313897bcfd2d0d82e6f41eef6161976f84c602ebed626ee29feaec6ee36f2c94

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2023 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wireguard-pro.exe
Size

722KB
MD5

c3fdabfa7e016aa9b2cacbb5fc9860a8
SHA1

70e5f0dfb1a1dc4d6668f6333ecbf83aa49d13bf
SHA256

313897bcfd2d0d82e6f41eef6161976f84c602ebed626ee29feaec6ee36f2c94
SHA512

27a44617e0df5faa6051a968151206373b2d961c647c9bf2ac3888308e92b2a2d78511648b6a70b72602a69794f4234ad23c79c5b338061763faaf96987d1562
SSDEEP

12288:tNTeVyTF63SThrGvvmfjje59IUwnZH0h:PB43SThy07

Score

7^/10

collection persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	wireguard-pro.exe

Executes dropped EXE 6 IoCs

pid	Process
3880	IREHE5WL.exe
4552	16RIF1SA.exe
2356	wireguard.exe
4660	wireguard.exe
2856	wireguard.exe
3712	wireguard.exe

Loads dropped DLL 6 IoCs

pid	Process
4528	MsiExec.exe
4528	MsiExec.exe
4528	MsiExec.exe
2180	MsiExec.exe
2180	MsiExec.exe
2180	MsiExec.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	16RIF1SA.exe
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	16RIF1SA.exe
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	16RIF1SA.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyOtApp = "C:\\Users\\Admin\\AppData\\Roaming\\audddd\\audddd.exe"	16RIF1SA.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	checkip.dyndns.org

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WireGuard\Data\log.bin	wireguard.exe
File created	C:\Program Files\WireGuard\wg.exe	msiexec.exe
File created	C:\Program Files\WireGuard\wireguard.exe	msiexec.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIF6E8.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f428.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF93C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF64A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF708.tmp	msiexec.exe
File created	C:\Windows\Installer\{2FDB79CE-5193-4A39-82BB-E00158CC1533}\wireguard.ico	msiexec.exe
File created	C:\Windows\Installer\e57f424.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f424.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF649.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2FDB79CE-5193-4A39-82BB-E00158CC1533}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF699.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF52D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF59C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{2FDB79CE-5193-4A39-82BB-E00158CC1533}\wireguard.ico	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 17 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	wireguard.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d5202569a554c8040000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d52025690000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d5202569000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd5202569000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d520256900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	wireguard.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	wireguard.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	wireguard.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	wireguard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	wireguard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E	wireguard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	wireguard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	wireguard.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	wireguard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	wireguard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	wireguard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	wireguard.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	wireguard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wireguard.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	wireguard.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	wireguard.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	wireguard.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\ProductName = "WireGuard"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\ProductIcon = "C:\\Windows\\Installer\\{2FDB79CE-5193-4A39-82BB-E00158CC1533}\\wireguard.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5AD1A5E563ABD40429CE1450D0C197C9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EC97BDF2391593A428BB0E1085CC5133\WireGuardFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\SourceList\LastUsedSource = "n;1;C:\\Windows\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\PackageCode = "95F92915D6255534F9EA3FE06731F9BB"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\Version = "327683"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EC97BDF2391593A428BB0E1085CC5133	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5AD1A5E563ABD40429CE1450D0C197C9\EC97BDF2391593A428BB0E1085CC5133	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\SourceList\PackageName = "e01f385500de93fbb92306238bdaad977b93f8ef0c5ecdddcc36b3f59cdacc74"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\SourceList\Net\1 = "C:\\Windows\\Temp\\"	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	IREHE5WL.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	IREHE5WL.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	IREHE5WL.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	IREHE5WL.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	IREHE5WL.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3712	wireguard.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4552	16RIF1SA.exe
4552	16RIF1SA.exe
4552	16RIF1SA.exe
2492	msiexec.exe
2492	msiexec.exe
2856	wireguard.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4552	16RIF1SA.exe
Token: SeShutdownPrivilege	3880	IREHE5WL.exe
Token: SeIncreaseQuotaPrivilege	3880	IREHE5WL.exe
Token: SeSecurityPrivilege	2492	msiexec.exe
Token: SeCreateTokenPrivilege	3880	IREHE5WL.exe
Token: SeAssignPrimaryTokenPrivilege	3880	IREHE5WL.exe
Token: SeLockMemoryPrivilege	3880	IREHE5WL.exe
Token: SeIncreaseQuotaPrivilege	3880	IREHE5WL.exe
Token: SeMachineAccountPrivilege	3880	IREHE5WL.exe
Token: SeTcbPrivilege	3880	IREHE5WL.exe
Token: SeSecurityPrivilege	3880	IREHE5WL.exe
Token: SeTakeOwnershipPrivilege	3880	IREHE5WL.exe
Token: SeLoadDriverPrivilege	3880	IREHE5WL.exe
Token: SeSystemProfilePrivilege	3880	IREHE5WL.exe
Token: SeSystemtimePrivilege	3880	IREHE5WL.exe
Token: SeProfSingleProcessPrivilege	3880	IREHE5WL.exe
Token: SeIncBasePriorityPrivilege	3880	IREHE5WL.exe
Token: SeCreatePagefilePrivilege	3880	IREHE5WL.exe
Token: SeCreatePermanentPrivilege	3880	IREHE5WL.exe
Token: SeBackupPrivilege	3880	IREHE5WL.exe
Token: SeRestorePrivilege	3880	IREHE5WL.exe
Token: SeShutdownPrivilege	3880	IREHE5WL.exe
Token: SeDebugPrivilege	3880	IREHE5WL.exe
Token: SeAuditPrivilege	3880	IREHE5WL.exe
Token: SeSystemEnvironmentPrivilege	3880	IREHE5WL.exe
Token: SeChangeNotifyPrivilege	3880	IREHE5WL.exe
Token: SeRemoteShutdownPrivilege	3880	IREHE5WL.exe
Token: SeUndockPrivilege	3880	IREHE5WL.exe
Token: SeSyncAgentPrivilege	3880	IREHE5WL.exe
Token: SeEnableDelegationPrivilege	3880	IREHE5WL.exe
Token: SeManageVolumePrivilege	3880	IREHE5WL.exe
Token: SeImpersonatePrivilege	3880	IREHE5WL.exe
Token: SeCreateGlobalPrivilege	3880	IREHE5WL.exe
Token: SeBackupPrivilege	1652	vssvc.exe
Token: SeRestorePrivilege	1652	vssvc.exe
Token: SeAuditPrivilege	1652	vssvc.exe
Token: SeBackupPrivilege	2492	msiexec.exe
Token: SeRestorePrivilege	2492	msiexec.exe
Token: SeRestorePrivilege	2492	msiexec.exe
Token: SeTakeOwnershipPrivilege	2492	msiexec.exe
Token: SeRestorePrivilege	2492	msiexec.exe
Token: SeTakeOwnershipPrivilege	2492	msiexec.exe
Token: SeRestorePrivilege	2492	msiexec.exe
Token: SeTakeOwnershipPrivilege	2492	msiexec.exe
Token: SeRestorePrivilege	2492	msiexec.exe
Token: SeTakeOwnershipPrivilege	2492	msiexec.exe
Token: SeRestorePrivilege	2492	msiexec.exe
Token: SeTakeOwnershipPrivilege	2492	msiexec.exe
Token: SeRestorePrivilege	2492	msiexec.exe
Token: SeTakeOwnershipPrivilege	2492	msiexec.exe
Token: SeRestorePrivilege	2492	msiexec.exe
Token: SeTakeOwnershipPrivilege	2492	msiexec.exe
Token: SeRestorePrivilege	2492	msiexec.exe
Token: SeTakeOwnershipPrivilege	2492	msiexec.exe
Token: SeRestorePrivilege	2492	msiexec.exe
Token: SeTakeOwnershipPrivilege	2492	msiexec.exe
Token: SeRestorePrivilege	2492	msiexec.exe
Token: SeTakeOwnershipPrivilege	2492	msiexec.exe
Token: SeRestorePrivilege	2492	msiexec.exe
Token: SeTakeOwnershipPrivilege	2492	msiexec.exe
Token: SeRestorePrivilege	2492	msiexec.exe
Token: SeTakeOwnershipPrivilege	2492	msiexec.exe
Token: SeRestorePrivilege	2492	msiexec.exe
Token: SeTakeOwnershipPrivilege	2492	msiexec.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
3880	IREHE5WL.exe
3880	IREHE5WL.exe
3712	wireguard.exe
3712	wireguard.exe
3712	wireguard.exe
3712	wireguard.exe
3712	wireguard.exe
3712	wireguard.exe
3712	wireguard.exe
3712	wireguard.exe
3712	wireguard.exe
3712	wireguard.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3712	wireguard.exe
3712	wireguard.exe
3712	wireguard.exe
3712	wireguard.exe
3712	wireguard.exe
3712	wireguard.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4552	16RIF1SA.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 3880	4080	wireguard-pro.exe	86
PID 4080 wrote to memory of 3880	4080	wireguard-pro.exe	86
PID 4080 wrote to memory of 3880	4080	wireguard-pro.exe	86
PID 4080 wrote to memory of 4552	4080	wireguard-pro.exe	87
PID 4080 wrote to memory of 4552	4080	wireguard-pro.exe	87
PID 4080 wrote to memory of 4552	4080	wireguard-pro.exe	87
PID 2492 wrote to memory of 1088	2492	msiexec.exe	107
PID 2492 wrote to memory of 1088	2492	msiexec.exe	107
PID 2492 wrote to memory of 4528	2492	msiexec.exe	110
PID 2492 wrote to memory of 4528	2492	msiexec.exe	110
PID 2492 wrote to memory of 2180	2492	msiexec.exe	111
PID 2492 wrote to memory of 2180	2492	msiexec.exe	111
PID 2492 wrote to memory of 2356	2492	msiexec.exe	112
PID 2492 wrote to memory of 2356	2492	msiexec.exe	112
PID 2356 wrote to memory of 4660	2356	wireguard.exe	115
PID 2356 wrote to memory of 4660	2356	wireguard.exe	115
PID 2856 wrote to memory of 3712	2856	wireguard.exe	116
PID 2856 wrote to memory of 3712	2856	wireguard.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	16RIF1SA.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	16RIF1SA.exe

C:\Users\Admin\AppData\Local\Temp\wireguard-pro.exe
"C:\Users\Admin\AppData\Local\Temp\wireguard-pro.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\AppData\Roaming\Adobe\IREHE5WL.exe
  "C:\Users\Admin\AppData\Roaming\Adobe\IREHE5WL.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3880
- C:\Users\Admin\AppData\Roaming\Adobe\16RIF1SA.exe
  "C:\Users\Admin\AppData\Roaming\Adobe\16RIF1SA.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:4552

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1088
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding EF371959327622731446D04333E51F2D
  2⤵
  - Loads dropped DLL
  PID:4528
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 42BF622D04D4D80E80B249A6C399D006 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:2180
- C:\Program Files\WireGuard\wireguard.exe
  "C:\Program Files\WireGuard\wireguard.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Program Files\WireGuard\wireguard.exe
    "C:\Program Files\WireGuard\wireguard.exe" /installmanagerservice
    3⤵
    - Executes dropped EXE
    PID:4660

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Program Files\WireGuard\wireguard.exe
"C:\Program Files\WireGuard\wireguard.exe" /managerservice
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Program Files\WireGuard\wireguard.exe
  "C:\Program Files\WireGuard\wireguard.exe" /ui 712 708 720 728
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f427.rbs

Filesize
8KB

MD5
f672d3963f8d50e2662e044c6d5fd904

SHA1
ec25fe6f9999ab68f54339fc11af4df9993e7adb

SHA256
451de7b2cc65c892261337fb413260afd9d0f74ae7f815dd3710af4dd9b04410

SHA512
5d845efe7dbd9826c272bf4191f21367dc1486b55334ee06123f386dd12f8b5de0c98770be3ef3ba0b263e606069ac38e52c8bd489a018aa1af63be1517cbcd8

Download Submit
C:\Config.Msi\e57f429.rbs

Filesize
456B

MD5
41dd1d540bf5d4e15b39172606efc07b

SHA1
a7ea9e2c2de0ecc098216eb0abe7edeffc5764d0

SHA256
419c98f66f9f563c5034e3b58f510d073be863de4fe12bf161c80107c6190691

SHA512
e6695aa952486392e3914c9ca1f3c13a37b9fd36845a5817f4cadac552d34bb89753be7254a8007b328f0ad77771fba53acd9c19f232662b58d12b737301abf4

Download Submit
C:\Program Files\WireGuard\wireguard.exe

Filesize
7.8MB

MD5
18d5b6964a434af936e1db19d969dbbb

SHA1
61ab3ac36394d5a49b6e24cf6498a1f80f3a6a99

SHA256
32717d15b57965adf78b33f61db32cb26e11759dd78d441a218dd349c731a160

SHA512
73588b50a865f0191c057e0896e93168b54436656a2c08ca7f2777593bb528e2ab16c5a37dafa7489765f2736381a9ccf4bfa43374da22208c3a87c14165bb03

Download Submit
C:\Program Files\WireGuard\wireguard.exe

Filesize
7.8MB

MD5
18d5b6964a434af936e1db19d969dbbb

SHA1
61ab3ac36394d5a49b6e24cf6498a1f80f3a6a99

SHA256
32717d15b57965adf78b33f61db32cb26e11759dd78d441a218dd349c731a160

SHA512
73588b50a865f0191c057e0896e93168b54436656a2c08ca7f2777593bb528e2ab16c5a37dafa7489765f2736381a9ccf4bfa43374da22208c3a87c14165bb03

Download Submit
C:\Program Files\WireGuard\wireguard.exe

Filesize
7.8MB

MD5
18d5b6964a434af936e1db19d969dbbb

SHA1
61ab3ac36394d5a49b6e24cf6498a1f80f3a6a99

SHA256
32717d15b57965adf78b33f61db32cb26e11759dd78d441a218dd349c731a160

SHA512
73588b50a865f0191c057e0896e93168b54436656a2c08ca7f2777593bb528e2ab16c5a37dafa7489765f2736381a9ccf4bfa43374da22208c3a87c14165bb03

Download Submit
C:\Program Files\WireGuard\wireguard.exe

Filesize
7.8MB

MD5
18d5b6964a434af936e1db19d969dbbb

SHA1
61ab3ac36394d5a49b6e24cf6498a1f80f3a6a99

SHA256
32717d15b57965adf78b33f61db32cb26e11759dd78d441a218dd349c731a160

SHA512
73588b50a865f0191c057e0896e93168b54436656a2c08ca7f2777593bb528e2ab16c5a37dafa7489765f2736381a9ccf4bfa43374da22208c3a87c14165bb03

Download Submit
C:\Program Files\WireGuard\wireguard.exe

Filesize
7.8MB

MD5
18d5b6964a434af936e1db19d969dbbb

SHA1
61ab3ac36394d5a49b6e24cf6498a1f80f3a6a99

SHA256
32717d15b57965adf78b33f61db32cb26e11759dd78d441a218dd349c731a160

SHA512
73588b50a865f0191c057e0896e93168b54436656a2c08ca7f2777593bb528e2ab16c5a37dafa7489765f2736381a9ccf4bfa43374da22208c3a87c14165bb03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\026A86A161D256DBB33076EDF20C0E5E_86AB612B21DEDF3B8CD155ED2E4114FF

Filesize
812B

MD5
25c5faca96f6451a176f9e3776b22324

SHA1
66339a1e2c9fa166c00bc135a42c9a35b1fed9f2

SHA256
5ca35412eb9395b3a5ff2002aeaff77cf582f76f33647116ed6004f6e79eaddd

SHA512
f868a52d12fe853c28ad4b8c8a0208793341a84aa3bdfa7a1bb8c2088801883f6f08c5212c973c0ecf00261fd47cab72e2d82e25f7b69301510258628a68fc93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D

Filesize
1KB

MD5
c3a139540d2c2c61078b106b4f8a9b36

SHA1
b01e3444da82b7260107731332530d984fbd8085

SHA256
75541e200b7ecf6003a95a2a940db0ce2b3fdd35fb905b7a212d644a49511c5f

SHA512
a29b4f1aa8d39ce95bbda5dbd1bffdd0e1aeaa82df7a9733c62caa450d30c59d12531037b86922ba8af8e8c82b037abf724887106514de596e22bf1aa40cbd70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AF360AACB1570042DEFBC833317997D0_6D40F27EBCB4D57A7D8447DAAC4FFE30

Filesize
806B

MD5
5f8ef5be1bdcc35ab5f3c3c65aa8ccc5

SHA1
94017ddc70b188b1c11aae087b5078b80ce6a3d3

SHA256
9f1218c50bdb829232ec4f5deea027072514cd3b833e60f527377dca1f25325c

SHA512
daf243ed3ec9f6d3251f69a3dfc792901a1970d8575425c35145b0f52dc854c6081be2dfa26798ea8098eaee2965d04f5fa09b21262f54cad8a33162641b11dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\026A86A161D256DBB33076EDF20C0E5E_86AB612B21DEDF3B8CD155ED2E4114FF

Filesize
540B

MD5
064ba62f2999fe8c0c4d79a3392d9012

SHA1
559eea8d95f1acd40918c5689dd33704fb5934a5

SHA256
efa717bd6bd238f3d89f8eef00d17f2ea80afa7c9f2b80cf1ef07dfc1c3db3a6

SHA512
9c2c41faebc1e92b92eb528954baf0f579d608e2dd1a5580955d742183d4a1e7b91393555bac61ae5ad809f5d56e18b27730ac5c3968dc23fdc965ac699c01c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D

Filesize
528B

MD5
d5854eee04e61874d33eec288413785a

SHA1
63266cc62b7997596b50eabe598665b52439f79e

SHA256
cb7f1fc84f54296a5fc52746c309f2c783b3f16846339e212dd5acefdcbbf3f7

SHA512
b80dadadaaa0e1f3262cf59bf5894e1198dc8d5beb2fab6d78ab6cac3e3c0414ab8615e80785638d7aaf11c1bcf07e2e3f0b2d45e956e52cd7ba512426dcfb4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AF360AACB1570042DEFBC833317997D0_6D40F27EBCB4D57A7D8447DAAC4FFE30

Filesize
540B

MD5
cd751674db4e247ed0f51bb3e174b810

SHA1
e29d44376481a2b2a8a3c11763a161ed627f5383

SHA256
636780663de17c519171c0470793886b05ee1a4664f0e1713663c3d44ff4ec90

SHA512
5e15f0887488652f4195fd3c758f05c93b8bd717a7314d2fe10c97333fe5e4c86a0a88b7a2a0b91adb868b2d609bc8abc1a663c4aeeff5b82f5a7819492f9af7

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\16RIF1SA.exe

Filesize
183KB

MD5
64a509a5d856c0e1bc482e64e5ea8556

SHA1
ac04f5364ce8df715bc99f9d7bae5725c18dde59

SHA256
d366f0980a9c490f3a9a2c6a7680d011899f345fd2d0bdc5c1642b436bbab262

SHA512
d424681e9398409db1846303e06b873de9bed8644c627df798bb90094aace358432b2e302e0a0a20b703a231023ba0f9a6ac603dd34d82417070e363c6ab917a

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\16RIF1SA.exe

Filesize
183KB

MD5
64a509a5d856c0e1bc482e64e5ea8556

SHA1
ac04f5364ce8df715bc99f9d7bae5725c18dde59

SHA256
d366f0980a9c490f3a9a2c6a7680d011899f345fd2d0bdc5c1642b436bbab262

SHA512
d424681e9398409db1846303e06b873de9bed8644c627df798bb90094aace358432b2e302e0a0a20b703a231023ba0f9a6ac603dd34d82417070e363c6ab917a

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\16RIF1SA.exe

Filesize
183KB

MD5
64a509a5d856c0e1bc482e64e5ea8556

SHA1
ac04f5364ce8df715bc99f9d7bae5725c18dde59

SHA256
d366f0980a9c490f3a9a2c6a7680d011899f345fd2d0bdc5c1642b436bbab262

SHA512
d424681e9398409db1846303e06b873de9bed8644c627df798bb90094aace358432b2e302e0a0a20b703a231023ba0f9a6ac603dd34d82417070e363c6ab917a

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\IREHE5WL.exe

Filesize
85KB

MD5
1cf9257c07936d7fbf508dc113e9b6d5

SHA1
324f8a1f0779fe42baabc544bc7f6814a3d150ca

SHA256
eeee2b0a6ad1c7e4614fed4dfbe58b63776f6a3a6758267b5a976b4dc4315f48

SHA512
081fa75e73138fb403aa01cb09f3051b7ee6954ab0a15366016cabe873d7a64f8374c85d9bcdf068fa019930419c818d102063983a5547ae5107773fe25e5c12

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\IREHE5WL.exe

Filesize
85KB

MD5
1cf9257c07936d7fbf508dc113e9b6d5

SHA1
324f8a1f0779fe42baabc544bc7f6814a3d150ca

SHA256
eeee2b0a6ad1c7e4614fed4dfbe58b63776f6a3a6758267b5a976b4dc4315f48

SHA512
081fa75e73138fb403aa01cb09f3051b7ee6954ab0a15366016cabe873d7a64f8374c85d9bcdf068fa019930419c818d102063983a5547ae5107773fe25e5c12

Download Submit
C:\Windows\Installer\MSIF52D.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIF52D.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIF59C.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIF59C.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIF64A.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIF64A.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIF64A.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIF699.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIF699.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIF6E8.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIF6E8.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIF708.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIF708.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Temp\e01f385500de93fbb92306238bdaad977b93f8ef0c5ecdddcc36b3f59cdacc74

Filesize
2.7MB

MD5
7b284c4a07504facad872fbc4348b663

SHA1
1c88b528f51bfdff964580567860de85bbb7363d

SHA256
76fcec042c5989c5b816cd32eaed1e5b1c3b998a4b1c9eca55f299e3314ef7e4

SHA512
fdb8a2fbe22f80331114db09b297fcb19d870bfbed2d49cc567b3df8d179d5b47774cc915bed7cf78d8b5a716645ca11ecd019126f35e10839da631c6af0ec77

Download Submit
C:\Windows\Temp\e01f385500de93fbb92306238bdaad977b93f8ef0c5ecdddcc36b3f59cdacc74

Filesize
2.7MB

MD5
7b284c4a07504facad872fbc4348b663

SHA1
1c88b528f51bfdff964580567860de85bbb7363d

SHA256
76fcec042c5989c5b816cd32eaed1e5b1c3b998a4b1c9eca55f299e3314ef7e4

SHA512
fdb8a2fbe22f80331114db09b297fcb19d870bfbed2d49cc567b3df8d179d5b47774cc915bed7cf78d8b5a716645ca11ecd019126f35e10839da631c6af0ec77

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
43d1e647e45a548dc7fdbad391bb7784

SHA1
535284748bef860782605c639acc5e5a861da003

SHA256
6381130fa23f9eb5be35c7aee3561886e7f8da2473557caf9b5286b5ede06cba

SHA512
c51f8f0af2b41cf481df4815778807c21b949feb035c05f89fadda64edcf873e2fd64a791d8bfa5c3b90aa578443b7d4681c528e7584ff2b52e807be43a10081

Download Submit
\??\Volume{692520d5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4531d007-ec00-4376-b7e0-1f8ab83b09ec}_OnDiskSnapshotProp

Filesize
5KB

MD5
696bb525d22d270d9f5ad11c2c9bfa04

SHA1
ad52068b016fd4f6638592db6ab27975faf954bb

SHA256
7c2b9c1d6ef618f250a0e5f3bd070026842dfb6999a75c32220824f867ec052e

SHA512
ae4e20e60b68e46f88c5ea57543b9c02b6e1be763ad4ad69c73eb729ca0a717976f87dbfe461cbcbbce466d25e6c5d668a2fd35b0114aaa02aba8797d93c68a6

Download Submit
memory/4080-55-0x00007FF90B2B0000-0x00007FF90BD71000-memory.dmp

Filesize
10.8MB

Download
memory/4080-0-0x0000000000230000-0x00000000002EA000-memory.dmp

Filesize
744KB

Download
memory/4080-3-0x00007FF90B2B0000-0x00007FF90BD71000-memory.dmp

Filesize
10.8MB

Download
memory/4552-57-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/4552-25-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/4552-63-0x0000000006AD0000-0x0000000006ADA000-memory.dmp

Filesize
40KB

Download
memory/4552-58-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/4552-28-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/4552-27-0x0000000004D70000-0x0000000004E0C000-memory.dmp

Filesize
624KB

Download
memory/4552-26-0x0000000004CD0000-0x0000000004D62000-memory.dmp

Filesize
584KB

Download
memory/4552-29-0x0000000005190000-0x00000000051A8000-memory.dmp

Filesize
96KB

Download
memory/4552-24-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/4552-23-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/4552-30-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/4552-61-0x0000000006610000-0x000000000661A000-memory.dmp

Filesize
40KB

Download
memory/4552-62-0x0000000006A40000-0x0000000006A90000-memory.dmp

Filesize
320KB

Download
memory/4552-142-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/4552-144-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download