phobos | 6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07-09-2023 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17688f03f125bb494dc7f304b8936221.exe
Size

833KB
MD5

17688f03f125bb494dc7f304b8936221
SHA1

7fadc66ba11a5b3c4582f4d9b5b245801ccf918a
SHA256

6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb
SHA512

1636d32e5a59c5c3577d0dc5ecf7dbccc22cc0ce2087889974903257d500e694d2cee4218c17ddba747c4b59ea4f811889837883b40cd009c1463cdc21f65a06
SSDEEP

12288:Ib/bL1cEYZpFQOT4KpMT+msoH985+3wAFn6DQnbu7L3SpiQXYIOnUfvDrD8FEsim:WzLmQsI85mn6DQDYpmv8FEyuOGLU

Score

10^/10

phobos rhadamanthys collection evasion persistence ransomware spyware stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2340-18-0x0000000002150000-0x0000000002550000-memory.dmp	family_rhadamanthys
behavioral1/memory/2340-19-0x0000000002150000-0x0000000002550000-memory.dmp	family_rhadamanthys
behavioral1/memory/2340-20-0x0000000002150000-0x0000000002550000-memory.dmp	family_rhadamanthys
behavioral1/memory/2340-21-0x0000000002150000-0x0000000002550000-memory.dmp	family_rhadamanthys
behavioral1/memory/2340-31-0x0000000002150000-0x0000000002550000-memory.dmp	family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

17688f03f125bb494dc7f304b8936221.exe

description pid process target process

PID 2340 created 1384 2340 17688f03f125bb494dc7f304b8936221.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2504 bcdedit.exe
1552 bcdedit.exe
Renames multiple (313) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

692 wbadmin.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

1440 netsh.exe
1100 netsh.exe
Deletes itself 1 IoCs

Processes:

certreq.exe

pid process

2584 certreq.exe

description	pid	process	target process
PID 2340 created 1384	2340	17688f03f125bb494dc7f304b8936221.exe	Explorer.EXE

pid	process
2504	bcdedit.exe
1552	bcdedit.exe

pid	process
692	wbadmin.exe

pid	process
1440	netsh.exe
1100	netsh.exe

pid	process
2584	certreq.exe

Drops startup file 3 IoCs

Processes:

Ozt-wH.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\Ozt-wH.exe	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Ozt-wH.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe

Executes dropped EXE 16 IoCs

Processes:

Ozt-wH.exeOzt-wH.exeOzt-wH.exeZBiXo).exeZBiXo).exeZBiXo).exeZBiXo).exeZBiXo).exeZBiXo).exeZBiXo).exeZBiXo).exeZBiXo).exeOzt-wH.exeZBiXo).exeZBiXo).exeOzt-wH.exe

pid	process
752	Ozt-wH.exe
2812	Ozt-wH.exe
2828	Ozt-wH.exe
2808	ZBiXo).exe
1112	ZBiXo).exe
2232	ZBiXo).exe
2040	ZBiXo).exe
2452	ZBiXo).exe
1620	ZBiXo).exe
1724	ZBiXo).exe
1800	ZBiXo).exe
1092	ZBiXo).exe
2644	Ozt-wH.exe
380	ZBiXo).exe
1628	ZBiXo).exe
1712	Ozt-wH.exe

Loads dropped DLL 7 IoCs

Processes:

WerFault.exe

pid process

1768 WerFault.exe
1768 WerFault.exe
1768 WerFault.exe
1768 WerFault.exe
1768 WerFault.exe
1768 WerFault.exe
1768 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1768	WerFault.exe
1768	WerFault.exe
1768	WerFault.exe
1768	WerFault.exe
1768	WerFault.exe
1768	WerFault.exe
1768	WerFault.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ozt-wH.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ozt-wH = "C:\\Users\\Admin\\AppData\\Local\\Ozt-wH.exe"	Ozt-wH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ozt-wH = "C:\\Users\\Admin\\AppData\\Local\\Ozt-wH.exe"	Ozt-wH.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

Ozt-wH.exe

description	ioc	process
File opened for modification	C:\Users\Public\Documents\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2TCNB3QR\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	Ozt-wH.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\PNLMEYHC\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JY0EDUNO\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Public\desktop.ini	Ozt-wH.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2F3386PL\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Program Files\desktop.ini	Ozt-wH.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	Ozt-wH.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	Ozt-wH.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8VE3RER5\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	Ozt-wH.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-86725733-3001458681-3405935542-1000\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	Ozt-wH.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OXRRPXTH\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	Ozt-wH.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	Ozt-wH.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZM14P5Y5\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	Ozt-wH.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Ozt-wH.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Ozt-wH.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Ozt-wH.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

17688f03f125bb494dc7f304b8936221.exeOzt-wH.exeOzt-wH.exe

description	pid	process	target process
PID 2372 set thread context of 2340	2372	17688f03f125bb494dc7f304b8936221.exe	17688f03f125bb494dc7f304b8936221.exe
PID 752 set thread context of 2828	752	Ozt-wH.exe	Ozt-wH.exe
PID 2644 set thread context of 1712	2644	Ozt-wH.exe	Ozt-wH.exe

Drops file in Program Files directory 64 IoCs

Processes:

Ozt-wH.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\verify.dll	Ozt-wH.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107026.WMF.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00555_.WMF.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REMOTE.CFG	Ozt-wH.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\fr-FR\MoreGames.dll.mui	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLTS.DAT	Ozt-wH.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\wmlaunch.exe.mui	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\oledbjvs.inc	Ozt-wH.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CSS7DATA000C.DLL.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Budapest	Ozt-wH.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_record_plugin.dll.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ENVELOPE.DLL.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png	Ozt-wH.exe
File opened for modification	C:\Program Files\DisconnectSuspend.3gp	Ozt-wH.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\HEADER.GIF.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sl.pak	Ozt-wH.exe
File opened for modification	C:\Program Files\Mozilla Firefox\ipcclientcerts.dll	Ozt-wH.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FINCL_02.MID.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BS2BARB.POC.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Updater.api	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif	Ozt-wH.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\MSB1ESEN.DLL	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04269_.WMF	Ozt-wH.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152414.WMF.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\IMAGE.JPG	Ozt-wH.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png	Ozt-wH.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar	Ozt-wH.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\34.png	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382955.JPG	Ozt-wH.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Grid.thmx.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\AUTHOR.XSL	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html	Ozt-wH.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Managua.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\jamendo.luac	Ozt-wH.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00276_.WMF.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0213243.WMF.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292248.WMF	Ozt-wH.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\form_edit.js.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png	Ozt-wH.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png	Ozt-wH.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Resources.dll	Ozt-wH.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml	Ozt-wH.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_wasapi_plugin.dll	Ozt-wH.exe
File opened for modification	C:\Program Files\Windows Journal\NBMapTIP.dll	Ozt-wH.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152608.WMF.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB5B.BDR	Ozt-wH.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MSTTSLoc.dll.mui	Ozt-wH.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318448.WMF.id[E43C9C33-3483].[[email protected]].8base	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR51F.GIF	Ozt-wH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BRCHUR11.POC	Ozt-wH.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Sofia	Ozt-wH.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT	Ozt-wH.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\gadget.xml	Ozt-wH.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1768 1712 WerFault.exe Ozt-wH.exe

pid	pid_target	process	target process
1768	1712	WerFault.exe	Ozt-wH.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1072 vssadmin.exe

pid	process
1072	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

17688f03f125bb494dc7f304b8936221.exe17688f03f125bb494dc7f304b8936221.execertreq.exeOzt-wH.exeZBiXo).exeOzt-wH.exeOzt-wH.exe

pid	process
2372	17688f03f125bb494dc7f304b8936221.exe
2340	17688f03f125bb494dc7f304b8936221.exe
2340	17688f03f125bb494dc7f304b8936221.exe
2340	17688f03f125bb494dc7f304b8936221.exe
2340	17688f03f125bb494dc7f304b8936221.exe
2584	certreq.exe
2584	certreq.exe
2584	certreq.exe
2584	certreq.exe
752	Ozt-wH.exe
752	Ozt-wH.exe
752	Ozt-wH.exe
2808	ZBiXo).exe
2808	ZBiXo).exe
2808	ZBiXo).exe
2808	ZBiXo).exe
2808	ZBiXo).exe
2808	ZBiXo).exe
2808	ZBiXo).exe
2808	ZBiXo).exe
2808	ZBiXo).exe
2808	ZBiXo).exe
2808	ZBiXo).exe
2808	ZBiXo).exe
2808	ZBiXo).exe
2808	ZBiXo).exe
2808	ZBiXo).exe
2808	ZBiXo).exe
2808	ZBiXo).exe
2808	ZBiXo).exe
2808	ZBiXo).exe
2644	Ozt-wH.exe
2808	ZBiXo).exe
2808	ZBiXo).exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe
2828	Ozt-wH.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

17688f03f125bb494dc7f304b8936221.exeOzt-wH.exeZBiXo).exeOzt-wH.exeOzt-wH.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	2372	17688f03f125bb494dc7f304b8936221.exe
Token: SeDebugPrivilege	752	Ozt-wH.exe
Token: SeDebugPrivilege	2808	ZBiXo).exe
Token: SeDebugPrivilege	2644	Ozt-wH.exe
Token: SeDebugPrivilege	2828	Ozt-wH.exe
Token: SeBackupPrivilege	2960	vssvc.exe
Token: SeRestorePrivilege	2960	vssvc.exe
Token: SeAuditPrivilege	2960	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2536	WMIC.exe
Token: SeSecurityPrivilege	2536	WMIC.exe
Token: SeTakeOwnershipPrivilege	2536	WMIC.exe
Token: SeLoadDriverPrivilege	2536	WMIC.exe
Token: SeSystemProfilePrivilege	2536	WMIC.exe
Token: SeSystemtimePrivilege	2536	WMIC.exe
Token: SeProfSingleProcessPrivilege	2536	WMIC.exe
Token: SeIncBasePriorityPrivilege	2536	WMIC.exe
Token: SeCreatePagefilePrivilege	2536	WMIC.exe
Token: SeBackupPrivilege	2536	WMIC.exe
Token: SeRestorePrivilege	2536	WMIC.exe
Token: SeShutdownPrivilege	2536	WMIC.exe
Token: SeDebugPrivilege	2536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2536	WMIC.exe
Token: SeRemoteShutdownPrivilege	2536	WMIC.exe
Token: SeUndockPrivilege	2536	WMIC.exe
Token: SeManageVolumePrivilege	2536	WMIC.exe
Token: 33	2536	WMIC.exe
Token: 34	2536	WMIC.exe
Token: 35	2536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2536	WMIC.exe
Token: SeSecurityPrivilege	2536	WMIC.exe
Token: SeTakeOwnershipPrivilege	2536	WMIC.exe
Token: SeLoadDriverPrivilege	2536	WMIC.exe
Token: SeSystemProfilePrivilege	2536	WMIC.exe
Token: SeSystemtimePrivilege	2536	WMIC.exe
Token: SeProfSingleProcessPrivilege	2536	WMIC.exe
Token: SeIncBasePriorityPrivilege	2536	WMIC.exe
Token: SeCreatePagefilePrivilege	2536	WMIC.exe
Token: SeBackupPrivilege	2536	WMIC.exe
Token: SeRestorePrivilege	2536	WMIC.exe
Token: SeShutdownPrivilege	2536	WMIC.exe
Token: SeDebugPrivilege	2536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2536	WMIC.exe
Token: SeRemoteShutdownPrivilege	2536	WMIC.exe
Token: SeUndockPrivilege	2536	WMIC.exe
Token: SeManageVolumePrivilege	2536	WMIC.exe
Token: 33	2536	WMIC.exe
Token: 34	2536	WMIC.exe
Token: 35	2536	WMIC.exe
Token: SeBackupPrivilege	792	wbengine.exe
Token: SeRestorePrivilege	792	wbengine.exe
Token: SeSecurityPrivilege	792	wbengine.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

17688f03f125bb494dc7f304b8936221.exe17688f03f125bb494dc7f304b8936221.exeOzt-wH.exeZBiXo).exe

description	pid	process	target process
PID 2372 wrote to memory of 2340	2372	17688f03f125bb494dc7f304b8936221.exe	17688f03f125bb494dc7f304b8936221.exe
PID 2372 wrote to memory of 2340	2372	17688f03f125bb494dc7f304b8936221.exe	17688f03f125bb494dc7f304b8936221.exe
PID 2372 wrote to memory of 2340	2372	17688f03f125bb494dc7f304b8936221.exe	17688f03f125bb494dc7f304b8936221.exe
PID 2372 wrote to memory of 2340	2372	17688f03f125bb494dc7f304b8936221.exe	17688f03f125bb494dc7f304b8936221.exe
PID 2372 wrote to memory of 2340	2372	17688f03f125bb494dc7f304b8936221.exe	17688f03f125bb494dc7f304b8936221.exe
PID 2372 wrote to memory of 2340	2372	17688f03f125bb494dc7f304b8936221.exe	17688f03f125bb494dc7f304b8936221.exe
PID 2372 wrote to memory of 2340	2372	17688f03f125bb494dc7f304b8936221.exe	17688f03f125bb494dc7f304b8936221.exe
PID 2372 wrote to memory of 2340	2372	17688f03f125bb494dc7f304b8936221.exe	17688f03f125bb494dc7f304b8936221.exe
PID 2372 wrote to memory of 2340	2372	17688f03f125bb494dc7f304b8936221.exe	17688f03f125bb494dc7f304b8936221.exe
PID 2340 wrote to memory of 2584	2340	17688f03f125bb494dc7f304b8936221.exe	certreq.exe
PID 2340 wrote to memory of 2584	2340	17688f03f125bb494dc7f304b8936221.exe	certreq.exe
PID 2340 wrote to memory of 2584	2340	17688f03f125bb494dc7f304b8936221.exe	certreq.exe
PID 2340 wrote to memory of 2584	2340	17688f03f125bb494dc7f304b8936221.exe	certreq.exe
PID 2340 wrote to memory of 2584	2340	17688f03f125bb494dc7f304b8936221.exe	certreq.exe
PID 2340 wrote to memory of 2584	2340	17688f03f125bb494dc7f304b8936221.exe	certreq.exe
PID 752 wrote to memory of 2812	752	Ozt-wH.exe	Ozt-wH.exe
PID 752 wrote to memory of 2812	752	Ozt-wH.exe	Ozt-wH.exe
PID 752 wrote to memory of 2812	752	Ozt-wH.exe	Ozt-wH.exe
PID 752 wrote to memory of 2812	752	Ozt-wH.exe	Ozt-wH.exe
PID 752 wrote to memory of 2828	752	Ozt-wH.exe	Ozt-wH.exe
PID 752 wrote to memory of 2828	752	Ozt-wH.exe	Ozt-wH.exe
PID 752 wrote to memory of 2828	752	Ozt-wH.exe	Ozt-wH.exe
PID 752 wrote to memory of 2828	752	Ozt-wH.exe	Ozt-wH.exe
PID 752 wrote to memory of 2828	752	Ozt-wH.exe	Ozt-wH.exe
PID 752 wrote to memory of 2828	752	Ozt-wH.exe	Ozt-wH.exe
PID 752 wrote to memory of 2828	752	Ozt-wH.exe	Ozt-wH.exe
PID 752 wrote to memory of 2828	752	Ozt-wH.exe	Ozt-wH.exe
PID 752 wrote to memory of 2828	752	Ozt-wH.exe	Ozt-wH.exe
PID 752 wrote to memory of 2828	752	Ozt-wH.exe	Ozt-wH.exe
PID 752 wrote to memory of 2828	752	Ozt-wH.exe	Ozt-wH.exe
PID 2808 wrote to memory of 1112	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 1112	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 1112	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 1112	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 2232	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 2232	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 2232	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 2232	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 2040	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 2040	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 2040	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 2040	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 2452	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 2452	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 2452	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 2452	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 1620	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 1620	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 1620	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 1620	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 1724	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 1724	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 1724	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 1724	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 1800	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 1800	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 1800	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 1800	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 1092	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 1092	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 1092	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 1092	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 380	2808	ZBiXo).exe	ZBiXo).exe
PID 2808 wrote to memory of 380	2808	ZBiXo).exe	ZBiXo).exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\17688f03f125bb494dc7f304b8936221.exe
"C:\Users\Admin\AppData\Local\Temp\17688f03f125bb494dc7f304b8936221.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\17688f03f125bb494dc7f304b8936221.exe
C:\Users\Admin\AppData\Local\Temp\17688f03f125bb494dc7f304b8936221.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Deletes itself
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:2584

C:\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe
"C:\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752

C:\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe
C:\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe
2⤵
- Executes dropped EXE
PID:2812

C:\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe
C:\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:2332

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
- Modifies Windows Firewall
PID:1440

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
4⤵
- Modifies Windows Firewall
PID:1100

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:2956

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1072

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:2504

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:1552

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:692

C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
"C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808

C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
2⤵
- Executes dropped EXE
PID:1112

C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
2⤵
- Executes dropped EXE
PID:2232

C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
2⤵
- Executes dropped EXE
PID:1628

C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
2⤵
- Executes dropped EXE
PID:380

C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
2⤵
- Executes dropped EXE
PID:1092

C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
2⤵
- Executes dropped EXE
PID:1800

C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
2⤵
- Executes dropped EXE
PID:1724

C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
2⤵
- Executes dropped EXE
PID:1620

C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
2⤵
- Executes dropped EXE
PID:2452

C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe
2⤵
- Executes dropped EXE
PID:2040

C:\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe
"C:\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe
C:\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe
2⤵
- Executes dropped EXE
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 164
3⤵
- Loads dropped DLL
- Program crash
PID:1768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2552

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[E43C9C33-3483].[[email protected]].8base

Filesize
143.1MB

MD5
37fa82cde5a3d7e58e0604b8f546d766

SHA1
6aa00c86a079493b12f2ebf62e1a6ad203705c7c

SHA256
ef510444e80b8e106c9f476d9b867ef3dbb90eb79503bedf8afe2a6002965d18

SHA512
47b5f7ec35ab243dd6b3dd3197d0e289ee589fdfed2ba8f57e4b21daa0f5e5d916ad526b01d4b8737fa904136bb7d3ecd176d0bc6c9a76e16542245c72c639d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe

Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe

Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe

Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe

Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe

Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe

Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe

Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe

Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe

Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe

Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe

Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ZBiXo).exe

Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
\Users\Admin\AppData\Local\Microsoft\Ozt-wH.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
memory/752-54-0x0000000000320000-0x00000000003C4000-memory.dmp

Filesize
656KB

Download
memory/752-56-0x0000000000760000-0x00000000007A6000-memory.dmp

Filesize
280KB

Download
memory/752-76-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/752-57-0x00000000002C0000-0x0000000000300000-memory.dmp

Filesize
256KB

Download
memory/752-58-0x00000000007E0000-0x0000000000814000-memory.dmp

Filesize
208KB

Download
memory/752-55-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/1712-104-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2340-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2340-6-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2340-19-0x0000000002150000-0x0000000002550000-memory.dmp

Filesize
4.0MB

Download
memory/2340-18-0x0000000002150000-0x0000000002550000-memory.dmp

Filesize
4.0MB

Download
memory/2340-17-0x0000000000140000-0x0000000000147000-memory.dmp

Filesize
28KB

Download
memory/2340-16-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2340-20-0x0000000002150000-0x0000000002550000-memory.dmp

Filesize
4.0MB

Download
memory/2340-13-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2340-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2340-9-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2340-21-0x0000000002150000-0x0000000002550000-memory.dmp

Filesize
4.0MB

Download
memory/2340-24-0x0000000000180000-0x00000000001B6000-memory.dmp

Filesize
216KB

Download
memory/2340-30-0x0000000000180000-0x00000000001B6000-memory.dmp

Filesize
216KB

Download
memory/2340-31-0x0000000002150000-0x0000000002550000-memory.dmp

Filesize
4.0MB

Download
memory/2340-8-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2340-7-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2372-15-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-5-0x0000000001F60000-0x0000000001FAC000-memory.dmp

Filesize
304KB

Download
memory/2372-4-0x00000000021B0000-0x0000000002218000-memory.dmp

Filesize
416KB

Download
memory/2372-3-0x0000000002170000-0x00000000021B0000-memory.dmp

Filesize
256KB

Download
memory/2372-2-0x0000000000460000-0x00000000004D8000-memory.dmp

Filesize
480KB

Download
memory/2372-0-0x00000000009E0000-0x0000000000AB6000-memory.dmp

Filesize
856KB

Download
memory/2372-1-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-22-0x00000000000E0000-0x00000000000E3000-memory.dmp

Filesize
12KB

Download
memory/2584-75-0x0000000077970000-0x0000000077B19000-memory.dmp

Filesize
1.7MB

Download
memory/2584-118-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/2584-119-0x0000000077970000-0x0000000077B19000-memory.dmp

Filesize
1.7MB

Download
memory/2584-52-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2584-48-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2584-47-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2584-46-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2584-45-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2584-44-0x0000000077970000-0x0000000077B19000-memory.dmp

Filesize
1.7MB

Download
memory/2584-42-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2584-43-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2584-39-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2584-41-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2584-38-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2584-37-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2584-36-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2584-35-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2584-34-0x0000000000130000-0x0000000000137000-memory.dmp

Filesize
28KB

Download
memory/2584-23-0x00000000000E0000-0x00000000000E3000-memory.dmp

Filesize
12KB

Download
memory/2644-95-0x0000000004C50000-0x0000000004C90000-memory.dmp

Filesize
256KB

Download
memory/2644-92-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2644-109-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2644-94-0x0000000000450000-0x0000000000496000-memory.dmp

Filesize
280KB

Download
memory/2808-96-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2808-73-0x00000000003F0000-0x0000000000490000-memory.dmp

Filesize
640KB

Download
memory/2808-81-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download
memory/2808-78-0x0000000000490000-0x00000000004D2000-memory.dmp

Filesize
264KB

Download
memory/2808-80-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2808-79-0x0000000000610000-0x0000000000642000-memory.dmp

Filesize
200KB

Download
memory/2828-77-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2828-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2828-64-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2828-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2828-63-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2828-74-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2828-68-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2828-65-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2828-61-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2828-59-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2828-190-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download