ammyyadmin | ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6

Analysis

max time kernel
114s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2023 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6f506f57365deb1b24b84eafbd9271f.exe
Size

468KB
MD5

e6f506f57365deb1b24b84eafbd9271f
SHA1

d120720527f6d02f2c6e058bc95cc18d8c23f269
SHA256

ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6
SHA512

3273f5720d13ae0c77eb9e35ef52368f187b4acfe1e40471629c6e51e0f7c442f420bd0cbbe1f5e21918760fdd260cb86b7086eb93d92e28d00b502cd3e066e9
SSDEEP

12288:zPmdD7nWjmGR5iErreKOOkLsxhDzfrroATRwJJ:7mN7u5iEKOKalroATRwX

Score

10^/10

ammyyadmin phobos rhadamanthys smokeloader xmrig backdoor collection evasion miner persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\A96A.tmp\svchost.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\A96A.tmp\svchost.exe	family_ammyyadmin

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/396-14-0x00000000032C0000-0x00000000036C0000-memory.dmp	family_rhadamanthys
behavioral2/memory/396-15-0x00000000032C0000-0x00000000036C0000-memory.dmp	family_rhadamanthys
behavioral2/memory/396-16-0x00000000032C0000-0x00000000036C0000-memory.dmp	family_rhadamanthys
behavioral2/memory/396-17-0x00000000032C0000-0x00000000036C0000-memory.dmp	family_rhadamanthys
behavioral2/memory/396-27-0x00000000032C0000-0x00000000036C0000-memory.dmp	family_rhadamanthys
behavioral2/memory/396-29-0x00000000032C0000-0x00000000036C0000-memory.dmp	family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

e6f506f57365deb1b24b84eafbd9271f.exe

description pid process target process

PID 396 created 3200 396 e6f506f57365deb1b24b84eafbd9271f.exe Explorer.EXE
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4420 bcdedit.exe
2812 bcdedit.exe
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

description	pid	process	target process
PID 396 created 3200	396	e6f506f57365deb1b24b84eafbd9271f.exe	Explorer.EXE

pid	process
4420	bcdedit.exe
2812	bcdedit.exe

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3220-2394-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig

Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

396 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

4108 netsh.exe
3356 netsh.exe
Drops startup file 1 IoCs

Processes:

W8-sYXr%.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\W8-sYXr%.exe W8-sYXr%.exe

pid	process
396	wbadmin.exe

pid	process
4108	netsh.exe
3356	netsh.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\W8-sYXr%.exe	W8-sYXr%.exe

Executes dropped EXE 14 IoCs

Processes:

W8-sYXr%.exe3fs2S1$m.exeW8-sYXr%.exenT%Qu%Q.exe3fs2S1$m.exe3fs2S1$m.exeW8-sYXr%.exeW8-sYXr%.exe6925.exe6925.exe6CC0.exe6925.exe6925.exesvchost.exe

pid	process
4184	W8-sYXr%.exe
2012	3fs2S1$m.exe
656	W8-sYXr%.exe
1420	nT%Qu%Q.exe
540	3fs2S1$m.exe
3016	3fs2S1$m.exe
792	W8-sYXr%.exe
3572	W8-sYXr%.exe
1388	6925.exe
1536	6925.exe
228	6CC0.exe
4564	6925.exe
3184	6925.exe
3744	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

explorer.execertreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

W8-sYXr%.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\W8-sYXr% = "C:\\Users\\Admin\\AppData\\Local\\W8-sYXr%.exe"	W8-sYXr%.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\W8-sYXr% = "C:\\Users\\Admin\\AppData\\Local\\W8-sYXr%.exe"	W8-sYXr%.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

W8-sYXr%.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2344688013-2965468717-2034126-1000\desktop.ini	W8-sYXr%.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2344688013-2965468717-2034126-1000\desktop.ini	W8-sYXr%.exe
File opened for modification	C:\Program Files\desktop.ini	W8-sYXr%.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

e6f506f57365deb1b24b84eafbd9271f.exeW8-sYXr%.exe3fs2S1$m.exenT%Qu%Q.exeW8-sYXr%.exeaspnet_compiler.exe6925.exe6925.exe

description	pid	process	target process
PID 4256 set thread context of 396	4256	e6f506f57365deb1b24b84eafbd9271f.exe	e6f506f57365deb1b24b84eafbd9271f.exe
PID 4184 set thread context of 656	4184	W8-sYXr%.exe	W8-sYXr%.exe
PID 2012 set thread context of 3016	2012	3fs2S1$m.exe	3fs2S1$m.exe
PID 1420 set thread context of 3252	1420	nT%Qu%Q.exe	aspnet_compiler.exe
PID 792 set thread context of 3572	792	W8-sYXr%.exe	W8-sYXr%.exe
PID 3252 set thread context of 3220	3252	aspnet_compiler.exe	AddInProcess.exe
PID 1388 set thread context of 1536	1388	6925.exe	6925.exe
PID 4564 set thread context of 3184	4564	6925.exe	6925.exe

Drops file in Program Files directory 64 IoCs

Processes:

W8-sYXr%.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\java.security	W8-sYXr%.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui	W8-sYXr%.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\t2k.dll.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\[email protected]	W8-sYXr%.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\3RDPARTY	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar	W8-sYXr%.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.w3c.dom.svg_1.1.0.v201011041433.jar.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_zh_4.4.0.v20140623020002.jar.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll	W8-sYXr%.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\instrument.dll	W8-sYXr%.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\cmm\LINEAR_RGB.pf	W8-sYXr%.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\core_zh_CN.jar.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-options-api.jar.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_ja.jar.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml	W8-sYXr%.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	W8-sYXr%.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar	W8-sYXr%.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-convert-l1-1-0.dll	W8-sYXr%.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\sRGB.pf.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\dt.jar	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.zh_CN_5.5.0.165303.jar.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_zh_4.4.0.v20140623020002.jar	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_ja.jar.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	W8-sYXr%.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_zh_CN.jar.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_zh_CN.jar	W8-sYXr%.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\management.dll.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml	W8-sYXr%.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui	W8-sYXr%.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCallbacks.h	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_sv.properties.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\instrument.dll	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-api-caching.jar	W8-sYXr%.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar	W8-sYXr%.exe
File created	C:\Program Files\Microsoft Office\root\Client\ucrtbase.dll.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di_1.4.0.v20140414-1837.jar.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar.id[6C8CEE4F-3483].[[email protected]].8base	W8-sYXr%.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe3fs2S1$m.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3fs2S1$m.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3fs2S1$m.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3fs2S1$m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1176 vssadmin.exe

pid	process
1176	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e6f506f57365deb1b24b84eafbd9271f.execertreq.exe3fs2S1$m.exe3fs2S1$m.exenT%Qu%Q.exeExplorer.EXEW8-sYXr%.exe

pid	process
396	e6f506f57365deb1b24b84eafbd9271f.exe
396	e6f506f57365deb1b24b84eafbd9271f.exe
396	e6f506f57365deb1b24b84eafbd9271f.exe
396	e6f506f57365deb1b24b84eafbd9271f.exe
1464	certreq.exe
1464	certreq.exe
1464	certreq.exe
1464	certreq.exe
2012	3fs2S1$m.exe
2012	3fs2S1$m.exe
3016	3fs2S1$m.exe
3016	3fs2S1$m.exe
1420	nT%Qu%Q.exe
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
656	W8-sYXr%.exe
656	W8-sYXr%.exe
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
656	W8-sYXr%.exe
656	W8-sYXr%.exe
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
656	W8-sYXr%.exe
656	W8-sYXr%.exe
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
656	W8-sYXr%.exe
656	W8-sYXr%.exe
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3200 Explorer.EXE
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

648

pid	process
3200	Explorer.EXE

pid	process
648

Suspicious behavior: MapViewOfSection 33 IoCs

Processes:

3fs2S1$m.exeExplorer.EXEexplorer.exe

pid	process
3016	3fs2S1$m.exe
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE
3208	explorer.exe
3208	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e6f506f57365deb1b24b84eafbd9271f.exeW8-sYXr%.exe3fs2S1$m.exenT%Qu%Q.exeW8-sYXr%.exeW8-sYXr%.exeaspnet_compiler.exevssvc.exeWMIC.exeExplorer.EXEwbengine.exeAddInProcess.exe6925.exe6925.exe

description	pid	process
Token: SeDebugPrivilege	4256	e6f506f57365deb1b24b84eafbd9271f.exe
Token: SeDebugPrivilege	4184	W8-sYXr%.exe
Token: SeDebugPrivilege	2012	3fs2S1$m.exe
Token: SeDebugPrivilege	1420	nT%Qu%Q.exe
Token: SeDebugPrivilege	792	W8-sYXr%.exe
Token: SeDebugPrivilege	656	W8-sYXr%.exe
Token: SeDebugPrivilege	3252	aspnet_compiler.exe
Token: SeBackupPrivilege	684	vssvc.exe
Token: SeRestorePrivilege	684	vssvc.exe
Token: SeAuditPrivilege	684	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4292	WMIC.exe
Token: SeSecurityPrivilege	4292	WMIC.exe
Token: SeTakeOwnershipPrivilege	4292	WMIC.exe
Token: SeLoadDriverPrivilege	4292	WMIC.exe
Token: SeSystemProfilePrivilege	4292	WMIC.exe
Token: SeSystemtimePrivilege	4292	WMIC.exe
Token: SeProfSingleProcessPrivilege	4292	WMIC.exe
Token: SeIncBasePriorityPrivilege	4292	WMIC.exe
Token: SeCreatePagefilePrivilege	4292	WMIC.exe
Token: SeBackupPrivilege	4292	WMIC.exe
Token: SeRestorePrivilege	4292	WMIC.exe
Token: SeShutdownPrivilege	4292	WMIC.exe
Token: SeDebugPrivilege	4292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4292	WMIC.exe
Token: SeRemoteShutdownPrivilege	4292	WMIC.exe
Token: SeUndockPrivilege	4292	WMIC.exe
Token: SeManageVolumePrivilege	4292	WMIC.exe
Token: 33	4292	WMIC.exe
Token: 34	4292	WMIC.exe
Token: 35	4292	WMIC.exe
Token: 36	4292	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4292	WMIC.exe
Token: SeSecurityPrivilege	4292	WMIC.exe
Token: SeTakeOwnershipPrivilege	4292	WMIC.exe
Token: SeLoadDriverPrivilege	4292	WMIC.exe
Token: SeSystemProfilePrivilege	4292	WMIC.exe
Token: SeSystemtimePrivilege	4292	WMIC.exe
Token: SeProfSingleProcessPrivilege	4292	WMIC.exe
Token: SeIncBasePriorityPrivilege	4292	WMIC.exe
Token: SeCreatePagefilePrivilege	4292	WMIC.exe
Token: SeBackupPrivilege	4292	WMIC.exe
Token: SeRestorePrivilege	4292	WMIC.exe
Token: SeShutdownPrivilege	4292	WMIC.exe
Token: SeDebugPrivilege	4292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4292	WMIC.exe
Token: SeRemoteShutdownPrivilege	4292	WMIC.exe
Token: SeUndockPrivilege	4292	WMIC.exe
Token: SeManageVolumePrivilege	4292	WMIC.exe
Token: 33	4292	WMIC.exe
Token: 34	4292	WMIC.exe
Token: 35	4292	WMIC.exe
Token: 36	4292	WMIC.exe
Token: SeShutdownPrivilege	3200	Explorer.EXE
Token: SeCreatePagefilePrivilege	3200	Explorer.EXE
Token: SeBackupPrivilege	4724	wbengine.exe
Token: SeRestorePrivilege	4724	wbengine.exe
Token: SeSecurityPrivilege	4724	wbengine.exe
Token: SeShutdownPrivilege	3200	Explorer.EXE
Token: SeCreatePagefilePrivilege	3200	Explorer.EXE
Token: SeLockMemoryPrivilege	3220	AddInProcess.exe
Token: SeLockMemoryPrivilege	3220	AddInProcess.exe
Token: SeDebugPrivilege	1388	6925.exe
Token: SeDebugPrivilege	4564	6925.exe
Token: SeShutdownPrivilege	3200	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AddInProcess.exe

pid process

3220 AddInProcess.exe

pid	process
3220	AddInProcess.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e6f506f57365deb1b24b84eafbd9271f.exee6f506f57365deb1b24b84eafbd9271f.exeW8-sYXr%.exe3fs2S1$m.exenT%Qu%Q.exeW8-sYXr%.exeW8-sYXr%.execmd.execmd.exe

description	pid	process	target process
PID 4256 wrote to memory of 396	4256	e6f506f57365deb1b24b84eafbd9271f.exe	e6f506f57365deb1b24b84eafbd9271f.exe
PID 4256 wrote to memory of 396	4256	e6f506f57365deb1b24b84eafbd9271f.exe	e6f506f57365deb1b24b84eafbd9271f.exe
PID 4256 wrote to memory of 396	4256	e6f506f57365deb1b24b84eafbd9271f.exe	e6f506f57365deb1b24b84eafbd9271f.exe
PID 4256 wrote to memory of 396	4256	e6f506f57365deb1b24b84eafbd9271f.exe	e6f506f57365deb1b24b84eafbd9271f.exe
PID 4256 wrote to memory of 396	4256	e6f506f57365deb1b24b84eafbd9271f.exe	e6f506f57365deb1b24b84eafbd9271f.exe
PID 4256 wrote to memory of 396	4256	e6f506f57365deb1b24b84eafbd9271f.exe	e6f506f57365deb1b24b84eafbd9271f.exe
PID 4256 wrote to memory of 396	4256	e6f506f57365deb1b24b84eafbd9271f.exe	e6f506f57365deb1b24b84eafbd9271f.exe
PID 4256 wrote to memory of 396	4256	e6f506f57365deb1b24b84eafbd9271f.exe	e6f506f57365deb1b24b84eafbd9271f.exe
PID 396 wrote to memory of 1464	396	e6f506f57365deb1b24b84eafbd9271f.exe	certreq.exe
PID 396 wrote to memory of 1464	396	e6f506f57365deb1b24b84eafbd9271f.exe	certreq.exe
PID 396 wrote to memory of 1464	396	e6f506f57365deb1b24b84eafbd9271f.exe	certreq.exe
PID 396 wrote to memory of 1464	396	e6f506f57365deb1b24b84eafbd9271f.exe	certreq.exe
PID 4184 wrote to memory of 656	4184	W8-sYXr%.exe	W8-sYXr%.exe
PID 4184 wrote to memory of 656	4184	W8-sYXr%.exe	W8-sYXr%.exe
PID 4184 wrote to memory of 656	4184	W8-sYXr%.exe	W8-sYXr%.exe
PID 4184 wrote to memory of 656	4184	W8-sYXr%.exe	W8-sYXr%.exe
PID 4184 wrote to memory of 656	4184	W8-sYXr%.exe	W8-sYXr%.exe
PID 4184 wrote to memory of 656	4184	W8-sYXr%.exe	W8-sYXr%.exe
PID 4184 wrote to memory of 656	4184	W8-sYXr%.exe	W8-sYXr%.exe
PID 4184 wrote to memory of 656	4184	W8-sYXr%.exe	W8-sYXr%.exe
PID 4184 wrote to memory of 656	4184	W8-sYXr%.exe	W8-sYXr%.exe
PID 4184 wrote to memory of 656	4184	W8-sYXr%.exe	W8-sYXr%.exe
PID 2012 wrote to memory of 540	2012	3fs2S1$m.exe	3fs2S1$m.exe
PID 2012 wrote to memory of 540	2012	3fs2S1$m.exe	3fs2S1$m.exe
PID 2012 wrote to memory of 540	2012	3fs2S1$m.exe	3fs2S1$m.exe
PID 2012 wrote to memory of 3016	2012	3fs2S1$m.exe	3fs2S1$m.exe
PID 2012 wrote to memory of 3016	2012	3fs2S1$m.exe	3fs2S1$m.exe
PID 2012 wrote to memory of 3016	2012	3fs2S1$m.exe	3fs2S1$m.exe
PID 2012 wrote to memory of 3016	2012	3fs2S1$m.exe	3fs2S1$m.exe
PID 2012 wrote to memory of 3016	2012	3fs2S1$m.exe	3fs2S1$m.exe
PID 2012 wrote to memory of 3016	2012	3fs2S1$m.exe	3fs2S1$m.exe
PID 1420 wrote to memory of 3252	1420	nT%Qu%Q.exe	aspnet_compiler.exe
PID 1420 wrote to memory of 3252	1420	nT%Qu%Q.exe	aspnet_compiler.exe
PID 1420 wrote to memory of 3252	1420	nT%Qu%Q.exe	aspnet_compiler.exe
PID 1420 wrote to memory of 3252	1420	nT%Qu%Q.exe	aspnet_compiler.exe
PID 1420 wrote to memory of 3252	1420	nT%Qu%Q.exe	aspnet_compiler.exe
PID 1420 wrote to memory of 3252	1420	nT%Qu%Q.exe	aspnet_compiler.exe
PID 792 wrote to memory of 3572	792	W8-sYXr%.exe	W8-sYXr%.exe
PID 792 wrote to memory of 3572	792	W8-sYXr%.exe	W8-sYXr%.exe
PID 792 wrote to memory of 3572	792	W8-sYXr%.exe	W8-sYXr%.exe
PID 792 wrote to memory of 3572	792	W8-sYXr%.exe	W8-sYXr%.exe
PID 792 wrote to memory of 3572	792	W8-sYXr%.exe	W8-sYXr%.exe
PID 792 wrote to memory of 3572	792	W8-sYXr%.exe	W8-sYXr%.exe
PID 792 wrote to memory of 3572	792	W8-sYXr%.exe	W8-sYXr%.exe
PID 792 wrote to memory of 3572	792	W8-sYXr%.exe	W8-sYXr%.exe
PID 792 wrote to memory of 3572	792	W8-sYXr%.exe	W8-sYXr%.exe
PID 792 wrote to memory of 3572	792	W8-sYXr%.exe	W8-sYXr%.exe
PID 656 wrote to memory of 4328	656	W8-sYXr%.exe	cmd.exe
PID 656 wrote to memory of 4328	656	W8-sYXr%.exe	cmd.exe
PID 656 wrote to memory of 4872	656	W8-sYXr%.exe	cmd.exe
PID 656 wrote to memory of 4872	656	W8-sYXr%.exe	cmd.exe
PID 4872 wrote to memory of 4108	4872	cmd.exe	netsh.exe
PID 4872 wrote to memory of 4108	4872	cmd.exe	netsh.exe
PID 4328 wrote to memory of 1176	4328	cmd.exe	vssadmin.exe
PID 4328 wrote to memory of 1176	4328	cmd.exe	vssadmin.exe
PID 4872 wrote to memory of 3356	4872	cmd.exe	netsh.exe
PID 4872 wrote to memory of 3356	4872	cmd.exe	netsh.exe
PID 4328 wrote to memory of 4292	4328	cmd.exe	WMIC.exe
PID 4328 wrote to memory of 4292	4328	cmd.exe	WMIC.exe
PID 4328 wrote to memory of 4420	4328	cmd.exe	bcdedit.exe
PID 4328 wrote to memory of 4420	4328	cmd.exe	bcdedit.exe
PID 4328 wrote to memory of 2812	4328	cmd.exe	bcdedit.exe
PID 4328 wrote to memory of 2812	4328	cmd.exe	bcdedit.exe
PID 4328 wrote to memory of 396	4328	cmd.exe	wbadmin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe
"C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4256

C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe
C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1464

C:\Users\Admin\AppData\Local\Temp\6925.exe
C:\Users\Admin\AppData\Local\Temp\6925.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Users\Admin\AppData\Local\Temp\6925.exe
C:\Users\Admin\AppData\Local\Temp\6925.exe
3⤵
- Executes dropped EXE
PID:1536

C:\Users\Admin\AppData\Local\Temp\6925.exe
"C:\Users\Admin\AppData\Local\Temp\6925.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Users\Admin\AppData\Local\Temp\6925.exe
C:\Users\Admin\AppData\Local\Temp\6925.exe
5⤵
- Executes dropped EXE
PID:3184

C:\Users\Admin\AppData\Local\Temp\6CC0.exe
C:\Users\Admin\AppData\Local\Temp\6CC0.exe
2⤵
- Executes dropped EXE
PID:228

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1684

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4988

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1464

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2152

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4124

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4136

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3968

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4248

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1216

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1912

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2540

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2868

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1764

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4328

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Suspicious behavior: MapViewOfSection
PID:3208

C:\Users\Admin\AppData\Local\Temp\A96A.tmp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\A96A.tmp\svchost.exe -debug
3⤵
- Executes dropped EXE
PID:3744

C:\Users\Admin\AppData\Local\Microsoft\W8-sYXr%.exe
"C:\Users\Admin\AppData\Local\Microsoft\W8-sYXr%.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184

C:\Users\Admin\AppData\Local\Microsoft\W8-sYXr%.exe
C:\Users\Admin\AppData\Local\Microsoft\W8-sYXr%.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:656

C:\Users\Admin\AppData\Local\Microsoft\W8-sYXr%.exe
"C:\Users\Admin\AppData\Local\Microsoft\W8-sYXr%.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Local\Microsoft\W8-sYXr%.exe
C:\Users\Admin\AppData\Local\Microsoft\W8-sYXr%.exe
4⤵
- Executes dropped EXE
PID:3572

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
- Modifies Windows Firewall
PID:4108

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
4⤵
- Modifies Windows Firewall
PID:3356

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1176

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:4420

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:2812

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:396

C:\Users\Admin\AppData\Local\Microsoft\3fs2S1$m.exe
"C:\Users\Admin\AppData\Local\Microsoft\3fs2S1$m.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Microsoft\3fs2S1$m.exe
C:\Users\Admin\AppData\Local\Microsoft\3fs2S1$m.exe
2⤵
- Executes dropped EXE
PID:540

C:\Users\Admin\AppData\Local\Microsoft\3fs2S1$m.exe
C:\Users\Admin\AppData\Local\Microsoft\3fs2S1$m.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3016

C:\Users\Admin\AppData\Local\Microsoft\nT%Qu%Q.exe
"C:\Users\Admin\AppData\Local\Microsoft\nT%Qu%Q.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u RVN:RBvfugTGdvfZCHCgvSoHZdsYt2u1JwYhUP.RIG_CPU -p x --cpu-max-threads-hint=50
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3400

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3292

C:\Users\Admin\AppData\Roaming\bbgtitv
C:\Users\Admin\AppData\Roaming\bbgtitv
1⤵
PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[6C8CEE4F-3483].[[email protected]].8base

Filesize
3.2MB

MD5
aae4376c71cb0be5f30edf8f5876947d

SHA1
689fd3904f5e0ed37f6cc9de3e69079156b51fe1

SHA256
4f79469785a21ebec382638ea298d6b79c276bf56e28a8bc3e23a4f9099e6c74

SHA512
4546705d44347549d6057bcff2046ac254720f2065393bd3fda3e6f1066f029c8d6265f212eb4527c6912831ac06a999a2fd1ff6f52ac7ea323e41ca2c953dae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\3fs2S1$m.exe

Filesize
254KB

MD5
fbc9ef363866fd3cff2615aebc2c8f6d

SHA1
7da7f54de775050eb6eb1410e24abf36c4d0c45c

SHA256
84365b5b998124dd5206ccdda3fb0f808ef4b4a6aebebcbd135e8d9193e197f9

SHA512
9ec578237e7857e8015b981b0c2842494ee0766a8ce605ed0b06b55f0036d46145b61d8b71c3843f94b92dc4aa20617b07d8d6dc7c38d83099533567da46692e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\3fs2S1$m.exe

Filesize
254KB

MD5
fbc9ef363866fd3cff2615aebc2c8f6d

SHA1
7da7f54de775050eb6eb1410e24abf36c4d0c45c

SHA256
84365b5b998124dd5206ccdda3fb0f808ef4b4a6aebebcbd135e8d9193e197f9

SHA512
9ec578237e7857e8015b981b0c2842494ee0766a8ce605ed0b06b55f0036d46145b61d8b71c3843f94b92dc4aa20617b07d8d6dc7c38d83099533567da46692e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\3fs2S1$m.exe

Filesize
254KB

MD5
fbc9ef363866fd3cff2615aebc2c8f6d

SHA1
7da7f54de775050eb6eb1410e24abf36c4d0c45c

SHA256
84365b5b998124dd5206ccdda3fb0f808ef4b4a6aebebcbd135e8d9193e197f9

SHA512
9ec578237e7857e8015b981b0c2842494ee0766a8ce605ed0b06b55f0036d46145b61d8b71c3843f94b92dc4aa20617b07d8d6dc7c38d83099533567da46692e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\3fs2S1$m.exe

Filesize
254KB

MD5
fbc9ef363866fd3cff2615aebc2c8f6d

SHA1
7da7f54de775050eb6eb1410e24abf36c4d0c45c

SHA256
84365b5b998124dd5206ccdda3fb0f808ef4b4a6aebebcbd135e8d9193e197f9

SHA512
9ec578237e7857e8015b981b0c2842494ee0766a8ce605ed0b06b55f0036d46145b61d8b71c3843f94b92dc4aa20617b07d8d6dc7c38d83099533567da46692e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6925.exe.log

Filesize
927B

MD5
ff27e87d4bf1330435001e57e8244d60

SHA1
b22264ed3cd4d35f8236278edd2512c3b7ecb355

SHA256
7e9adf70ba438f8a38feac34e1b25bb4261fa506d00361ea7e5cde784651474e

SHA512
d678aa2b42032ea0d811f9783abff7c94a6d674bd3dee74df706b7f95da7e51d84207320ea36226da4f8651e6ec618ea12d99d2d6d371bd1e98395518b8956e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\W8-sYXr%.exe.log

Filesize
927B

MD5
ff27e87d4bf1330435001e57e8244d60

SHA1
b22264ed3cd4d35f8236278edd2512c3b7ecb355

SHA256
7e9adf70ba438f8a38feac34e1b25bb4261fa506d00361ea7e5cde784651474e

SHA512
d678aa2b42032ea0d811f9783abff7c94a6d674bd3dee74df706b7f95da7e51d84207320ea36226da4f8651e6ec618ea12d99d2d6d371bd1e98395518b8956e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\W8-sYXr%.exe

Filesize
266KB

MD5
bca4f45fd63e9b7a8fb82ca92de246a2

SHA1
73819e4af3dc2200ae5eac87df6bda9c2d502134

SHA256
f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f

SHA512
6ad12488a43b28e97bb43cab7250ebd5b2f5a6437850a6c023f7a15ae5538905132f25a929c2efd240f113af2d038554e562ca5eb92835063ffd83b3f5b1c704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\W8-sYXr%.exe

Filesize
266KB

MD5
bca4f45fd63e9b7a8fb82ca92de246a2

SHA1
73819e4af3dc2200ae5eac87df6bda9c2d502134

SHA256
f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f

SHA512
6ad12488a43b28e97bb43cab7250ebd5b2f5a6437850a6c023f7a15ae5538905132f25a929c2efd240f113af2d038554e562ca5eb92835063ffd83b3f5b1c704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\W8-sYXr%.exe

Filesize
266KB

MD5
bca4f45fd63e9b7a8fb82ca92de246a2

SHA1
73819e4af3dc2200ae5eac87df6bda9c2d502134

SHA256
f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f

SHA512
6ad12488a43b28e97bb43cab7250ebd5b2f5a6437850a6c023f7a15ae5538905132f25a929c2efd240f113af2d038554e562ca5eb92835063ffd83b3f5b1c704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\W8-sYXr%.exe

Filesize
266KB

MD5
bca4f45fd63e9b7a8fb82ca92de246a2

SHA1
73819e4af3dc2200ae5eac87df6bda9c2d502134

SHA256
f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f

SHA512
6ad12488a43b28e97bb43cab7250ebd5b2f5a6437850a6c023f7a15ae5538905132f25a929c2efd240f113af2d038554e562ca5eb92835063ffd83b3f5b1c704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\W8-sYXr%.exe

Filesize
266KB

MD5
bca4f45fd63e9b7a8fb82ca92de246a2

SHA1
73819e4af3dc2200ae5eac87df6bda9c2d502134

SHA256
f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f

SHA512
6ad12488a43b28e97bb43cab7250ebd5b2f5a6437850a6c023f7a15ae5538905132f25a929c2efd240f113af2d038554e562ca5eb92835063ffd83b3f5b1c704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\nT%Qu%Q.exe

Filesize
896KB

MD5
7b4f90ff07d0fa2e763fd680b1e963c9

SHA1
47f1d9453dd31b2467f3f11580fba975ed69246d

SHA256
5228ff83506f82456b550462d53e68f7bc82b793d99c167b6674d853aa6b68b0

SHA512
5385fb7df409be3214a1de1b565694ed6e3491ff0f066709084673cc2975560895ab473dfc8a35ec25be999ea32abbc21c7732b99fa51792103f1e05f1e1ea9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\nT%Qu%Q.exe

Filesize
896KB

MD5
7b4f90ff07d0fa2e763fd680b1e963c9

SHA1
47f1d9453dd31b2467f3f11580fba975ed69246d

SHA256
5228ff83506f82456b550462d53e68f7bc82b793d99c167b6674d853aa6b68b0

SHA512
5385fb7df409be3214a1de1b565694ed6e3491ff0f066709084673cc2975560895ab473dfc8a35ec25be999ea32abbc21c7732b99fa51792103f1e05f1e1ea9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6925.exe

Filesize
266KB

MD5
bca4f45fd63e9b7a8fb82ca92de246a2

SHA1
73819e4af3dc2200ae5eac87df6bda9c2d502134

SHA256
f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f

SHA512
6ad12488a43b28e97bb43cab7250ebd5b2f5a6437850a6c023f7a15ae5538905132f25a929c2efd240f113af2d038554e562ca5eb92835063ffd83b3f5b1c704

Download Submit
C:\Users\Admin\AppData\Local\Temp\6925.exe

Filesize
266KB

MD5
bca4f45fd63e9b7a8fb82ca92de246a2

SHA1
73819e4af3dc2200ae5eac87df6bda9c2d502134

SHA256
f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f

SHA512
6ad12488a43b28e97bb43cab7250ebd5b2f5a6437850a6c023f7a15ae5538905132f25a929c2efd240f113af2d038554e562ca5eb92835063ffd83b3f5b1c704

Download Submit
C:\Users\Admin\AppData\Local\Temp\6925.exe

Filesize
266KB

MD5
bca4f45fd63e9b7a8fb82ca92de246a2

SHA1
73819e4af3dc2200ae5eac87df6bda9c2d502134

SHA256
f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f

SHA512
6ad12488a43b28e97bb43cab7250ebd5b2f5a6437850a6c023f7a15ae5538905132f25a929c2efd240f113af2d038554e562ca5eb92835063ffd83b3f5b1c704

Download Submit
C:\Users\Admin\AppData\Local\Temp\6925.exe

Filesize
266KB

MD5
bca4f45fd63e9b7a8fb82ca92de246a2

SHA1
73819e4af3dc2200ae5eac87df6bda9c2d502134

SHA256
f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f

SHA512
6ad12488a43b28e97bb43cab7250ebd5b2f5a6437850a6c023f7a15ae5538905132f25a929c2efd240f113af2d038554e562ca5eb92835063ffd83b3f5b1c704

Download Submit
C:\Users\Admin\AppData\Local\Temp\6925.exe

Filesize
266KB

MD5
bca4f45fd63e9b7a8fb82ca92de246a2

SHA1
73819e4af3dc2200ae5eac87df6bda9c2d502134

SHA256
f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f

SHA512
6ad12488a43b28e97bb43cab7250ebd5b2f5a6437850a6c023f7a15ae5538905132f25a929c2efd240f113af2d038554e562ca5eb92835063ffd83b3f5b1c704

Download Submit
C:\Users\Admin\AppData\Local\Temp\6925.exe

Filesize
266KB

MD5
bca4f45fd63e9b7a8fb82ca92de246a2

SHA1
73819e4af3dc2200ae5eac87df6bda9c2d502134

SHA256
f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f

SHA512
6ad12488a43b28e97bb43cab7250ebd5b2f5a6437850a6c023f7a15ae5538905132f25a929c2efd240f113af2d038554e562ca5eb92835063ffd83b3f5b1c704

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CC0.exe

Filesize
335KB

MD5
b767d6220ad7a3aaf39761a415c927af

SHA1
297c8a96997998f547a3eadce7e7fe04096492f1

SHA256
cd0ea12bd2eb7aac8fae5cd9fb2ae2857aecdc4a0de6c3179cec29221292df42

SHA512
2e24f5e5d00b9c423218996264df83756a18b89ea2d68629c788edb32178119f971c33bdfc9fd1b9151faace2a6de4bed24d418c46ffab984e0aa318f2fb4b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CC0.exe

Filesize
335KB

MD5
b767d6220ad7a3aaf39761a415c927af

SHA1
297c8a96997998f547a3eadce7e7fe04096492f1

SHA256
cd0ea12bd2eb7aac8fae5cd9fb2ae2857aecdc4a0de6c3179cec29221292df42

SHA512
2e24f5e5d00b9c423218996264df83756a18b89ea2d68629c788edb32178119f971c33bdfc9fd1b9151faace2a6de4bed24d418c46ffab984e0aa318f2fb4b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\A96A.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\A96A.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzw33i5d.default-release\cookies.sqlite.id[6C8CEE4F-3483].[[email protected]].8base

Filesize
96KB

MD5
bff5fd97a9f4369a4e065e9ba9bfcc34

SHA1
940eba65db0f9007d4b7ae48b8ed5b36e9503552

SHA256
27183582e216d48cd1f1ed8c7f43fbc2a9aed3cc16b50b393209c28655abfbc9

SHA512
26391dcb5631a3b980a4ff006347649733cb04a4f106d74e4bcb4e106818b986afb9bf75303bbc4ddcb922b2c6f387815cd6155933129962324faa17bb67f17f

Download Submit
C:\Users\Admin\AppData\Roaming\bbgtitv

Filesize
254KB

MD5
fbc9ef363866fd3cff2615aebc2c8f6d

SHA1
7da7f54de775050eb6eb1410e24abf36c4d0c45c

SHA256
84365b5b998124dd5206ccdda3fb0f808ef4b4a6aebebcbd135e8d9193e197f9

SHA512
9ec578237e7857e8015b981b0c2842494ee0766a8ce605ed0b06b55f0036d46145b61d8b71c3843f94b92dc4aa20617b07d8d6dc7c38d83099533567da46692e

Download Submit
C:\Users\Admin\AppData\Roaming\bbgtitv

Filesize
92KB

MD5
a1a628c4ca0bc5965c314d34cc095479

SHA1
6b1502d307fcae1645a4b6ad545ef2f562ae0e9d

SHA256
a4b767293f2d24aecb9619e247e11a11c6f2490019c4f2414d7c26ea4e03497f

SHA512
0364c9f996ea340b0a95728f8596284c146f35559e210e4a49d67f4b293b0d4576cde98d82628389622313729a8d8de56f2c42ba7ffa733f7e7a81427d8e8338

Download Submit
memory/228-2424-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/396-29-0x00000000032C0000-0x00000000036C0000-memory.dmp

Filesize
4.0MB

Download
memory/396-28-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/396-27-0x00000000032C0000-0x00000000036C0000-memory.dmp

Filesize
4.0MB

Download
memory/396-26-0x0000000004080000-0x00000000040B6000-memory.dmp

Filesize
216KB

Download
memory/396-20-0x0000000004080000-0x00000000040B6000-memory.dmp

Filesize
216KB

Download
memory/396-19-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/396-17-0x00000000032C0000-0x00000000036C0000-memory.dmp

Filesize
4.0MB

Download
memory/396-16-0x00000000032C0000-0x00000000036C0000-memory.dmp

Filesize
4.0MB

Download
memory/396-15-0x00000000032C0000-0x00000000036C0000-memory.dmp

Filesize
4.0MB

Download
memory/396-14-0x00000000032C0000-0x00000000036C0000-memory.dmp

Filesize
4.0MB

Download
memory/396-13-0x0000000003050000-0x0000000003057000-memory.dmp

Filesize
28KB

Download
memory/396-11-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/396-10-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/396-7-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/656-127-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/656-270-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/656-130-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/656-203-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/656-126-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/656-123-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/656-125-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/656-121-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/656-119-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/656-171-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/656-244-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/656-78-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/656-67-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/656-240-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/656-74-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/656-2389-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/792-92-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/792-101-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/792-90-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/1388-2413-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/1388-2414-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/1420-102-0x00007FFC58070000-0x00007FFC58B31000-memory.dmp

Filesize
10.8MB

Download
memory/1420-86-0x00000249C3950000-0x00000249C3960000-memory.dmp

Filesize
64KB

Download
memory/1420-76-0x00007FFC58070000-0x00007FFC58B31000-memory.dmp

Filesize
10.8MB

Download
memory/1420-77-0x00000249C1C20000-0x00000249C1D06000-memory.dmp

Filesize
920KB

Download
memory/1420-84-0x00000249DC180000-0x00000249DC262000-memory.dmp

Filesize
904KB

Download
memory/1420-87-0x00000249DCE10000-0x00000249DCEE0000-memory.dmp

Filesize
832KB

Download
memory/1464-42-0x00007FF47C9D0000-0x00007FF47CAFF000-memory.dmp

Filesize
1.2MB

Download
memory/1464-47-0x00007FF47C9D0000-0x00007FF47CAFF000-memory.dmp

Filesize
1.2MB

Download
memory/1464-41-0x00007FF47C9D0000-0x00007FF47CAFF000-memory.dmp

Filesize
1.2MB

Download
memory/1464-18-0x00000237E8960000-0x00000237E8963000-memory.dmp

Filesize
12KB

Download
memory/1464-30-0x00000237E8960000-0x00000237E8963000-memory.dmp

Filesize
12KB

Download
memory/1464-43-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1464-34-0x00007FF47C9D0000-0x00007FF47CAFF000-memory.dmp

Filesize
1.2MB

Download
memory/1464-35-0x00007FF47C9D0000-0x00007FF47CAFF000-memory.dmp

Filesize
1.2MB

Download
memory/1464-45-0x00007FF47C9D0000-0x00007FF47CAFF000-memory.dmp

Filesize
1.2MB

Download
memory/1464-36-0x00007FF47C9D0000-0x00007FF47CAFF000-memory.dmp

Filesize
1.2MB

Download
memory/1464-46-0x00007FF47C9D0000-0x00007FF47CAFF000-memory.dmp

Filesize
1.2MB

Download
memory/1464-44-0x00007FF47C9D0000-0x00007FF47CAFF000-memory.dmp

Filesize
1.2MB

Download
memory/1464-38-0x00007FF47C9D0000-0x00007FF47CAFF000-memory.dmp

Filesize
1.2MB

Download
memory/1464-40-0x00007FF47C9D0000-0x00007FF47CAFF000-memory.dmp

Filesize
1.2MB

Download
memory/1464-49-0x00007FF47C9D0000-0x00007FF47CAFF000-memory.dmp

Filesize
1.2MB

Download
memory/1464-48-0x00000237E8C00000-0x00000237E8C07000-memory.dmp

Filesize
28KB

Download
memory/1464-50-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1464-109-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1464-33-0x00007FF47C9D0000-0x00007FF47CAFF000-memory.dmp

Filesize
1.2MB

Download
memory/1464-32-0x00007FF47C9D0000-0x00007FF47CAFF000-memory.dmp

Filesize
1.2MB

Download
memory/1464-31-0x00000237E8C00000-0x00000237E8C07000-memory.dmp

Filesize
28KB

Download
memory/2012-61-0x0000000000CB0000-0x0000000000CF6000-memory.dmp

Filesize
280KB

Download
memory/2012-59-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/2012-65-0x0000000002EA0000-0x0000000002EE4000-memory.dmp

Filesize
272KB

Download
memory/2012-68-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/2012-66-0x00000000055D0000-0x0000000005602000-memory.dmp

Filesize
200KB

Download
memory/2012-85-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/3016-110-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3016-80-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3016-83-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3200-104-0x00000000032D0000-0x00000000032E6000-memory.dmp

Filesize
88KB

Download
memory/3220-2394-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3220-2402-0x000001552AF30000-0x000001552AF70000-memory.dmp

Filesize
256KB

Download
memory/3252-91-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3252-103-0x0000023C135E0000-0x0000023C135E8000-memory.dmp

Filesize
32KB

Download
memory/3252-838-0x0000023C2D880000-0x0000023C2D890000-memory.dmp

Filesize
64KB

Download
memory/3252-1609-0x0000023C2D880000-0x0000023C2D890000-memory.dmp

Filesize
64KB

Download
memory/3252-106-0x0000023C2D890000-0x0000023C2D8E6000-memory.dmp

Filesize
344KB

Download
memory/3252-94-0x00007FFC58070000-0x00007FFC58B31000-memory.dmp

Filesize
10.8MB

Download
memory/3252-407-0x0000023C2D880000-0x0000023C2D890000-memory.dmp

Filesize
64KB

Download
memory/3252-2395-0x0000023C2D880000-0x0000023C2D890000-memory.dmp

Filesize
64KB

Download
memory/3252-2401-0x0000023C2D880000-0x0000023C2D890000-memory.dmp

Filesize
64KB

Download
memory/3252-837-0x00007FFC58070000-0x00007FFC58B31000-memory.dmp

Filesize
10.8MB

Download
memory/3252-93-0x0000023C14E50000-0x0000023C14F52000-memory.dmp

Filesize
1.0MB

Download
memory/3572-100-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3572-1837-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4184-54-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/4184-75-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/4184-63-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/4184-62-0x0000000004D60000-0x0000000004D94000-memory.dmp

Filesize
208KB

Download
memory/4184-60-0x0000000004CE0000-0x0000000004D26000-memory.dmp

Filesize
280KB

Download
memory/4184-55-0x0000000000430000-0x0000000000478000-memory.dmp

Filesize
288KB

Download
memory/4256-12-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/4256-0-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/4256-6-0x00000000056F0000-0x000000000573C000-memory.dmp

Filesize
304KB

Download
memory/4256-5-0x0000000005680000-0x00000000056E8000-memory.dmp

Filesize
416KB

Download
memory/4256-4-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/4256-3-0x0000000005600000-0x0000000005678000-memory.dmp

Filesize
480KB

Download
memory/4256-2-0x0000000005B40000-0x00000000060E4000-memory.dmp

Filesize
5.6MB

Download
memory/4256-1-0x0000000000B50000-0x0000000000BCC000-memory.dmp

Filesize
496KB

Download