ammyyadmin | 18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6

Analysis

max time kernel
300s
max time network
277s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
08-09-2023 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
Size

833KB
MD5

cccc7f5648739a0339ab8475810b05eb
SHA1

ea2c3245ced87c11e3bb862fca1e1499f954f0d2
SHA256

18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6
SHA512

b858cab4bd98d219ce93959d2a95ee645c5868ef685e4920db8e180bcf234d58c2bc382a9d95b48144cac49d1c0d4abf964de9c8d910270cbddb00975c2581d3
SSDEEP

24576:rgQKL7qH3OhqnGmhMAFspPEKYX5NWfWUpc9p8ld3qb/LFLzu4PU6C19w2wfCUEr8:Hq7G3OhqnGmhMAFspPEKYX5NWfWUpc9b

Score

10^/10

ammyyadmin flawedammyy phobos rhadamanthys smokeloader backdoor bootkit collection evasion persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>cartilage</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #C6B5C4; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #B5CC8E; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #e6ecf2; border-left: 10px solid #B58CB2; } .alert { background: #FFE4E4; border-left: 10px solid #FFA07A; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC.</div> <div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>CB27636F-3483</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 5 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\74B3.tmp\svchost.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\74B3.tmp\svchost.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\74B3.tmp\svchost.exe	family_ammyyadmin
\Users\Admin\AppData\Local\Temp\74B3.tmp\svchost.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\74B3.tmp\svchost.exe	family_ammyyadmin

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2588-20-0x00000000023A0000-0x00000000027A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2588-22-0x00000000023A0000-0x00000000027A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2588-21-0x00000000023A0000-0x00000000027A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2588-23-0x00000000023A0000-0x00000000027A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2588-35-0x00000000023A0000-0x00000000027A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2588-36-0x00000000023A0000-0x00000000027A0000-memory.dmp	family_rhadamanthys

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe

description pid process target process

PID 2588 created 1292 2588 18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

2728 bcdedit.exe
2988 bcdedit.exe
2020 bcdedit.exe
588 bcdedit.exe
Renames multiple (319) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

32 996 rundll32.exe
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

2308 wbadmin.exe
1668 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

2276 netsh.exe
1940 netsh.exe

description	pid	process	target process
PID 2588 created 1292	2588	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe	Explorer.EXE

pid	process
2728	bcdedit.exe
2988	bcdedit.exe
2020	bcdedit.exe
588	bcdedit.exe

flow	pid	process
32	996	rundll32.exe

pid	process
2308	wbadmin.exe
1668	wbadmin.exe

pid	process
2276	netsh.exe
1940	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Control Panel\International\Geo\Nation	svchost.exe

Deletes itself 1 IoCs

Processes:

certreq.exe

pid process

2768 certreq.exe

pid	process
2768	certreq.exe

Drops startup file 3 IoCs

Processes:

uGwrLm3.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\uGwrLm3.exe	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	uGwrLm3.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe

Executes dropped EXE 20 IoCs

Processes:

uGwrLm3.exe2Q93_9rN.exeuGwrLm3.exe2Q93_9rN.exe2Q93_9rN.exe2Q93_9rN.exeuGwrLm3.exeuGwrLm3.exeuGwrLm3.exeuGwrLm3.exeuGwrLm3.exe26D2.exe2B84.exe26D2.exe2B84.exesvchost.exe2B84.exerctschgrctschgrctschg

pid	process
2192	uGwrLm3.exe
3016	2Q93_9rN.exe
2352	uGwrLm3.exe
1468	2Q93_9rN.exe
2020	2Q93_9rN.exe
2008	2Q93_9rN.exe
1420	uGwrLm3.exe
2800	uGwrLm3.exe
2868	uGwrLm3.exe
524	uGwrLm3.exe
584	uGwrLm3.exe
1960	26D2.exe
2640	2B84.exe
2692	26D2.exe
3020	2B84.exe
2988	svchost.exe
2112	2B84.exe
1560	rctschg
944	rctschg
1892	rctschg

Loads dropped DLL 16 IoCs

Processes:

WerFault.exe26D2.exe2B84.exeexplorer.exerundll32.exe

pid	process
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
1960	26D2.exe
2640	2B84.exe
2640	2B84.exe
2188	explorer.exe
2188	explorer.exe
996	rundll32.exe
996	rundll32.exe
996	rundll32.exe
996	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

uGwrLm3.exe2B84.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uGwrLm3 = "C:\\Users\\Admin\\AppData\\Local\\uGwrLm3.exe"	uGwrLm3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\uGwrLm3 = "C:\\Users\\Admin\\AppData\\Local\\uGwrLm3.exe"	uGwrLm3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\2B84.exe'\""	2B84.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

uGwrLm3.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Public\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JQALZ7NY\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WYZEMTEU\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	uGwrLm3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	uGwrLm3.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	uGwrLm3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	uGwrLm3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	uGwrLm3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	uGwrLm3.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3750544865-3773649541-1858556521-1000\desktop.ini	uGwrLm3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	uGwrLm3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IDLDGKZQ\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RIT0VQ4M\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YK5VI4QL\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z0TR3CUC\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	uGwrLm3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3750544865-3773649541-1858556521-1000\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	uGwrLm3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	uGwrLm3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	uGwrLm3.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1DRFDKCL\desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	uGwrLm3.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	uGwrLm3.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

svchost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 svchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe2Q93_9rN.exeuGwrLm3.exeuGwrLm3.exe26D2.exe2B84.exerctschg

description	pid	process	target process
PID 2216 set thread context of 2588	2216	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
PID 3016 set thread context of 2008	3016	2Q93_9rN.exe	2Q93_9rN.exe
PID 2192 set thread context of 1420	2192	uGwrLm3.exe	uGwrLm3.exe
PID 2800 set thread context of 584	2800	uGwrLm3.exe	uGwrLm3.exe
PID 1960 set thread context of 2692	1960	26D2.exe	26D2.exe
PID 2640 set thread context of 2112	2640	2B84.exe	2B84.exe
PID 1560 set thread context of 1892	1560	rctschg	rctschg

Drops file in Program Files directory 64 IoCs

Processes:

uGwrLm3.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\NOTE.CFG	uGwrLm3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01253_.WMF.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00382_.WMF	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceDaYi.txt	uGwrLm3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\jvm.cfg.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105240.WMF.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR42F.GIF	uGwrLm3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.change_2.10.0.v20140901-1043.jar.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar	uGwrLm3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo	uGwrLm3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_mms_plugin.dll	uGwrLm3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll	uGwrLm3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST7MDT	uGwrLm3.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\RMNSQUE.ELM.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART14.BDR	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECREC.CFG	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxinfo.ico	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\hxdsui.dll	uGwrLm3.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\PREVIEW.GIF.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo	uGwrLm3.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html	uGwrLm3.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Tags.accft	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\localizedStrings.js	uGwrLm3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg	uGwrLm3.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kathmandu.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp	uGwrLm3.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\Sidebar.exe.mui	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\PREVIEW.GIF	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01039_.WMF	uGwrLm3.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02404_.WMF.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png	uGwrLm3.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Belgrade.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\README.txt	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234687.GIF	uGwrLm3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santarem	uGwrLm3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_ja.jar.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\msoeres.dll.mui	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00779_.WMF	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR18F.GIF	uGwrLm3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GreenTea.css.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt_0.11.101.v20140818-1343.jar.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01332U.BMP	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185796.WMF	uGwrLm3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\LASER.WAV.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar	uGwrLm3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\TAB_ON.GIF.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\eBook.api	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21342_.GIF	uGwrLm3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLNOTER.FAE.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_OFF.GIF.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SlateBlue.css.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sitka.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SlateBlue.css	uGwrLm3.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105376.WMF.id[CB27636F-3483].[[email protected]].8base	uGwrLm3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1224 584 WerFault.exe uGwrLm3.exe

pid	pid_target	process	target process
1224	584	WerFault.exe	uGwrLm3.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rctschg2Q93_9rN.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rctschg
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rctschg
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rctschg
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2Q93_9rN.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2Q93_9rN.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2Q93_9rN.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1956 vssadmin.exe
1876 vssadmin.exe

pid	process
1956	vssadmin.exe
1876	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exemshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.execertreq.exeuGwrLm3.exe2Q93_9rN.exe2Q93_9rN.exeuGwrLm3.exeExplorer.EXEuGwrLm3.exe

pid	process
2216	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
2588	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
2588	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
2588	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
2588	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
2768	certreq.exe
2768	certreq.exe
2768	certreq.exe
2768	certreq.exe
2192	uGwrLm3.exe
2192	uGwrLm3.exe
3016	2Q93_9rN.exe
3016	2Q93_9rN.exe
3016	2Q93_9rN.exe
3016	2Q93_9rN.exe
2008	2Q93_9rN.exe
2008	2Q93_9rN.exe
2800	uGwrLm3.exe
2800	uGwrLm3.exe
2800	uGwrLm3.exe
2800	uGwrLm3.exe
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1420	uGwrLm3.exe
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1420	uGwrLm3.exe
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1420	uGwrLm3.exe
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1420	uGwrLm3.exe
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1420	uGwrLm3.exe
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1420	uGwrLm3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1292 Explorer.EXE

Suspicious behavior: MapViewOfSection 33 IoCs

Processes:

2Q93_9rN.exeExplorer.EXEexplorer.exe

pid	process
2008	2Q93_9rN.exe
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
2188	explorer.exe
2188	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exeuGwrLm3.exe2Q93_9rN.exeuGwrLm3.exeuGwrLm3.exevssvc.exe26D2.exeWMIC.exewbengine.exe2B84.exeExplorer.EXEWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2216	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
Token: SeDebugPrivilege	2192	uGwrLm3.exe
Token: SeDebugPrivilege	3016	2Q93_9rN.exe
Token: SeDebugPrivilege	2800	uGwrLm3.exe
Token: SeDebugPrivilege	1420	uGwrLm3.exe
Token: SeBackupPrivilege	1264	vssvc.exe
Token: SeRestorePrivilege	1264	vssvc.exe
Token: SeAuditPrivilege	1264	vssvc.exe
Token: SeDebugPrivilege	1960	26D2.exe
Token: SeIncreaseQuotaPrivilege	1248	WMIC.exe
Token: SeSecurityPrivilege	1248	WMIC.exe
Token: SeTakeOwnershipPrivilege	1248	WMIC.exe
Token: SeLoadDriverPrivilege	1248	WMIC.exe
Token: SeSystemProfilePrivilege	1248	WMIC.exe
Token: SeSystemtimePrivilege	1248	WMIC.exe
Token: SeProfSingleProcessPrivilege	1248	WMIC.exe
Token: SeIncBasePriorityPrivilege	1248	WMIC.exe
Token: SeCreatePagefilePrivilege	1248	WMIC.exe
Token: SeBackupPrivilege	1248	WMIC.exe
Token: SeRestorePrivilege	1248	WMIC.exe
Token: SeShutdownPrivilege	1248	WMIC.exe
Token: SeDebugPrivilege	1248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1248	WMIC.exe
Token: SeRemoteShutdownPrivilege	1248	WMIC.exe
Token: SeUndockPrivilege	1248	WMIC.exe
Token: SeManageVolumePrivilege	1248	WMIC.exe
Token: 33	1248	WMIC.exe
Token: 34	1248	WMIC.exe
Token: 35	1248	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1248	WMIC.exe
Token: SeSecurityPrivilege	1248	WMIC.exe
Token: SeTakeOwnershipPrivilege	1248	WMIC.exe
Token: SeLoadDriverPrivilege	1248	WMIC.exe
Token: SeSystemProfilePrivilege	1248	WMIC.exe
Token: SeSystemtimePrivilege	1248	WMIC.exe
Token: SeProfSingleProcessPrivilege	1248	WMIC.exe
Token: SeIncBasePriorityPrivilege	1248	WMIC.exe
Token: SeCreatePagefilePrivilege	1248	WMIC.exe
Token: SeBackupPrivilege	1248	WMIC.exe
Token: SeRestorePrivilege	1248	WMIC.exe
Token: SeShutdownPrivilege	1248	WMIC.exe
Token: SeDebugPrivilege	1248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1248	WMIC.exe
Token: SeRemoteShutdownPrivilege	1248	WMIC.exe
Token: SeUndockPrivilege	1248	WMIC.exe
Token: SeManageVolumePrivilege	1248	WMIC.exe
Token: 33	1248	WMIC.exe
Token: 34	1248	WMIC.exe
Token: 35	1248	WMIC.exe
Token: SeBackupPrivilege	524	wbengine.exe
Token: SeRestorePrivilege	524	wbengine.exe
Token: SeSecurityPrivilege	524	wbengine.exe
Token: SeDebugPrivilege	2640	2B84.exe
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	844	WMIC.exe
Token: SeSecurityPrivilege	844	WMIC.exe
Token: SeTakeOwnershipPrivilege	844	WMIC.exe
Token: SeLoadDriverPrivilege	844	WMIC.exe
Token: SeSystemProfilePrivilege	844	WMIC.exe
Token: SeSystemtimePrivilege	844	WMIC.exe
Token: SeProfSingleProcessPrivilege	844	WMIC.exe
Token: SeIncBasePriorityPrivilege	844	WMIC.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

svchost.exeExplorer.EXE

pid	process
2988	svchost.exe
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE

Suspicious use of SendNotifyMessage 14 IoCs

Processes:

Explorer.EXE

pid	process
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1292 Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exeuGwrLm3.exe2Q93_9rN.exeuGwrLm3.exe

description	pid	process	target process
PID 2216 wrote to memory of 2588	2216	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
PID 2216 wrote to memory of 2588	2216	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
PID 2216 wrote to memory of 2588	2216	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
PID 2216 wrote to memory of 2588	2216	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
PID 2216 wrote to memory of 2588	2216	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
PID 2216 wrote to memory of 2588	2216	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
PID 2216 wrote to memory of 2588	2216	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
PID 2216 wrote to memory of 2588	2216	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
PID 2216 wrote to memory of 2588	2216	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
PID 2588 wrote to memory of 2768	2588	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe	certreq.exe
PID 2588 wrote to memory of 2768	2588	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe	certreq.exe
PID 2588 wrote to memory of 2768	2588	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe	certreq.exe
PID 2588 wrote to memory of 2768	2588	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe	certreq.exe
PID 2588 wrote to memory of 2768	2588	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe	certreq.exe
PID 2588 wrote to memory of 2768	2588	18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe	certreq.exe
PID 2192 wrote to memory of 2352	2192	uGwrLm3.exe	uGwrLm3.exe
PID 2192 wrote to memory of 2352	2192	uGwrLm3.exe	uGwrLm3.exe
PID 2192 wrote to memory of 2352	2192	uGwrLm3.exe	uGwrLm3.exe
PID 2192 wrote to memory of 2352	2192	uGwrLm3.exe	uGwrLm3.exe
PID 2192 wrote to memory of 1420	2192	uGwrLm3.exe	uGwrLm3.exe
PID 2192 wrote to memory of 1420	2192	uGwrLm3.exe	uGwrLm3.exe
PID 2192 wrote to memory of 1420	2192	uGwrLm3.exe	uGwrLm3.exe
PID 2192 wrote to memory of 1420	2192	uGwrLm3.exe	uGwrLm3.exe
PID 2192 wrote to memory of 1420	2192	uGwrLm3.exe	uGwrLm3.exe
PID 3016 wrote to memory of 2020	3016	2Q93_9rN.exe	2Q93_9rN.exe
PID 3016 wrote to memory of 2020	3016	2Q93_9rN.exe	2Q93_9rN.exe
PID 3016 wrote to memory of 2020	3016	2Q93_9rN.exe	2Q93_9rN.exe
PID 3016 wrote to memory of 2020	3016	2Q93_9rN.exe	2Q93_9rN.exe
PID 2192 wrote to memory of 1420	2192	uGwrLm3.exe	uGwrLm3.exe
PID 3016 wrote to memory of 1468	3016	2Q93_9rN.exe	2Q93_9rN.exe
PID 3016 wrote to memory of 1468	3016	2Q93_9rN.exe	2Q93_9rN.exe
PID 3016 wrote to memory of 1468	3016	2Q93_9rN.exe	2Q93_9rN.exe
PID 3016 wrote to memory of 1468	3016	2Q93_9rN.exe	2Q93_9rN.exe
PID 3016 wrote to memory of 2008	3016	2Q93_9rN.exe	2Q93_9rN.exe
PID 3016 wrote to memory of 2008	3016	2Q93_9rN.exe	2Q93_9rN.exe
PID 3016 wrote to memory of 2008	3016	2Q93_9rN.exe	2Q93_9rN.exe
PID 3016 wrote to memory of 2008	3016	2Q93_9rN.exe	2Q93_9rN.exe
PID 2192 wrote to memory of 1420	2192	uGwrLm3.exe	uGwrLm3.exe
PID 3016 wrote to memory of 2008	3016	2Q93_9rN.exe	2Q93_9rN.exe
PID 2192 wrote to memory of 1420	2192	uGwrLm3.exe	uGwrLm3.exe
PID 3016 wrote to memory of 2008	3016	2Q93_9rN.exe	2Q93_9rN.exe
PID 2192 wrote to memory of 1420	2192	uGwrLm3.exe	uGwrLm3.exe
PID 3016 wrote to memory of 2008	3016	2Q93_9rN.exe	2Q93_9rN.exe
PID 2192 wrote to memory of 1420	2192	uGwrLm3.exe	uGwrLm3.exe
PID 2192 wrote to memory of 1420	2192	uGwrLm3.exe	uGwrLm3.exe
PID 2800 wrote to memory of 2868	2800	uGwrLm3.exe	uGwrLm3.exe
PID 2800 wrote to memory of 2868	2800	uGwrLm3.exe	uGwrLm3.exe
PID 2800 wrote to memory of 2868	2800	uGwrLm3.exe	uGwrLm3.exe
PID 2800 wrote to memory of 2868	2800	uGwrLm3.exe	uGwrLm3.exe
PID 2800 wrote to memory of 524	2800	uGwrLm3.exe	uGwrLm3.exe
PID 2800 wrote to memory of 524	2800	uGwrLm3.exe	uGwrLm3.exe
PID 2800 wrote to memory of 524	2800	uGwrLm3.exe	uGwrLm3.exe
PID 2800 wrote to memory of 524	2800	uGwrLm3.exe	uGwrLm3.exe
PID 2800 wrote to memory of 584	2800	uGwrLm3.exe	uGwrLm3.exe
PID 2800 wrote to memory of 584	2800	uGwrLm3.exe	uGwrLm3.exe
PID 2800 wrote to memory of 584	2800	uGwrLm3.exe	uGwrLm3.exe
PID 2800 wrote to memory of 584	2800	uGwrLm3.exe	uGwrLm3.exe
PID 2800 wrote to memory of 584	2800	uGwrLm3.exe	uGwrLm3.exe
PID 2800 wrote to memory of 584	2800	uGwrLm3.exe	uGwrLm3.exe
PID 2800 wrote to memory of 584	2800	uGwrLm3.exe	uGwrLm3.exe
PID 2800 wrote to memory of 584	2800	uGwrLm3.exe	uGwrLm3.exe
PID 2800 wrote to memory of 584	2800	uGwrLm3.exe	uGwrLm3.exe
PID 2800 wrote to memory of 584	2800	uGwrLm3.exe	uGwrLm3.exe
PID 2800 wrote to memory of 584	2800	uGwrLm3.exe	uGwrLm3.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
PID:1292

C:\Users\Admin\AppData\Local\Temp\18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
"C:\Users\Admin\AppData\Local\Temp\18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Local\Temp\18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
C:\Users\Admin\AppData\Local\Temp\18046faa65d9027214778b8d61a2ff92c4c43aacaa05c99a4fc46d3119af55d6.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Deletes itself
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2768

C:\Users\Admin\AppData\Local\Temp\26D2.exe
C:\Users\Admin\AppData\Local\Temp\26D2.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Users\Admin\AppData\Local\Temp\26D2.exe
C:\Users\Admin\AppData\Local\Temp\26D2.exe
3⤵
- Executes dropped EXE
PID:2692

C:\Users\Admin\AppData\Local\Temp\2B84.exe
C:\Users\Admin\AppData\Local\Temp\2B84.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Users\Admin\AppData\Local\Temp\2B84.exe
"C:\Users\Admin\AppData\Local\Temp\2B84.exe"
3⤵
- Executes dropped EXE
PID:3020

C:\Users\Admin\AppData\Local\Temp\2B84.exe
"C:\Users\Admin\AppData\Local\Temp\2B84.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2112

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2680

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1052

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2956

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:400

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3044

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1696

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2240

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1952

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2404

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2200

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1500

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2656

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2984

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1912

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2188

C:\Users\Admin\AppData\Local\Temp\74B3.tmp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\74B3.tmp\svchost.exe -debug
3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
PID:2988

C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
4⤵
PID:2776

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\74B3.tmp\aa_nts.dll",run
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:996

C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
"C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192

C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
2⤵
- Executes dropped EXE
PID:2352

C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
"C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800

C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
4⤵
- Executes dropped EXE
PID:2868

C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
4⤵
- Executes dropped EXE
PID:524

C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
4⤵
- Executes dropped EXE
PID:584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 164
5⤵
- Loads dropped DLL
- Program crash
PID:1224

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:1968

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1876

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:2728

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:2988

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:2308

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:2148

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
- Modifies Windows Firewall
PID:2276

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
4⤵
- Modifies Windows Firewall
PID:1940

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
3⤵
- Modifies Internet Explorer settings
PID:1604

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
3⤵
- Modifies Internet Explorer settings
PID:2724

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
3⤵
- Modifies Internet Explorer settings
PID:1760

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
3⤵
- Modifies Internet Explorer settings
PID:560

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:1692

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1956

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:2020

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:588

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:1668

C:\Users\Admin\AppData\Local\Microsoft\2Q93_9rN.exe
"C:\Users\Admin\AppData\Local\Microsoft\2Q93_9rN.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Microsoft\2Q93_9rN.exe
C:\Users\Admin\AppData\Local\Microsoft\2Q93_9rN.exe
2⤵
- Executes dropped EXE
PID:2020

C:\Users\Admin\AppData\Local\Microsoft\2Q93_9rN.exe
C:\Users\Admin\AppData\Local\Microsoft\2Q93_9rN.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2008

C:\Users\Admin\AppData\Local\Microsoft\2Q93_9rN.exe
C:\Users\Admin\AppData\Local\Microsoft\2Q93_9rN.exe
2⤵
- Executes dropped EXE
PID:1468

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:216

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2972

C:\Windows\system32\taskeng.exe
taskeng.exe {43712359-BA9B-443E-9BAF-9732EB8895EB} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]
1⤵
PID:2292

C:\Users\Admin\AppData\Roaming\rctschg
C:\Users\Admin\AppData\Roaming\rctschg
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1560

C:\Users\Admin\AppData\Roaming\rctschg
C:\Users\Admin\AppData\Roaming\rctschg
3⤵
- Executes dropped EXE
PID:944

C:\Users\Admin\AppData\Roaming\rctschg
C:\Users\Admin\AppData\Roaming\rctschg
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1892

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[CB27636F-3483].[[email protected]].8base
Filesize
143.1MB

MD5
b66dddffc87bb02b02c9ec14d146299c

SHA1
3cb25a72e2ff2addaffcf5d7629707ee47d78e67

SHA256
b4268779af26ecebb2496cba1a9ac1754187d1e22e3ecb6b3a76615be6d18d8b

SHA512
26c6d343886a96885d56caebfadbcc03c51abccf7be38562213704417a261b4042cb8ab76b3e015ebefbe5559602e4187f5378cd8a120bb82bf8402aab19a3f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
60fe01df86be2e5331b0cdbe86165686

SHA1
2a79f9713c3f192862ff80508062e64e8e0b29bd

SHA256
c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

SHA512
ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5037AC1E573F140500110A0B67548B5E
Filesize
503B

MD5
b946574b909046c0e99099f57b9202d9

SHA1
86cee1e28e38fdc64d6d15c57ecf7ccc5df8ac53

SHA256
585923cdcead0071a03441e863a545ffc9954e6bcc1eb847974a6b237e0b4126

SHA512
b48b07b64dfc1c2ef1abbbc4bc9f67f6f37d7c77374f49d8cf732156c50ca62f39dd5e6d49c9c4559b562260c83cebada7aa8e4f057eca66030d6a2056a34da5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
4f6371abe128600896d6becc3e353692

SHA1
5e7498f75bbce51cc143b3b93ceb94606136c9f2

SHA256
a41f8dc46fc3c720c73bd3fbb0cb2f38ac2109bffeba43344b4fadcbbbeef555

SHA512
19e280334aac8519fff410413a0ced0e17feb9dcf7a9dc1523257e7448a52512ead1c35387328673151b4bcd7c84b3ca053b2389badf4215faa80273df3c1b98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5037AC1E573F140500110A0B67548B5E
Filesize
556B

MD5
3637d1a956b03957bab82505e84060c7

SHA1
bdf200d78261477e0b9901cc0247cac48580eb0b

SHA256
dd5403c98af3fd250f118b6144b526e854cf89b87fd0b2588961d18fb44d5268

SHA512
133e4b0c4acf86ae6699fdfd4f59e4424d3fb3dcaa06f3b98ac0f1c10b9fc270e299ced5bc1423867811fcac6b46f0ff077e34411bd5181c40b47b6aa363aa78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3238a84812a41cc922ece385527bfb65

SHA1
36ecf57fc4e1d661a0d7a77c8a13e782b5df1caa

SHA256
a1cfe4fdf11e75951384cc4a672e70fbf6d03c7de8fd4719f6272d15087b9af3

SHA512
5431df0276bb6d588bae448de94981c8ee4db6196248cc34bdd39f148a7df52dc67b704274a5a8cd1c61293408d6ce0fd6c0e957774ab95fd5bcbf870d329d89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
454150239a05165ee71f3b2673d0ffee

SHA1
9b43657880dbbe1d9b65aeb1e0fea527d3361153

SHA256
f96dc808a2040483afa4b8ec6a5cdfdcc46aef57ecd09d7aa3eb359fed0ebbbc

SHA512
b98d77dab09945c1fa5d07788564cac8150c50d94e03500c2f93be2af196a75b4880926e116bfd3072c0e95ad4543af5167dca64ab5c1516875c580b22847eff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3f15e7ba6132f970356b06b8656369f8

SHA1
fe5b937daa67d1b3468a315b7167fe3be3ebd786

SHA256
78c79ff0cf013126f493dcc313cb2bc84234572e4c0906c3704191a8b0c8f49e

SHA512
fbaf2749d260cd6ecb3fc123964b27f3980167ed581e19280ea9c0b258aced57ec53c64d8979e17b7e34951c50452311c5d49cc8da262d575649148551797c6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
Filesize
252B

MD5
f6364176a48859e6d66632be49c1a066

SHA1
09d73ccf6a6d0100ea18c671ab6937a14c71bd3e

SHA256
fb018708f4f8fa896a32a73a51646c15cea9e3365162b3b428af9a1a8f74e390

SHA512
59c7b2e089bddf59ee9659d45cda1cf27c26d4eeaa78c81118ee3161eac427451a29268530a9fd40cb077c7ee612ec1ba55041cb007ded65e3998a4628af65d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\2Q93_9rN.exe
Filesize
259KB

MD5
93ce7d54193f795f9d48942e2d65513f

SHA1
400c05d65cdce25ac9d84ebc43f7c87defa11a0f

SHA256
54e1295c5df189db7bf1b5c3a2d6e190d41709b75754c1f6ce22cb767d488c5e

SHA512
7f473571b2e1ade66aeaf4ac1e093a8faf49fd044c42a5196399bb3032208e7ebdaa18fd9c202305483da609d6881cd793f7cae3bed45e8e59fe6c747462648b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\2Q93_9rN.exe
Filesize
259KB

MD5
93ce7d54193f795f9d48942e2d65513f

SHA1
400c05d65cdce25ac9d84ebc43f7c87defa11a0f

SHA256
54e1295c5df189db7bf1b5c3a2d6e190d41709b75754c1f6ce22cb767d488c5e

SHA512
7f473571b2e1ade66aeaf4ac1e093a8faf49fd044c42a5196399bb3032208e7ebdaa18fd9c202305483da609d6881cd793f7cae3bed45e8e59fe6c747462648b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\2Q93_9rN.exe
Filesize
259KB

MD5
93ce7d54193f795f9d48942e2d65513f

SHA1
400c05d65cdce25ac9d84ebc43f7c87defa11a0f

SHA256
54e1295c5df189db7bf1b5c3a2d6e190d41709b75754c1f6ce22cb767d488c5e

SHA512
7f473571b2e1ade66aeaf4ac1e093a8faf49fd044c42a5196399bb3032208e7ebdaa18fd9c202305483da609d6881cd793f7cae3bed45e8e59fe6c747462648b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\2Q93_9rN.exe
Filesize
259KB

MD5
93ce7d54193f795f9d48942e2d65513f

SHA1
400c05d65cdce25ac9d84ebc43f7c87defa11a0f

SHA256
54e1295c5df189db7bf1b5c3a2d6e190d41709b75754c1f6ce22cb767d488c5e

SHA512
7f473571b2e1ade66aeaf4ac1e093a8faf49fd044c42a5196399bb3032208e7ebdaa18fd9c202305483da609d6881cd793f7cae3bed45e8e59fe6c747462648b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\2Q93_9rN.exe
Filesize
259KB

MD5
93ce7d54193f795f9d48942e2d65513f

SHA1
400c05d65cdce25ac9d84ebc43f7c87defa11a0f

SHA256
54e1295c5df189db7bf1b5c3a2d6e190d41709b75754c1f6ce22cb767d488c5e

SHA512
7f473571b2e1ade66aeaf4ac1e093a8faf49fd044c42a5196399bb3032208e7ebdaa18fd9c202305483da609d6881cd793f7cae3bed45e8e59fe6c747462648b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
C:\Users\Admin\AppData\Local\Temp\26D2.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
C:\Users\Admin\AppData\Local\Temp\26D2.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
C:\Users\Admin\AppData\Local\Temp\26D2.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
C:\Users\Admin\AppData\Local\Temp\26D2.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B84.exe
Filesize
246KB

MD5
fbf0a1dac97318a3ae3824184959a0f3

SHA1
a1c19f2a7802754f1aab8a744fbeb4b955f9491e

SHA256
cc3c25428fc709184339f227c7861dcc8d881c5175183e1de7a5f1070b8f6475

SHA512
d519afcc72d56877f9f118e15c8c99070a892ea4f2162eeac57a2925b5f03da8e3a0160e98f122484c1243818f7a9168aa1e6e4bd0802c9cfb3f49c4383cb949

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B84.exe
Filesize
246KB

MD5
fbf0a1dac97318a3ae3824184959a0f3

SHA1
a1c19f2a7802754f1aab8a744fbeb4b955f9491e

SHA256
cc3c25428fc709184339f227c7861dcc8d881c5175183e1de7a5f1070b8f6475

SHA512
d519afcc72d56877f9f118e15c8c99070a892ea4f2162eeac57a2925b5f03da8e3a0160e98f122484c1243818f7a9168aa1e6e4bd0802c9cfb3f49c4383cb949

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B84.exe
Filesize
246KB

MD5
fbf0a1dac97318a3ae3824184959a0f3

SHA1
a1c19f2a7802754f1aab8a744fbeb4b955f9491e

SHA256
cc3c25428fc709184339f227c7861dcc8d881c5175183e1de7a5f1070b8f6475

SHA512
d519afcc72d56877f9f118e15c8c99070a892ea4f2162eeac57a2925b5f03da8e3a0160e98f122484c1243818f7a9168aa1e6e4bd0802c9cfb3f49c4383cb949

Download Submit
C:\Users\Admin\AppData\Local\Temp\74B3.tmp\aa_nts.dll
Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\74B3.tmp\aa_nts.log
Filesize
121B

MD5
dd6a9a588cb55c57352c020649b1a560

SHA1
4e6c0d3f6460bfd99c61fc8c9ab4106f88b2b797

SHA256
8c5053037fc885d638bb83da70f77cfb43d58e6f9843945c60b2694dafa1aca4

SHA512
a262d3a7118bfea2e652244c1eca35ac6326521ba2883a9a24e5853b110183f6f2acbf8481aee9dbfed0c7e482fe884fefa6c613a7d2fd81d50abd9bb43c2db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\74B3.tmp\aa_nts.log
Filesize
4KB

MD5
1fa84b0e0a551989c7ec593cd3d00da1

SHA1
77423bf366420794a5191a0aa68fbf380e613125

SHA256
6743b0abd01ab3ff3ea070f7bc8906d84a0b9ff3480f5a4a7eb8c18f5f8d9c6a

SHA512
24447e79b8972d0e073ae8abd4996b6261582b9b3249cc044bcfd247eeb7d4db930485c2a0a8a71cb961160127b05ba1a962327821353092dd1a416527a444e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\74B3.tmp\aa_nts.msg
Filesize
46B

MD5
3f05819f995b4dafa1b5d55ce8d1f411

SHA1
404449b79a16bfc4f64f2fd55cd73d5d27a85d71

SHA256
7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0

SHA512
34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026

Download Submit
C:\Users\Admin\AppData\Local\Temp\74B3.tmp\hr3
Filesize
68B

MD5
2f80d672ebc81a968e19484fdcd45e21

SHA1
8f2d31be6e01166598a24d9d740f35a33485adcb

SHA256
26c21873e39302e6f9a2471ff50578817888e3f0ea3150966f29c9dfe6b78505

SHA512
8883d86ae2e66755dad5f977ec6c24b75663d5e122337a8b8da67edb727227e416170ef63b108554d88f7957f628c2fb1d8b3b403286e3d905e4cedd6179d985

Download Submit
C:\Users\Admin\AppData\Local\Temp\74B3.tmp\settings3.bin
Filesize
327B

MD5
52f371dd4820f6fd42d0e6fdc7cd4d32

SHA1
2ffc7a7e48cf7df170337a82a769ab2cd17a6b83

SHA256
acfe9ba962f6beb23f5cf6a0e7a2835ea47f4442c2bba60d272792dc83af2c7e

SHA512
39734fc62cbc9d4258228a71e3c57a1085615405a07d885555681f628fa3d2b0e14c6f28b358d4491a95941bc086ae4b6d876103c309d8d3fcf941983fa94562

Download Submit
C:\Users\Admin\AppData\Local\Temp\74B3.tmp\svchost.exe
Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\74B3.tmp\svchost.exe
Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\74B3.tmp\svchost.exe
Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3602.tmp
Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3663.tmp
Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\167nfkxe.default-release\cookies.sqlite.id[CB27636F-3483].[[email protected]].8base
Filesize
96KB

MD5
ba8a29b3b512225751014385126f04fe

SHA1
fd3bb2a5333b36ed58c15a7b484017db7df11b95

SHA256
471f7bd9c20ff295b6da871b326ffe07968df0417dec46058ed076063c05ea6d

SHA512
6c798b01bad1e0bd0a9f10e2acf1c101f144c995415997f90b420cd80661a05afd7c4038eca2645528af37b1d253b352b2c2b2f43f6786a38d998dc5ca0ee622

Download Submit
C:\Users\Admin\AppData\Roaming\faariuv
Filesize
438KB

MD5
e28422e7a5c7334932f7f039fa88afea

SHA1
ca0d03bdeed031ab82d9d239592f20a872992ce2

SHA256
b74f8530f0fda9efc13e0a6dcdb955b2db2dbe642c01f24828794151df615d28

SHA512
fe5cea931617cec15510e3c90351c817b7685a8e3a65b1905eaca71a20aff9454cf0ed4f8c7b6ba8b66d9bd6695f893d8361a78fdc19474a29d5ddb54bae0151

Download Submit
C:\Users\Admin\AppData\Roaming\rctschg
Filesize
259KB

MD5
93ce7d54193f795f9d48942e2d65513f

SHA1
400c05d65cdce25ac9d84ebc43f7c87defa11a0f

SHA256
54e1295c5df189db7bf1b5c3a2d6e190d41709b75754c1f6ce22cb767d488c5e

SHA512
7f473571b2e1ade66aeaf4ac1e093a8faf49fd044c42a5196399bb3032208e7ebdaa18fd9c202305483da609d6881cd793f7cae3bed45e8e59fe6c747462648b

Download Submit
C:\Users\Admin\Desktop\ReceiveNew.xsl.id[CB27636F-3483].[[email protected]].8base
Filesize
286KB

MD5
3b16084322b70154cf0e3f1297b5f8d8

SHA1
1e57aff7ccf98e259664f6d1914f3c8e9c2d9ee4

SHA256
2ec5ff77521469a040e4a7584f003f10e3dc047131f3d87f7b77fe45da17c8be

SHA512
ef031ac58f870c334284090d3ffcb75796787eae6ddbe0d50852b992ebe00779c34313728ad8ec6c66949758ccc5e2f7fbfab34bc3468eb9a3e220fd27210751

Download Submit
C:\Users\Admin\Desktop\RegisterCompare.hta.id[CB27636F-3483].[[email protected]].8base
Filesize
199KB

MD5
9fbd66c6fa3e7274d26a025df7f21941

SHA1
53449de7f65a9de68ace91b5045450d10cbe0a2c

SHA256
cf9b2b7f628c9bbc3e26b7570fff7af378cb4df00628cabdec3f264ee1bab8a8

SHA512
fa6a15f18fed51f732ab956fd223815c0d1a0ca9f4dd2e7167f07bb0c3158fed0ed609f29c3df6d51eecc15e71b87cefadc4f03317ccd8d6ad0726f40d214126

Download Submit
C:\Users\Admin\Desktop\RequestDeny.aif.id[CB27636F-3483].[[email protected]].8base
Filesize
162KB

MD5
e819ed11c1a13d5e8959fccc839bfcf3

SHA1
5f3612cdcf054bf7ebcf92e552dcbc73f282aa64

SHA256
9ef7d8125798943260cb63e55296ab02adbf01ce2ce86bf465415711a2109dda

SHA512
af00dba31b87f593fbbbe2d72b167b2e31bf2d33ee453602793efe1566a4b6b8e8571175159f0ce425d8c48f19f47adb2d3d249a08810f234bc22e7dee5a5769

Download Submit
C:\Users\Admin\Desktop\ResetConvertFrom.vssx.id[CB27636F-3483].[[email protected]].8base
Filesize
211KB

MD5
0dcd2f547cbdc6ee8f3f33d7e0ed0d1c

SHA1
6cebf10ed4ec65c77c29fcf11a9485c9a6494fef

SHA256
1d84f615ac52385d7ecf8af55cadb38e0183facf3aa021a03418b1c0dbab3a00

SHA512
3cf5fb774c48ac24db0099093e52be550b621598706d292697e9d4b8c8b9f2f9465a22ce833510e21287577a4c39746abfc84a4ea526cfc80121deca97155d2e

Download Submit
C:\Users\Admin\Desktop\RevokeResume.mht.id[CB27636F-3483].[[email protected]].8base
Filesize
261KB

MD5
fcbf18272468e893515fc7708d42549f

SHA1
4ae1f5cf10214a8c4936bbbd069fd969746a2df8

SHA256
c5289bfaaf09a214d8ff10d82aa161219c85cc5710ff3fddbeceb28ffaf968b2

SHA512
f213fa30e14b3a1d90718890c7f839baba3e3561e40df80ed84fe18a5d39f9e9d57a6cff24abb4946de91b8458bf8caf96d27f2a849bcc4d116bea9f614f8bd6

Download Submit
C:\Users\Admin\Desktop\SkipMove.dxf.id[CB27636F-3483].[[email protected]].8base
Filesize
361KB

MD5
0be64de828adfd23f97520e574d19e8d

SHA1
17531e230be78b7151ffe66b81367e19d9ab5cc3

SHA256
01d0e3f0b02ef1a795506dde8e414d9c21d8244df6b595290ea04b7a8cf0623d

SHA512
f5a3c2a2c78ee12553f892e34ab75e9bba3372dc0840cd220b256046f2d7f3488f08a879aa264829cddb87100568c30115edcd8d9822bbbe0b55a43fcee0cf31

Download Submit
C:\Users\Admin\Desktop\SplitMove.wmv.id[CB27636F-3483].[[email protected]].8base
Filesize
373KB

MD5
1496af4ad845273ebd0cbbcab3194c29

SHA1
94060393ee0bee4f75aa3d6b1a28dc803fc68e21

SHA256
c0b7698d3ec57448801eec6f4eb8bcc71d52c6f30ccd92eeefdfa4c6b14830a4

SHA512
94a5ecfedf7c6179b9b7b57cc2c88a7f53e0793a1b41a6e6c1f8efaa5855ab7a83bcc1ad6f2e41a88d1aa7103bde49bedfa6e18644e6f5730752fda79ddc5a11

Download Submit
C:\Users\Admin\Desktop\SwitchShow.htm.id[CB27636F-3483].[[email protected]].8base
Filesize
236KB

MD5
af9a51c06d0b5f9053cc0f45c5223f6a

SHA1
2e67487854c237ad17fc7b3540470c9fc07a1c6f

SHA256
3b1e5052b10c68a77b971d177539930231989f154ad3b6deca9f61c61cfbe834

SHA512
f08cd17e3bf46ca38bea2829e39f9482894f04d0a98339ad4ef84bc6887dfdc2d1b2fb58ec5e5bd627e6e3c811c2878bd25a51cebfd119d4f2ab7c9c36fde6ba

Download Submit
C:\Users\Admin\Desktop\UnregisterDisable.ps1xml.id[CB27636F-3483].[[email protected]].8base
Filesize
323KB

MD5
d7fe3464f5273f8ca5d939b400272405

SHA1
ff11161b5672c37eaecd214752728ccaddb3c5b2

SHA256
ad7cee22e21da8ed6e3acca8cf05870d35d1d57f341d0239c5d4af6d5c695b71

SHA512
e25ccd04cdc4fe6c4d999fe6000b1d9058fa822cd3bd6f14bfb563273cd8425270e91391e2395b48dce52672535a695a6bf40da129e90d2c85fa4bc438a5f6a6

Download Submit
C:\Users\Admin\Desktop\UseHide.xht.id[CB27636F-3483].[[email protected]].8base
Filesize
585KB

MD5
8f1b7822eb7d5c55211114e3449e2541

SHA1
5422d043c4c96b0a495532323b223a651aa11380

SHA256
c085ff15cefd6b84902b6308502f151adfdfa6b97c7fcb49e72c6e9b6489c249

SHA512
c6fec62dab42e3b8f5d84dc142db4dd952deac7191453c512889969677e043a93d993a870ae0870b0bb18fb5e4923cf670b064f54fe6cd01a75aabfddb88c768

Download Submit
C:\Users\Admin\Desktop\WaitUndo.tiff.id[CB27636F-3483].[[email protected]].8base
Filesize
410KB

MD5
a996f86e64ce34d2d07c0d54cb101c1b

SHA1
8e60d6be82c586b60a9c6d3093329ac9a34fdd52

SHA256
8d11d59817c00e834503ad7f5e5fd1ddcff0fbcff99e4bf8737f8eb2e54c9429

SHA512
0c439ec71c95e6d41ad247f8cfa1c37910e6ba81c1f39ea112f5816229aec2c8e34a66e6b04e06c7d4897b2feb1b6e8894c1a8f7aea97f7a5cb59d59487d01cb

Download Submit
C:\info.hta
Filesize
5KB

MD5
c9d9ad886f26ea145d709a201a05f516

SHA1
26ff471b36f8d6cdf0ba521fae8d1d84ea027bfe

SHA256
5cd2faa500bc9367ba0a6fa47006fdec8d9caf87ad8e6183e1226c51c6ff4e43

SHA512
de6d825eda45a5465e7b58f010fb31b60b763adbe2a2e9e75dbde01683967151ca3c7e3076f35ab9a9995e7f2e78205c65b5be6e6742a508470c009d84b307b6

Download Submit
\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
\Users\Admin\AppData\Local\Microsoft\uGwrLm3.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
\Users\Admin\AppData\Local\Temp\26D2.exe
Filesize
271KB

MD5
8581a33bb410c7674705ca163c6f75ad

SHA1
3dd6bb5a8786eb073a6f7d26454a8ddbffbbe48f

SHA256
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

SHA512
4519a93e98b555a4eac8c18cb61bd28c862d47d6036362f9776074ae897e621202ad80d28f83686bfe3d185081ebd19ac951183768851f3bf17a403c73624302

Download Submit
\Users\Admin\AppData\Local\Temp\2B84.exe
Filesize
246KB

MD5
fbf0a1dac97318a3ae3824184959a0f3

SHA1
a1c19f2a7802754f1aab8a744fbeb4b955f9491e

SHA256
cc3c25428fc709184339f227c7861dcc8d881c5175183e1de7a5f1070b8f6475

SHA512
d519afcc72d56877f9f118e15c8c99070a892ea4f2162eeac57a2925b5f03da8e3a0160e98f122484c1243818f7a9168aa1e6e4bd0802c9cfb3f49c4383cb949

Download Submit
\Users\Admin\AppData\Local\Temp\2B84.exe
Filesize
246KB

MD5
fbf0a1dac97318a3ae3824184959a0f3

SHA1
a1c19f2a7802754f1aab8a744fbeb4b955f9491e

SHA256
cc3c25428fc709184339f227c7861dcc8d881c5175183e1de7a5f1070b8f6475

SHA512
d519afcc72d56877f9f118e15c8c99070a892ea4f2162eeac57a2925b5f03da8e3a0160e98f122484c1243818f7a9168aa1e6e4bd0802c9cfb3f49c4383cb949

Download Submit
\Users\Admin\AppData\Local\Temp\74B3.tmp\aa_nts.dll
Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
\Users\Admin\AppData\Local\Temp\74B3.tmp\aa_nts.dll
Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
\Users\Admin\AppData\Local\Temp\74B3.tmp\aa_nts.dll
Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
\Users\Admin\AppData\Local\Temp\74B3.tmp\aa_nts.dll
Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
\Users\Admin\AppData\Local\Temp\74B3.tmp\svchost.exe
Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
\Users\Admin\AppData\Local\Temp\74B3.tmp\svchost.exe
Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
memory/400-2956-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/400-2957-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/1052-3045-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1052-2605-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1052-2604-0x00000000000C0000-0x000000000012B000-memory.dmp

Filesize
428KB

Download
memory/1420-98-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1420-82-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1420-102-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1420-103-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1420-78-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1420-90-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1420-417-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1420-93-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1420-86-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1420-74-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1420-76-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1696-3039-0x0000000000070000-0x0000000000079000-memory.dmp

Filesize
36KB

Download
memory/1696-3041-0x0000000000060000-0x000000000006F000-memory.dmp

Filesize
60KB

Download
memory/1960-2079-0x0000000073010000-0x00000000736FE000-memory.dmp

Filesize
6.9MB

Download
memory/1960-2241-0x0000000073010000-0x00000000736FE000-memory.dmp

Filesize
6.9MB

Download
memory/1960-2082-0x0000000001130000-0x000000000117A000-memory.dmp

Filesize
296KB

Download
memory/2008-91-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2008-83-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2008-85-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2008-87-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2008-97-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2008-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2192-65-0x00000000048F0000-0x0000000004930000-memory.dmp

Filesize
256KB

Download
memory/2192-59-0x00000000000B0000-0x00000000000FA000-memory.dmp

Filesize
296KB

Download
memory/2192-62-0x00000000004C0000-0x0000000000506000-memory.dmp

Filesize
280KB

Download
memory/2192-61-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2192-64-0x0000000001EC0000-0x0000000001EF4000-memory.dmp

Filesize
208KB

Download
memory/2192-101-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2216-0-0x0000000000EC0000-0x0000000000F96000-memory.dmp

Filesize
856KB

Download
memory/2216-1-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2216-2-0x0000000000CD0000-0x0000000000D48000-memory.dmp

Filesize
480KB

Download
memory/2216-3-0x0000000000480000-0x00000000004C0000-memory.dmp

Filesize
256KB

Download
memory/2216-4-0x0000000000DD0000-0x0000000000E38000-memory.dmp

Filesize
416KB

Download
memory/2216-5-0x0000000000A10000-0x0000000000A5C000-memory.dmp

Filesize
304KB

Download
memory/2216-17-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2588-18-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2588-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2588-36-0x00000000023A0000-0x00000000027A0000-memory.dmp

Filesize
4.0MB

Download
memory/2588-21-0x00000000023A0000-0x00000000027A0000-memory.dmp

Filesize
4.0MB

Download
memory/2588-22-0x00000000023A0000-0x00000000027A0000-memory.dmp

Filesize
4.0MB

Download
memory/2588-20-0x00000000023A0000-0x00000000027A0000-memory.dmp

Filesize
4.0MB

Download
memory/2588-35-0x00000000023A0000-0x00000000027A0000-memory.dmp

Filesize
4.0MB

Download
memory/2588-34-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2588-19-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/2588-32-0x0000000000B40000-0x0000000000B76000-memory.dmp

Filesize
216KB

Download
memory/2588-23-0x00000000023A0000-0x00000000027A0000-memory.dmp

Filesize
4.0MB

Download
memory/2588-16-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2588-26-0x0000000000B40000-0x0000000000B76000-memory.dmp

Filesize
216KB

Download
memory/2588-33-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2588-14-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2588-6-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2588-11-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2588-10-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2588-8-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2640-2130-0x0000000000DD0000-0x0000000000E14000-memory.dmp

Filesize
272KB

Download
memory/2640-2131-0x0000000073010000-0x00000000736FE000-memory.dmp

Filesize
6.9MB

Download
memory/2640-3028-0x0000000004760000-0x00000000047A0000-memory.dmp

Filesize
256KB

Download
memory/2640-3130-0x0000000000B80000-0x0000000000BC2000-memory.dmp

Filesize
264KB

Download
memory/2640-2955-0x0000000073010000-0x00000000736FE000-memory.dmp

Filesize
6.9MB

Download
memory/2640-2311-0x0000000004760000-0x00000000047A0000-memory.dmp

Filesize
256KB

Download
memory/2680-2572-0x00000000000C0000-0x000000000012B000-memory.dmp

Filesize
428KB

Download
memory/2680-2504-0x00000000000C0000-0x000000000012B000-memory.dmp

Filesize
428KB

Download
memory/2680-2497-0x00000000001D0000-0x0000000000245000-memory.dmp

Filesize
468KB

Download
memory/2692-2242-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2768-54-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2768-45-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2768-24-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/2768-25-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/2768-133-0x0000000077110000-0x00000000772B9000-memory.dmp

Filesize
1.7MB

Download
memory/2768-132-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2768-38-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2768-39-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2768-40-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2768-41-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2768-42-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2768-43-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2768-47-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2768-49-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2768-69-0x0000000077110000-0x00000000772B9000-memory.dmp

Filesize
1.7MB

Download
memory/2768-48-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2768-63-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2768-55-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2768-53-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2768-52-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2768-51-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2768-50-0x0000000077110000-0x00000000772B9000-memory.dmp

Filesize
1.7MB

Download
memory/2800-106-0x0000000073A40000-0x000000007412E000-memory.dmp

Filesize
6.9MB

Download
memory/2800-105-0x00000000000B0000-0x00000000000FA000-memory.dmp

Filesize
296KB

Download
memory/2800-107-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/2800-124-0x0000000073A40000-0x000000007412E000-memory.dmp

Filesize
6.9MB

Download
memory/2956-2662-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/3016-70-0x0000000000A80000-0x0000000000AC2000-memory.dmp

Filesize
264KB

Download
memory/3016-72-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/3016-73-0x0000000000650000-0x0000000000682000-memory.dmp

Filesize
200KB

Download
memory/3016-68-0x00000000001E0000-0x0000000000228000-memory.dmp

Filesize
288KB

Download
memory/3016-95-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/3044-3032-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/3044-3029-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download