.dmp

Filesize
36KB

Download
memory/544-174-0x0000000000D30000-0x0000000000D57000-memory.dmp

Filesize
156KB

Download
memory/544-190-0x0000000000D60000-0x0000000000D82000-memory.dmp

Filesize
136KB

Download
memory/544-173-0x0000000000D60000-0x0000000000D82000-memory.dmp

Filesize
136KB

Download
memory/544-172-0x0000000000D30000-0x0000000000D57000-memory.dmp

Filesize
156KB

Download
memory/760-277-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/760-265-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/760-263-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/956-161-0x0000000001010000-0x000000000101B000-memory.dmp

Filesize
44KB

Download
memory/956-160-0x0000000001020000-0x0000000001027000-memory.dmp

Filesize
28KB

Download
memory/956-162-0x0000000001010000-0x000000000101B000-memory.dmp

Filesize
44KB

Download
memory/956-175-0x0000000001020000-0x0000000001027000-memory.dmp

Filesize
28KB

Download
memory/1212-137-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1212-141-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1212-136-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1212-142-0x0000000000690000-0x0000000000699000-memory.dmp

Filesize
36KB

Download
memory/1212-135-0x0000000000690000-0x0000000000699000-memory.dmp

Filesize
36KB

Download
memory/1212-134-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/1872-184-0x0000000000F00000-0x0000000000F07000-memory.dmp

Filesize
28KB

Download
memory/1872-182-0x0000000000EF0000-0x0000000000EFD000-memory.dmp

Filesize
52KB

Download
memory/1872-201-0x0000000000F00000-0x0000000000F07000-memory.dmp

Filesize
28KB

Download
memory/1872-185-0x0000000000EF0000-0x0000000000EFD000-memory.dmp

Filesize
52KB

Download
memory/2244-4000-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2244-223-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2244-222-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2244-202-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2244-204-0x0000000002110000-0x0000000002165000-memory.dmp

Filesize
340KB

Download
memory/2244-203-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2272-183-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/2272-168-0x0000000000FE0000-0x0000000000FE9000-memory.dmp

Filesize
36KB

Download
memory/2272-167-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/2272-166-0x0000000000FE0000-0x0000000000FE9000-memory.dmp

Filesize
36KB

Download
memory/2784-208-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2784-191-0x0000000000660000-0x000000000066B000-memory.dmp

Filesize
44KB

Download
memory/2784-192-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2784-193-0x0000000000660000-0x000000000066B000-memory.dmp

Filesize
44KB

Download
memory/3052-859-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/3052-272-0x0000000000580000-0x0000000000585000-memory.dmp

Filesize
20KB

Download
memory/3052-273-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3052-271-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/3116-220-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3116-198-0x00000000024E0000-0x00000000028E0000-memory.dmp

Filesize
4.0MB

Download
memory/3116-189-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3116-187-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/3116-188-0x00000000021D0000-0x0000000002241000-memory.dmp

Filesize
452KB

Download
memory/3116-195-0x00000000006C0000-0x00000000006C7000-memory.dmp

Filesize
28KB

Download
memory/3116-218-0x00000000024E0000-0x00000000028E0000-memory.dmp

Filesize
4.0MB

Download
memory/3116-196-0x00000000024E0000-0x00000000028E0000-memory.dmp

Filesize
4.0MB

Download
memory/3116-197-0x00000000024E0000-0x00000000028E0000-memory.dmp

Filesize
4.0MB

Download
memory/3116-221-0x00000000024E0000-0x00000000028E0000-memory.dmp

Filesize
4.0MB

Download
memory/3116-217-0x00000000024E0000-0x00000000028E0000-memory.dmp

Filesize
4.0MB

Download
memory/3116-200-0x00000000024E0000-0x00000000028E0000-memory.dmp

Filesize
4.0MB

Download
memory/3116-205-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/3116-206-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3116-210-0x0000000003220000-0x0000000003256000-memory.dmp

Filesize
216KB

Download
memory/3116-216-0x0000000003220000-0x0000000003256000-memory.dmp

Filesize
216KB

Download
memory/3156-138-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/3156-276-0x0000000007FD0000-0x0000000007FE6000-memory.dmp

Filesize
88KB

Download
memory/4068-238-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

Filesize
1.2MB

Download
memory/4068-231-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

Filesize
1.2MB

Download
memory/4068-225-0x000001965E320000-0x000001965E323000-memory.dmp

Filesize
12KB

Download
memory/4068-226-0x000001965E5C0000-0x000001965E5C7000-memory.dmp

Filesize
28KB

Download
memory/4068-243-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

Filesize
1.2MB

Download
memory/4068-258-0x000001965E5C0000-0x000001965E5C5000-memory.dmp

Filesize
20KB

Download
memory/4068-259-0x00007FFB00F70000-0x00007FFB01165000-memory.dmp

Filesize
2.0MB

Download
memory/4068-241-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

Filesize
1.2MB

Download
memory/4068-207-0x000001965E320000-0x000001965E323000-memory.dmp

Filesize
12KB

Download
memory/4068-240-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

Filesize
1.2MB

Download
memory/4068-239-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

Filesize
1.2MB

Download
memory/4068-227-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

Filesize
1.2MB

Download
memory/4068-237-0x00007FFB00F70000-0x00007FFB01165000-memory.dmp

Filesize
2.0MB

Download
memory/4068-228-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

Filesize
1.2MB

Download
memory/4068-229-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

Filesize
1.2MB

Download
memory/4068-230-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

Filesize
1.2MB

Download
memory/4068-236-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

Filesize
1.2MB

Download
memory/4068-235-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

Filesize
1.2MB

Download
memory/4068-234-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

Filesize
1.2MB

Download
memory/4068-249-0x00007FFB00F70000-0x00007FFB01165000-memory.dmp

Filesize
2.0MB

Download
memory/4068-232-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

Filesize
1.2MB

Download
memory/4388-165-0x00000000003C0000-0x00000000003CF000-memory.dmp

Filesize
60KB

Download
memory/4388-179-0x00000000003D0000-0x00000000003D9000-memory.dmp

Filesize
36KB

Download
memory/4388-164-0x00000000003D0000-0x00000000003D9000-memory.dmp

Filesize
36KB

Download
memory/4388-163-0x00000000003C0000-0x00000000003CF000-memory.dmp

Filesize
60KB

Download
memory/4520-2436-0x0000000000530000-0x000000000053F000-memory.dmp

Filesize
60KB

Download
memory/4520-2425-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/4828-5697-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4828-817-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4828-4027-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4828-1855-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4828-574-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/4828-267-0x0000000000530000-0x000000000053F000-memory.dmp

Filesize
60KB

Download
memory/4828-268-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4828-266-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/4840-181-0x0000000000D30000-0x0000000000D3B000-memory.dmp

Filesize
44KB

Download
memory/4840-180-0x0000000000D40000-0x0000000000D46000-memory.dmp

Filesize
24KB

Download
memory/4840-178-0x0000000000D30000-0x0000000000D3B000-memory.dmp

Filesize
44KB

Download
memory/4840-199-0x0000000000D40000-0x0000000000D46000-memory.dmp

Filesize
24KB

Download
memory/5028-186-0x0000000000940000-0x0000000000946000-memory.dmp

Filesize
24KB

Download
memory/5028-169-0x0000000000930000-0x000000000093C000-memory.dmp

Filesize
48KB

Download
memory/5028-170-0x0000000000940000-0x0000000000946000-memory.dmp

Filesize
24KB

Download
memory/5028-171-0x0000000000930000-0x000000000093C000-memory.dmp

Filesize
48KB

Download