ammyyadmin | 8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f

Analysis

max time kernel
111s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2023 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
Size

513KB
MD5

89fe28686a81b90bf1f46b6d46251ce4
SHA1

19f6a799b4777acf208926cee4913c0a889db72e
SHA256

8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f
SHA512

9cb0181a6a9e6a37c10a6acf9c172fd4130f4d476b76c3b97acc71c157c3d8135f42d1f2a10bb87d07ecf784d30e705dc071b5630705e9f939127762795d0dfc
SSDEEP

12288:pX5JC7oT39ra0hI1iGKsHJwUJ10qx6qhE12:pLC7mtThIcGNSS1VY31

Score

10^/10

ammyyadmin flawedammyy phobos rhadamanthys smokeloader xmrig backdoor bootkit collection evasion miner persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\9304.tmp\svchost.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\9304.tmp\svchost.exe	family_ammyyadmin

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5020-14-0x0000000003040000-0x0000000003440000-memory.dmp	family_rhadamanthys
behavioral2/memory/5020-15-0x0000000003040000-0x0000000003440000-memory.dmp	family_rhadamanthys
behavioral2/memory/5020-16-0x0000000003040000-0x0000000003440000-memory.dmp	family_rhadamanthys
behavioral2/memory/5020-17-0x0000000003040000-0x0000000003440000-memory.dmp	family_rhadamanthys
behavioral2/memory/5020-27-0x0000000003040000-0x0000000003440000-memory.dmp	family_rhadamanthys
behavioral2/memory/5020-29-0x0000000003040000-0x0000000003440000-memory.dmp	family_rhadamanthys

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe

description pid process target process

PID 5020 created 3164 5020 SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe Explorer.EXE
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4684 bcdedit.exe
3320 bcdedit.exe
Renames multiple (67) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

description	pid	process	target process
PID 5020 created 3164	5020	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe	Explorer.EXE

pid	process
4684	bcdedit.exe
3320	bcdedit.exe

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1368-2034-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig

Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1788 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

1484 netsh.exe
3908 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

svchost.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation svchost.exe
Drops startup file 1 IoCs

Processes:

)B]4A~(74`.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\)B]4A~(74`.exe )B]4A~(74`.exe

pid	process
1788	wbadmin.exe

pid	process
1484	netsh.exe
3908	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	svchost.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\)B]4A~(74`.exe	)B]4A~(74`.exe

Executes dropped EXE 16 IoCs

Processes:

)B]4A~(74`.exeg8`[email protected])B]4A~(74`.exeg8`[email protected]3v7~I~AV6Q.exe)B]4A~(74`.exe)B]4A~(74`.exe)B]4A~(74`.exe)B]4A~(74`.exe5242.exe5242.exe5437.exe5242.exe5242.exesvchost.exectretrw

pid	process
1696	)B]4A~(74`.exe
3364	g8`[email protected]
4800	)B]4A~(74`.exe
1668	g8`[email protected]
4284	3v7~I~AV6Q.exe
4660	)B]4A~(74`.exe
4344	)B]4A~(74`.exe
1856	)B]4A~(74`.exe
4288	)B]4A~(74`.exe
4196	5242.exe
1116	5242.exe
4440	5437.exe
3136	5242.exe
3384	5242.exe
4180	svchost.exe
2356	ctretrw

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

)B]4A~(74`.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\)B]4A~(74` = "C:\\Users\\Admin\\AppData\\Local\\)B]4A~(74`.exe"	)B]4A~(74`.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\)B]4A~(74` = "C:\\Users\\Admin\\AppData\\Local\\)B]4A~(74`.exe"	)B]4A~(74`.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

)B]4A~(74`.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3027552071-446050021-1254071215-1000\desktop.ini	)B]4A~(74`.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3027552071-446050021-1254071215-1000\desktop.ini	)B]4A~(74`.exe
File opened for modification	C:\Program Files\desktop.ini	)B]4A~(74`.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

svchost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 svchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe)B]4A~(74`.exeg8`[email protected])B]4A~(74`.exe3v7~I~AV6Q.exeaspnet_compiler.exe5242.exe5242.exe

description	pid	process	target process
PID 1144 set thread context of 5020	1144	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
PID 1696 set thread context of 4800	1696	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 3364 set thread context of 1668	3364	g8`[email protected]	g8`[email protected]
PID 4660 set thread context of 4288	4660	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 4284 set thread context of 4356	4284	3v7~I~AV6Q.exe	aspnet_compiler.exe
PID 4356 set thread context of 1368	4356	aspnet_compiler.exe	AddInProcess.exe
PID 4196 set thread context of 1116	4196	5242.exe	5242.exe
PID 3136 set thread context of 3384	3136	5242.exe	5242.exe

Drops file in Program Files directory 64 IoCs

Processes:

)B]4A~(74`.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat	)B]4A~(74`.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es.pak.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core.xml.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\calendars.properties	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.rcp_4.3.100.v20141007-2301.jar.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml	)B]4A~(74`.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_ja.jar	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfontj2d.properties.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands_3.6.100.v20140528-1422.jar.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-awt.xml	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_ja.jar	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\3RDPARTY	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler.jar	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_ja_4.4.0.v20140623020002.jar.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-sendopts.jar	)B]4A~(74`.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzmappings.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.w3c.dom.smil_1.0.0.v200806040011.jar	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\vi.pak	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sr.pak.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.properties	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ja.pak	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt_0.11.101.v20140818-1343.jar	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin_2.0.100.v20131209-2144.jar.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado21.tlb	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\preloaded_data.pb	)B]4A~(74`.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\blacklist.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar.id[A4CAF2F9-3483].[[email protected]].8base	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml	)B]4A~(74`.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	)B]4A~(74`.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll	)B]4A~(74`.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exeg8`[email protected]

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	g8`[email protected]
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	g8`[email protected]
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	g8`[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2144 vssadmin.exe

pid	process
2144	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.execertreq.exeg8`[email protected])B]4A~(74`.exe3v7~I~AV6Q.exeExplorer.EXE)B]4A~(74`.exe

pid	process
5020	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
5020	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
5020	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
5020	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
4512	certreq.exe
4512	certreq.exe
4512	certreq.exe
4512	certreq.exe
1668	g8`[email protected]
1668	g8`[email protected]
4660	)B]4A~(74`.exe
4660	)B]4A~(74`.exe
4660	)B]4A~(74`.exe
4660	)B]4A~(74`.exe
4284	3v7~I~AV6Q.exe
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
4800	)B]4A~(74`.exe
4800	)B]4A~(74`.exe
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
4800	)B]4A~(74`.exe
4800	)B]4A~(74`.exe
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
4800	)B]4A~(74`.exe
4800	)B]4A~(74`.exe
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3164 Explorer.EXE
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

672

pid	process
3164	Explorer.EXE

pid	process
672

Suspicious behavior: MapViewOfSection 33 IoCs

Processes:

g8`[email protected]Explorer.EXEexplorer.exe

pid	process
1668	g8`[email protected]
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
4296	explorer.exe
4296	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe)B]4A~(74`.exeg8`[email protected])B]4A~(74`.exe3v7~I~AV6Q.exeaspnet_compiler.exe)B]4A~(74`.exevssvc.exeWMIC.exewbengine.exeExplorer.EXEAddInProcess.exe5242.exe5242.exe

description	pid	process
Token: SeDebugPrivilege	1144	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
Token: SeDebugPrivilege	1696	)B]4A~(74`.exe
Token: SeDebugPrivilege	3364	g8`[email protected]
Token: SeDebugPrivilege	4660	)B]4A~(74`.exe
Token: SeDebugPrivilege	4284	3v7~I~AV6Q.exe
Token: SeDebugPrivilege	4356	aspnet_compiler.exe
Token: SeDebugPrivilege	4800	)B]4A~(74`.exe
Token: SeBackupPrivilege	2672	vssvc.exe
Token: SeRestorePrivilege	2672	vssvc.exe
Token: SeAuditPrivilege	2672	vssvc.exe
Token: SeIncreaseQuotaPrivilege	452	WMIC.exe
Token: SeSecurityPrivilege	452	WMIC.exe
Token: SeTakeOwnershipPrivilege	452	WMIC.exe
Token: SeLoadDriverPrivilege	452	WMIC.exe
Token: SeSystemProfilePrivilege	452	WMIC.exe
Token: SeSystemtimePrivilege	452	WMIC.exe
Token: SeProfSingleProcessPrivilege	452	WMIC.exe
Token: SeIncBasePriorityPrivilege	452	WMIC.exe
Token: SeCreatePagefilePrivilege	452	WMIC.exe
Token: SeBackupPrivilege	452	WMIC.exe
Token: SeRestorePrivilege	452	WMIC.exe
Token: SeShutdownPrivilege	452	WMIC.exe
Token: SeDebugPrivilege	452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	452	WMIC.exe
Token: SeRemoteShutdownPrivilege	452	WMIC.exe
Token: SeUndockPrivilege	452	WMIC.exe
Token: SeManageVolumePrivilege	452	WMIC.exe
Token: 33	452	WMIC.exe
Token: 34	452	WMIC.exe
Token: 35	452	WMIC.exe
Token: 36	452	WMIC.exe
Token: SeIncreaseQuotaPrivilege	452	WMIC.exe
Token: SeSecurityPrivilege	452	WMIC.exe
Token: SeTakeOwnershipPrivilege	452	WMIC.exe
Token: SeLoadDriverPrivilege	452	WMIC.exe
Token: SeSystemProfilePrivilege	452	WMIC.exe
Token: SeSystemtimePrivilege	452	WMIC.exe
Token: SeProfSingleProcessPrivilege	452	WMIC.exe
Token: SeIncBasePriorityPrivilege	452	WMIC.exe
Token: SeCreatePagefilePrivilege	452	WMIC.exe
Token: SeBackupPrivilege	452	WMIC.exe
Token: SeRestorePrivilege	452	WMIC.exe
Token: SeShutdownPrivilege	452	WMIC.exe
Token: SeDebugPrivilege	452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	452	WMIC.exe
Token: SeRemoteShutdownPrivilege	452	WMIC.exe
Token: SeUndockPrivilege	452	WMIC.exe
Token: SeManageVolumePrivilege	452	WMIC.exe
Token: 33	452	WMIC.exe
Token: 34	452	WMIC.exe
Token: 35	452	WMIC.exe
Token: 36	452	WMIC.exe
Token: SeBackupPrivilege	3200	wbengine.exe
Token: SeRestorePrivilege	3200	wbengine.exe
Token: SeSecurityPrivilege	3200	wbengine.exe
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeLockMemoryPrivilege	1368	AddInProcess.exe
Token: SeLockMemoryPrivilege	1368	AddInProcess.exe
Token: SeDebugPrivilege	4196	5242.exe
Token: SeDebugPrivilege	3136	5242.exe
Token: SeShutdownPrivilege	3164	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

AddInProcess.exesvchost.exe

pid process

1368 AddInProcess.exe
4180 svchost.exe

pid	process
1368	AddInProcess.exe
4180	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exeSecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe)B]4A~(74`.exeg8`[email protected])B]4A~(74`.exe3v7~I~AV6Q.exe)B]4A~(74`.execmd.execmd.exe

description	pid	process	target process
PID 1144 wrote to memory of 5020	1144	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
PID 1144 wrote to memory of 5020	1144	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
PID 1144 wrote to memory of 5020	1144	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
PID 1144 wrote to memory of 5020	1144	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
PID 1144 wrote to memory of 5020	1144	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
PID 1144 wrote to memory of 5020	1144	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
PID 1144 wrote to memory of 5020	1144	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
PID 1144 wrote to memory of 5020	1144	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
PID 5020 wrote to memory of 4512	5020	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe	certreq.exe
PID 5020 wrote to memory of 4512	5020	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe	certreq.exe
PID 5020 wrote to memory of 4512	5020	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe	certreq.exe
PID 5020 wrote to memory of 4512	5020	SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe	certreq.exe
PID 1696 wrote to memory of 4800	1696	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 1696 wrote to memory of 4800	1696	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 1696 wrote to memory of 4800	1696	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 1696 wrote to memory of 4800	1696	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 1696 wrote to memory of 4800	1696	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 1696 wrote to memory of 4800	1696	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 1696 wrote to memory of 4800	1696	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 1696 wrote to memory of 4800	1696	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 1696 wrote to memory of 4800	1696	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 1696 wrote to memory of 4800	1696	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 3364 wrote to memory of 1668	3364	g8`[email protected]	g8`[email protected]
PID 3364 wrote to memory of 1668	3364	g8`[email protected]	g8`[email protected]
PID 3364 wrote to memory of 1668	3364	g8`[email protected]	g8`[email protected]
PID 3364 wrote to memory of 1668	3364	g8`[email protected]	g8`[email protected]
PID 3364 wrote to memory of 1668	3364	g8`[email protected]	g8`[email protected]
PID 3364 wrote to memory of 1668	3364	g8`[email protected]	g8`[email protected]
PID 4660 wrote to memory of 4344	4660	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 4660 wrote to memory of 4344	4660	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 4660 wrote to memory of 4344	4660	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 4660 wrote to memory of 1856	4660	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 4660 wrote to memory of 1856	4660	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 4660 wrote to memory of 1856	4660	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 4660 wrote to memory of 4288	4660	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 4660 wrote to memory of 4288	4660	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 4660 wrote to memory of 4288	4660	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 4660 wrote to memory of 4288	4660	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 4660 wrote to memory of 4288	4660	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 4660 wrote to memory of 4288	4660	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 4660 wrote to memory of 4288	4660	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 4660 wrote to memory of 4288	4660	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 4660 wrote to memory of 4288	4660	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 4660 wrote to memory of 4288	4660	)B]4A~(74`.exe	)B]4A~(74`.exe
PID 4284 wrote to memory of 4356	4284	3v7~I~AV6Q.exe	aspnet_compiler.exe
PID 4284 wrote to memory of 4356	4284	3v7~I~AV6Q.exe	aspnet_compiler.exe
PID 4284 wrote to memory of 4356	4284	3v7~I~AV6Q.exe	aspnet_compiler.exe
PID 4284 wrote to memory of 4356	4284	3v7~I~AV6Q.exe	aspnet_compiler.exe
PID 4284 wrote to memory of 4356	4284	3v7~I~AV6Q.exe	aspnet_compiler.exe
PID 4284 wrote to memory of 4356	4284	3v7~I~AV6Q.exe	aspnet_compiler.exe
PID 4800 wrote to memory of 1616	4800	)B]4A~(74`.exe	cmd.exe
PID 4800 wrote to memory of 1616	4800	)B]4A~(74`.exe	cmd.exe
PID 4800 wrote to memory of 4196	4800	)B]4A~(74`.exe	cmd.exe
PID 4800 wrote to memory of 4196	4800	)B]4A~(74`.exe	cmd.exe
PID 4196 wrote to memory of 1484	4196	cmd.exe	netsh.exe
PID 4196 wrote to memory of 1484	4196	cmd.exe	netsh.exe
PID 1616 wrote to memory of 2144	1616	cmd.exe	vssadmin.exe
PID 1616 wrote to memory of 2144	1616	cmd.exe	vssadmin.exe
PID 1616 wrote to memory of 452	1616	cmd.exe	WMIC.exe
PID 1616 wrote to memory of 452	1616	cmd.exe	WMIC.exe
PID 1616 wrote to memory of 4684	1616	cmd.exe	bcdedit.exe
PID 1616 wrote to memory of 4684	1616	cmd.exe	bcdedit.exe
PID 1616 wrote to memory of 3320	1616	cmd.exe	bcdedit.exe
PID 1616 wrote to memory of 3320	1616	cmd.exe	bcdedit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4512

C:\Users\Admin\AppData\Local\Temp\5242.exe
C:\Users\Admin\AppData\Local\Temp\5242.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Users\Admin\AppData\Local\Temp\5242.exe
C:\Users\Admin\AppData\Local\Temp\5242.exe
3⤵
- Executes dropped EXE
PID:1116

C:\Users\Admin\AppData\Local\Temp\5242.exe
"C:\Users\Admin\AppData\Local\Temp\5242.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Users\Admin\AppData\Local\Temp\5242.exe
C:\Users\Admin\AppData\Local\Temp\5242.exe
5⤵
- Executes dropped EXE
PID:3384

C:\Users\Admin\AppData\Local\Temp\5437.exe
C:\Users\Admin\AppData\Local\Temp\5437.exe
2⤵
- Executes dropped EXE
PID:4440

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3016

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2348

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1696

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1512

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3904

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:560

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:292

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3488

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1364

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:276

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1636

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1380

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3248

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1788

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Suspicious behavior: MapViewOfSection
PID:4296

C:\Users\Admin\AppData\Local\Temp\9304.tmp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\9304.tmp\svchost.exe -debug
3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
PID:4180

C:\Users\Admin\AppData\Local\Microsoft\)B]4A~(74`.exe
"C:\Users\Admin\AppData\Local\Microsoft\)B]4A~(74`.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Microsoft\)B]4A~(74`.exe
C:\Users\Admin\AppData\Local\Microsoft\)B]4A~(74`.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800

C:\Users\Admin\AppData\Local\Microsoft\)B]4A~(74`.exe
"C:\Users\Admin\AppData\Local\Microsoft\)B]4A~(74`.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4660

C:\Users\Admin\AppData\Local\Microsoft\)B]4A~(74`.exe
C:\Users\Admin\AppData\Local\Microsoft\)B]4A~(74`.exe
4⤵
- Executes dropped EXE
PID:4344

C:\Users\Admin\AppData\Local\Microsoft\)B]4A~(74`.exe
C:\Users\Admin\AppData\Local\Microsoft\)B]4A~(74`.exe
4⤵
- Executes dropped EXE
PID:1856

C:\Users\Admin\AppData\Local\Microsoft\)B]4A~(74`.exe
C:\Users\Admin\AppData\Local\Microsoft\)B]4A~(74`.exe
4⤵
- Executes dropped EXE
PID:4288

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2144

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:4684

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:3320

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:1788

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4196

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
- Modifies Windows Firewall
PID:1484

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
4⤵
- Modifies Windows Firewall
PID:3908

C:\Users\Admin\AppData\Local\Microsoft\g8`[email protected]
"C:\Users\Admin\AppData\Local\Microsoft\g8`[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Admin\AppData\Local\Microsoft\g8`[email protected]
C:\Users\Admin\AppData\Local\Microsoft\g8`[email protected]
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1668

C:\Users\Admin\AppData\Local\Microsoft\3v7~I~AV6Q.exe
"C:\Users\Admin\AppData\Local\Microsoft\3v7~I~AV6Q.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u RVN:RBvfugTGdvfZCHCgvSoHZdsYt2u1JwYhUP.RIG_CPU -p x --cpu-max-threads-hint=50
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1368

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2348

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1772

C:\Users\Admin\AppData\Roaming\ctretrw
C:\Users\Admin\AppData\Roaming\ctretrw
1⤵
- Executes dropped EXE
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[A4CAF2F9-3483].[[email protected]].8base

Filesize
3.2MB

MD5
c1cc091a3e55dd37f3dc3995b575708c

SHA1
f642f6dff62a9ea78a35d8a38076d81df873a9ac

SHA256
bd417b847b2857e1e7201550c2731cf7895288a1bb3d3b339a0aef6a3191f469

SHA512
360c5f0f8fd3dd28d117adc92c4f4c2b3928ac018ad1ec7e96d1007487f7e9a0dd1ed0e2d26ddeaa1291ea2f21ad71571b04da91d07012eaa8beeecb1a24957c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\)B]4A~(74`.exe

Filesize
312KB

MD5
9824d07cea51069c0042eff0e46d1ad2

SHA1
70ef130a8f88076dc671ab9873b2a3a3c45818fc

SHA256
d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7

SHA512
6d38269e1c93c7e8bd6668cd26947cb821043c9bcbcb19d586795e0fb3d52b8a492e3817eef912bae165973c001c205fd879bbca9810339e6b45bda1651e3bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\)B]4A~(74`.exe

Filesize
312KB

MD5
9824d07cea51069c0042eff0e46d1ad2

SHA1
70ef130a8f88076dc671ab9873b2a3a3c45818fc

SHA256
d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7

SHA512
6d38269e1c93c7e8bd6668cd26947cb821043c9bcbcb19d586795e0fb3d52b8a492e3817eef912bae165973c001c205fd879bbca9810339e6b45bda1651e3bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\)B]4A~(74`.exe

Filesize
312KB

MD5
9824d07cea51069c0042eff0e46d1ad2

SHA1
70ef130a8f88076dc671ab9873b2a3a3c45818fc

SHA256
d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7

SHA512
6d38269e1c93c7e8bd6668cd26947cb821043c9bcbcb19d586795e0fb3d52b8a492e3817eef912bae165973c001c205fd879bbca9810339e6b45bda1651e3bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\)B]4A~(74`.exe

Filesize
312KB

MD5
9824d07cea51069c0042eff0e46d1ad2

SHA1
70ef130a8f88076dc671ab9873b2a3a3c45818fc

SHA256
d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7

SHA512
6d38269e1c93c7e8bd6668cd26947cb821043c9bcbcb19d586795e0fb3d52b8a492e3817eef912bae165973c001c205fd879bbca9810339e6b45bda1651e3bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\)B]4A~(74`.exe

Filesize
312KB

MD5
9824d07cea51069c0042eff0e46d1ad2

SHA1
70ef130a8f88076dc671ab9873b2a3a3c45818fc

SHA256
d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7

SHA512
6d38269e1c93c7e8bd6668cd26947cb821043c9bcbcb19d586795e0fb3d52b8a492e3817eef912bae165973c001c205fd879bbca9810339e6b45bda1651e3bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\)B]4A~(74`.exe

Filesize
312KB

MD5
9824d07cea51069c0042eff0e46d1ad2

SHA1
70ef130a8f88076dc671ab9873b2a3a3c45818fc

SHA256
d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7

SHA512
6d38269e1c93c7e8bd6668cd26947cb821043c9bcbcb19d586795e0fb3d52b8a492e3817eef912bae165973c001c205fd879bbca9810339e6b45bda1651e3bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\)B]4A~(74`.exe

Filesize
312KB

MD5
9824d07cea51069c0042eff0e46d1ad2

SHA1
70ef130a8f88076dc671ab9873b2a3a3c45818fc

SHA256
d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7

SHA512
6d38269e1c93c7e8bd6668cd26947cb821043c9bcbcb19d586795e0fb3d52b8a492e3817eef912bae165973c001c205fd879bbca9810339e6b45bda1651e3bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\3v7~I~AV6Q.exe

Filesize
896KB

MD5
7b4f90ff07d0fa2e763fd680b1e963c9

SHA1
47f1d9453dd31b2467f3f11580fba975ed69246d

SHA256
5228ff83506f82456b550462d53e68f7bc82b793d99c167b6674d853aa6b68b0

SHA512
5385fb7df409be3214a1de1b565694ed6e3491ff0f066709084673cc2975560895ab473dfc8a35ec25be999ea32abbc21c7732b99fa51792103f1e05f1e1ea9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\3v7~I~AV6Q.exe

Filesize
896KB

MD5
7b4f90ff07d0fa2e763fd680b1e963c9

SHA1
47f1d9453dd31b2467f3f11580fba975ed69246d

SHA256
5228ff83506f82456b550462d53e68f7bc82b793d99c167b6674d853aa6b68b0

SHA512
5385fb7df409be3214a1de1b565694ed6e3491ff0f066709084673cc2975560895ab473dfc8a35ec25be999ea32abbc21c7732b99fa51792103f1e05f1e1ea9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\)B]4A~(74`.exe.log

Filesize
927B

MD5
ff27e87d4bf1330435001e57e8244d60

SHA1
b22264ed3cd4d35f8236278edd2512c3b7ecb355

SHA256
7e9adf70ba438f8a38feac34e1b25bb4261fa506d00361ea7e5cde784651474e

SHA512
d678aa2b42032ea0d811f9783abff7c94a6d674bd3dee74df706b7f95da7e51d84207320ea36226da4f8651e6ec618ea12d99d2d6d371bd1e98395518b8956e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5242.exe.log

Filesize
927B

MD5
ff27e87d4bf1330435001e57e8244d60

SHA1
b22264ed3cd4d35f8236278edd2512c3b7ecb355

SHA256
7e9adf70ba438f8a38feac34e1b25bb4261fa506d00361ea7e5cde784651474e

SHA512
d678aa2b42032ea0d811f9783abff7c94a6d674bd3dee74df706b7f95da7e51d84207320ea36226da4f8651e6ec618ea12d99d2d6d371bd1e98395518b8956e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\g8`[email protected]

Filesize
300KB

MD5
63c09d4c7e50c09691a411d82c435d47

SHA1
760eaed5e364e9e0ad99223c4567331be91e520f

SHA256
43d5116203db106c30b8025ee4669b11915111a138a87460af43c2fb5f112cd2

SHA512
f66aa2e50234d822fbc87ddd458e0df40c2ad9821624655384d0f14779037d5482529f750eddaa6412e8dfde059ac61c37244f609a61ff9fa0a35306463a3637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\g8`[email protected]

Filesize
300KB

MD5
63c09d4c7e50c09691a411d82c435d47

SHA1
760eaed5e364e9e0ad99223c4567331be91e520f

SHA256
43d5116203db106c30b8025ee4669b11915111a138a87460af43c2fb5f112cd2

SHA512
f66aa2e50234d822fbc87ddd458e0df40c2ad9821624655384d0f14779037d5482529f750eddaa6412e8dfde059ac61c37244f609a61ff9fa0a35306463a3637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\g8`[email protected]

Filesize
300KB

MD5
63c09d4c7e50c09691a411d82c435d47

SHA1
760eaed5e364e9e0ad99223c4567331be91e520f

SHA256
43d5116203db106c30b8025ee4669b11915111a138a87460af43c2fb5f112cd2

SHA512
f66aa2e50234d822fbc87ddd458e0df40c2ad9821624655384d0f14779037d5482529f750eddaa6412e8dfde059ac61c37244f609a61ff9fa0a35306463a3637

Download Submit
C:\Users\Admin\AppData\Local\Temp\5242.exe

Filesize
312KB

MD5
9824d07cea51069c0042eff0e46d1ad2

SHA1
70ef130a8f88076dc671ab9873b2a3a3c45818fc

SHA256
d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7

SHA512
6d38269e1c93c7e8bd6668cd26947cb821043c9bcbcb19d586795e0fb3d52b8a492e3817eef912bae165973c001c205fd879bbca9810339e6b45bda1651e3bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5242.exe

Filesize
312KB

MD5
9824d07cea51069c0042eff0e46d1ad2

SHA1
70ef130a8f88076dc671ab9873b2a3a3c45818fc

SHA256
d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7

SHA512
6d38269e1c93c7e8bd6668cd26947cb821043c9bcbcb19d586795e0fb3d52b8a492e3817eef912bae165973c001c205fd879bbca9810339e6b45bda1651e3bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5242.exe

Filesize
312KB

MD5
9824d07cea51069c0042eff0e46d1ad2

SHA1
70ef130a8f88076dc671ab9873b2a3a3c45818fc

SHA256
d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7

SHA512
6d38269e1c93c7e8bd6668cd26947cb821043c9bcbcb19d586795e0fb3d52b8a492e3817eef912bae165973c001c205fd879bbca9810339e6b45bda1651e3bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5242.exe

Filesize
312KB

MD5
9824d07cea51069c0042eff0e46d1ad2

SHA1
70ef130a8f88076dc671ab9873b2a3a3c45818fc

SHA256
d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7

SHA512
6d38269e1c93c7e8bd6668cd26947cb821043c9bcbcb19d586795e0fb3d52b8a492e3817eef912bae165973c001c205fd879bbca9810339e6b45bda1651e3bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5242.exe

Filesize
312KB

MD5
9824d07cea51069c0042eff0e46d1ad2

SHA1
70ef130a8f88076dc671ab9873b2a3a3c45818fc

SHA256
d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7

SHA512
6d38269e1c93c7e8bd6668cd26947cb821043c9bcbcb19d586795e0fb3d52b8a492e3817eef912bae165973c001c205fd879bbca9810339e6b45bda1651e3bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5242.exe

Filesize
312KB

MD5
9824d07cea51069c0042eff0e46d1ad2

SHA1
70ef130a8f88076dc671ab9873b2a3a3c45818fc

SHA256
d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7

SHA512
6d38269e1c93c7e8bd6668cd26947cb821043c9bcbcb19d586795e0fb3d52b8a492e3817eef912bae165973c001c205fd879bbca9810339e6b45bda1651e3bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5437.exe

Filesize
335KB

MD5
b767d6220ad7a3aaf39761a415c927af

SHA1
297c8a96997998f547a3eadce7e7fe04096492f1

SHA256
cd0ea12bd2eb7aac8fae5cd9fb2ae2857aecdc4a0de6c3179cec29221292df42

SHA512
2e24f5e5d00b9c423218996264df83756a18b89ea2d68629c788edb32178119f971c33bdfc9fd1b9151faace2a6de4bed24d418c46ffab984e0aa318f2fb4b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5437.exe

Filesize
335KB

MD5
b767d6220ad7a3aaf39761a415c927af

SHA1
297c8a96997998f547a3eadce7e7fe04096492f1

SHA256
cd0ea12bd2eb7aac8fae5cd9fb2ae2857aecdc4a0de6c3179cec29221292df42

SHA512
2e24f5e5d00b9c423218996264df83756a18b89ea2d68629c788edb32178119f971c33bdfc9fd1b9151faace2a6de4bed24d418c46ffab984e0aa318f2fb4b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9304.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\9304.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b7jtu2fw.default-release\cookies.sqlite.id[A4CAF2F9-3483].[[email protected]].8base

Filesize
96KB

MD5
3ea0b5899a3963acdbf4902ed56ea260

SHA1
523c3392491e3ca14a8741a61028bc01d5780743

SHA256
e94d15f53771bfab2f22a49270f6a29856d7b16de09715099decc60a43dd690f

SHA512
2dfa3ca5abe2298ff0bbd9b7f7749c7f601c54d32af5aa7bb86f9ca8565f8d6e8cdc1141c07f3ea87b66b219f62703b9f0be5990d77bf9b28c20313f6a342c9a

Download Submit
C:\Users\Admin\AppData\Roaming\ctretrw

Filesize
300KB

MD5
63c09d4c7e50c09691a411d82c435d47

SHA1
760eaed5e364e9e0ad99223c4567331be91e520f

SHA256
43d5116203db106c30b8025ee4669b11915111a138a87460af43c2fb5f112cd2

SHA512
f66aa2e50234d822fbc87ddd458e0df40c2ad9821624655384d0f14779037d5482529f750eddaa6412e8dfde059ac61c37244f609a61ff9fa0a35306463a3637

Download Submit
C:\Users\Admin\AppData\Roaming\ctretrw

Filesize
300KB

MD5
63c09d4c7e50c09691a411d82c435d47

SHA1
760eaed5e364e9e0ad99223c4567331be91e520f

SHA256
43d5116203db106c30b8025ee4669b11915111a138a87460af43c2fb5f112cd2

SHA512
f66aa2e50234d822fbc87ddd458e0df40c2ad9821624655384d0f14779037d5482529f750eddaa6412e8dfde059ac61c37244f609a61ff9fa0a35306463a3637

Download Submit
memory/1144-5-0x00000000052B0000-0x0000000005318000-memory.dmp

Filesize
416KB

Download
memory/1144-12-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/1144-0-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/1144-6-0x0000000005460000-0x00000000054AC000-memory.dmp

Filesize
304KB

Download
memory/1144-3-0x0000000005220000-0x0000000005298000-memory.dmp

Filesize
480KB

Download
memory/1144-4-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/1144-1-0x0000000000800000-0x0000000000886000-memory.dmp

Filesize
536KB

Download
memory/1144-2-0x00000000058F0000-0x0000000005E94000-memory.dmp

Filesize
5.6MB

Download
memory/1368-2041-0x0000024507B60000-0x0000024507BA0000-memory.dmp

Filesize
256KB

Download
memory/1368-2034-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/1668-72-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1668-108-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1668-76-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1696-77-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/1696-62-0x0000000004AA0000-0x0000000004AD4000-memory.dmp

Filesize
208KB

Download
memory/1696-61-0x00000000049C0000-0x0000000004A06000-memory.dmp

Filesize
280KB

Download
memory/1696-54-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/1696-55-0x0000000000150000-0x00000000001A4000-memory.dmp

Filesize
336KB

Download
memory/1696-63-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/3164-106-0x0000000002BD0000-0x0000000002BE6000-memory.dmp

Filesize
88KB

Download
memory/3364-66-0x0000000005020000-0x0000000005052000-memory.dmp

Filesize
200KB

Download
memory/3364-59-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/3364-81-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/3364-60-0x00000000005C0000-0x0000000000612000-memory.dmp

Filesize
328KB

Download
memory/3364-67-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3364-64-0x0000000004EE0000-0x0000000004F24000-memory.dmp

Filesize
272KB

Download
memory/4284-91-0x000001F3C9CD0000-0x000001F3C9DA0000-memory.dmp

Filesize
832KB

Download
memory/4284-90-0x000001F3C9AE0000-0x000001F3C9AF0000-memory.dmp

Filesize
64KB

Download
memory/4284-88-0x000001F3C9AF0000-0x000001F3C9BD2000-memory.dmp

Filesize
904KB

Download
memory/4284-86-0x00007FFB26460000-0x00007FFB26F21000-memory.dmp

Filesize
10.8MB

Download
memory/4284-105-0x00007FFB26460000-0x00007FFB26F21000-memory.dmp

Filesize
10.8MB

Download
memory/4284-84-0x000001F3AF540000-0x000001F3AF626000-memory.dmp

Filesize
920KB

Download
memory/4288-99-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4288-808-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4356-393-0x000001C0FE070000-0x000001C0FE080000-memory.dmp

Filesize
64KB

Download
memory/4356-111-0x000001C0801C0000-0x000001C080216000-memory.dmp

Filesize
344KB

Download
memory/4356-100-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4356-584-0x000001C0FE070000-0x000001C0FE080000-memory.dmp

Filesize
64KB

Download
memory/4356-110-0x000001C0801B0000-0x000001C0801B8000-memory.dmp

Filesize
32KB

Download
memory/4356-1065-0x00007FFB26460000-0x00007FFB26F21000-memory.dmp

Filesize
10.8MB

Download
memory/4356-1074-0x000001C0FE070000-0x000001C0FE080000-memory.dmp

Filesize
64KB

Download
memory/4356-101-0x000001C0FDE80000-0x000001C0FDF82000-memory.dmp

Filesize
1.0MB

Download
memory/4356-2033-0x000001C0FE070000-0x000001C0FE080000-memory.dmp

Filesize
64KB

Download
memory/4356-102-0x00007FFB26460000-0x00007FFB26F21000-memory.dmp

Filesize
10.8MB

Download
memory/4356-103-0x000001C0FE070000-0x000001C0FE080000-memory.dmp

Filesize
64KB

Download
memory/4356-2040-0x000001C0FE070000-0x000001C0FE080000-memory.dmp

Filesize
64KB

Download
memory/4512-41-0x00007FF4936C0000-0x00007FF4937EF000-memory.dmp

Filesize
1.2MB

Download
memory/4512-34-0x00007FF4936C0000-0x00007FF4937EF000-memory.dmp

Filesize
1.2MB

Download
memory/4512-49-0x00007FF4936C0000-0x00007FF4937EF000-memory.dmp

Filesize
1.2MB

Download
memory/4512-48-0x00000224FB4A0000-0x00000224FB4A7000-memory.dmp

Filesize
28KB

Download
memory/4512-38-0x00007FF4936C0000-0x00007FF4937EF000-memory.dmp

Filesize
1.2MB

Download
memory/4512-40-0x00007FF4936C0000-0x00007FF4937EF000-memory.dmp

Filesize
1.2MB

Download
memory/4512-36-0x00007FF4936C0000-0x00007FF4937EF000-memory.dmp

Filesize
1.2MB

Download
memory/4512-47-0x00007FF4936C0000-0x00007FF4937EF000-memory.dmp

Filesize
1.2MB

Download
memory/4512-46-0x00007FF4936C0000-0x00007FF4937EF000-memory.dmp

Filesize
1.2MB

Download
memory/4512-45-0x00007FF4936C0000-0x00007FF4937EF000-memory.dmp

Filesize
1.2MB

Download
memory/4512-44-0x00007FF4936C0000-0x00007FF4937EF000-memory.dmp

Filesize
1.2MB

Download
memory/4512-43-0x00007FFB44EF0000-0x00007FFB450E5000-memory.dmp

Filesize
2.0MB

Download
memory/4512-42-0x00007FF4936C0000-0x00007FF4937EF000-memory.dmp

Filesize
1.2MB

Download
memory/4512-800-0x00000224FB4A0000-0x00000224FB4A7000-memory.dmp

Filesize
28KB

Download
memory/4512-18-0x00000224FB200000-0x00000224FB203000-memory.dmp

Filesize
12KB

Download
memory/4512-30-0x00000224FB200000-0x00000224FB203000-memory.dmp

Filesize
12KB

Download
memory/4512-31-0x00000224FB4A0000-0x00000224FB4A7000-memory.dmp

Filesize
28KB

Download
memory/4512-32-0x00007FF4936C0000-0x00007FF4937EF000-memory.dmp

Filesize
1.2MB

Download
memory/4512-33-0x00007FF4936C0000-0x00007FF4937EF000-memory.dmp

Filesize
1.2MB

Download
memory/4512-53-0x00007FFB44EF0000-0x00007FFB450E5000-memory.dmp

Filesize
2.0MB

Download
memory/4512-35-0x00007FF4936C0000-0x00007FF4937EF000-memory.dmp

Filesize
1.2MB

Download
memory/4512-801-0x00007FFB44EF0000-0x00007FFB450E5000-memory.dmp

Filesize
2.0MB

Download
memory/4660-87-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/4660-97-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/4660-85-0x0000000005410000-0x0000000005456000-memory.dmp

Filesize
280KB

Download
memory/4660-89-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/4800-129-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4800-133-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4800-123-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4800-266-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4800-181-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4800-183-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4800-153-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4800-144-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4800-127-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4800-125-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4800-2028-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4800-122-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4800-68-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4800-73-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4800-78-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5020-28-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5020-26-0x0000000003DA0000-0x0000000003DD6000-memory.dmp

Filesize
216KB

Download
memory/5020-27-0x0000000003040000-0x0000000003440000-memory.dmp

Filesize
4.0MB

Download
memory/5020-25-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5020-19-0x0000000003DA0000-0x0000000003DD6000-memory.dmp

Filesize
216KB

Download
memory/5020-29-0x0000000003040000-0x0000000003440000-memory.dmp

Filesize
4.0MB

Download
memory/5020-17-0x0000000003040000-0x0000000003440000-memory.dmp

Filesize
4.0MB

Download
memory/5020-16-0x0000000003040000-0x0000000003440000-memory.dmp

Filesize
4.0MB

Download
memory/5020-15-0x0000000003040000-0x0000000003440000-memory.dmp

Filesize
4.0MB

Download
memory/5020-14-0x0000000003040000-0x0000000003440000-memory.dmp

Filesize
4.0MB

Download
memory/5020-13-0x0000000002DA0000-0x0000000002DA7000-memory.dmp

Filesize
28KB

Download
memory/5020-11-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5020-10-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5020-7-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download