ammyyadmin | ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619

Analysis

max time kernel
144s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2023 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
Size

2.5MB
MD5

7578811db1dc86e9298cad006320a938
SHA1

42e8584d1d13fdab51fb8f9d05335f4a52ff97ad
SHA256

ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619
SHA512

5263f7335bf8388f1b6c28c2e143c5c56e78c3cdd297dde943489ce909b6faf923d5603a898b1927301e1265ffff9f3a62b61cbdaeaa47d492e41bf36d78a11b
SSDEEP

49152:PJo/il+XOWqWhpXIoGtCGs7avcKgiQW0BepMk4Vm5o:PJbm1GL4Gs7McKgiQBepll

Score

10^/10

ammyyadmin flawedammyy phobos rhadamanthys smokeloader backdoor bootkit collection discovery evasion persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://servermlogs27.xyz/statweb255/

http://servmblog45.xyz/statweb255/

http://demblog575.xyz/statweb255/

http://admlogs85x.xyz/statweb255/

http://blogmstat389.xyz/statweb255/

http://blogmstat255.xyz/statweb255/

rc4.i32

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\4711.tmp\svchost.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\4711.tmp\svchost.exe	family_ammyyadmin

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4628-17-0x0000000003120000-0x0000000003520000-memory.dmp	family_rhadamanthys
behavioral1/memory/4628-18-0x0000000003120000-0x0000000003520000-memory.dmp	family_rhadamanthys
behavioral1/memory/4628-19-0x0000000003120000-0x0000000003520000-memory.dmp	family_rhadamanthys
behavioral1/memory/4628-20-0x0000000003120000-0x0000000003520000-memory.dmp	family_rhadamanthys
behavioral1/memory/4628-30-0x0000000003120000-0x0000000003520000-memory.dmp	family_rhadamanthys
behavioral1/memory/4628-32-0x0000000003120000-0x0000000003520000-memory.dmp	family_rhadamanthys

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe

description pid process target process

PID 4628 created 3092 4628 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4356 bcdedit.exe
2716 bcdedit.exe
Renames multiple (321) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4484 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

5040 netsh.exe
4484 netsh.exe

description	pid	process	target process
PID 4628 created 3092	4628	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	Explorer.EXE

pid	process
4356	bcdedit.exe
2716	bcdedit.exe

pid	process
4484	wbadmin.exe

pid	process
5040	netsh.exe
4484	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

G64izER5T.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	G64izER5T.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	svchost.exe

Deletes itself 1 IoCs

Processes:

certreq.exe

pid process

232 certreq.exe
Drops startup file 1 IoCs

Processes:

9333.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\9333.exe 9333.exe
Executes dropped EXE 10 IoCs

Processes:

oEq.exe~1j%([6%P.exeG64izER5T.exeoEq.exeoEq.exe9333.exe9333.exe9333.exe9333.exesvchost.exe

pid process

1176 oEq.exe
2052 ~1j%([6%P.exe
2988 G64izER5T.exe
3848 oEq.exe
1244 oEq.exe
3880 9333.exe
1960 9333.exe
4492 9333.exe
2496 9333.exe
2960 svchost.exe
Loads dropped DLL 3 IoCs

Processes:

G64izER5T.exerundll32.exe

pid process

2988 G64izER5T.exe
2988 G64izER5T.exe
3824 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
232	certreq.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\9333.exe	9333.exe

pid	process
1176	oEq.exe
2052	~1j%([6%P.exe
2988	G64izER5T.exe
3848	oEq.exe
1244	oEq.exe
3880	9333.exe
1960	9333.exe
4492	9333.exe
2496	9333.exe
2960	svchost.exe

pid	process
2988	G64izER5T.exe
2988	G64izER5T.exe
3824	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9333.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9333 = "C:\\Users\\Admin\\AppData\\Local\\9333.exe"	9333.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9333 = "C:\\Users\\Admin\\AppData\\Local\\9333.exe"	9333.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

Processes:

9333.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	9333.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1873812795-1433807462-1429862679-1000\desktop.ini	9333.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1873812795-1433807462-1429862679-1000\desktop.ini	9333.exe
File opened for modification	C:\Program Files\desktop.ini	9333.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

svchost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 svchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exeoEq.exe9333.exe9333.exe

description	pid	process	target process
PID 2020 set thread context of 4628	2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
PID 1176 set thread context of 1244	1176	oEq.exe	oEq.exe
PID 3880 set thread context of 1960	3880	9333.exe	9333.exe
PID 4492 set thread context of 2496	4492	9333.exe	9333.exe

Drops file in Program Files directory 64 IoCs

Processes:

9333.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	9333.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javac.exe.id[6438419B-3483].[[email protected]].8base	9333.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.id[6438419B-3483].[[email protected]].8base	9333.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.tlb.id[6438419B-3483].[[email protected]].8base	9333.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ppd.xrm-ms.id[6438419B-3483].[[email protected]].8base	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSQRY32.CHM	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\TimeCard.xltx	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\THMBNAIL.PNG	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE	9333.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms	9333.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms.id[6438419B-3483].[[email protected]].8base	9333.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Shared.Windows.dll.id[6438419B-3483].[[email protected]].8base	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\msipc.dll.mui	9333.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteFilter.dll.id[6438419B-3483].[[email protected]].8base	9333.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-environment-l1-1-0.dll	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinEditors.v8.1.dll	9333.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets	9333.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Speech.resources.dll	9333.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\hprof.dll.id[6438419B-3483].[[email protected]].8base	9333.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md.id[6438419B-3483].[[email protected]].8base	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MUOPTIN.DLL	9333.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\NETWORK.ELM.id[6438419B-3483].[[email protected]].8base	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql2000.xsl	9333.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	9333.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jli.dll	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms	9333.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][6438419B-3483].[[email protected]].8base	9333.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SignalRClient.dll.id[6438419B-3483].[[email protected]].8base	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms	9333.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.LEX.id[6438419B-3483].[[email protected]].8base	9333.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Resources.pri.id[6438419B-3483].[[email protected]].8base	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml	9333.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ppd.xrm-ms.id[6438419B-3483].[[email protected]].8base	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN097.XML	9333.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML.id[6438419B-3483].[[email protected]].8base	9333.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui	9333.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack.dll.id[6438419B-3483].[[email protected]].8base	9333.exe
File created	C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt.id[6438419B-3483].[[email protected]].8base	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	9333.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	9333.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms.id[6438419B-3483].[[email protected]].8base	9333.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms.id[6438419B-3483].[[email protected]].8base	9333.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms.id[6438419B-3483].[[email protected]].8base	9333.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms	9333.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms.id[6438419B-3483].[[email protected]].8base	9333.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms.id[6438419B-3483].[[email protected]].8base	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms	9333.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll	9333.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\FileSystemMetadata.xml	9333.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\vlc.mo	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms	9333.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL.id[6438419B-3483].[[email protected]].8base	9333.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.TLB.id[6438419B-3483].[[email protected]].8base	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OsfTaskengine.dll.id[6438419B-3483].[[email protected]].8base	9333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml	9333.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4848 2988 WerFault.exe G64izER5T.exe

pid	pid_target	process	target process
4848	2988	WerFault.exe	G64izER5T.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

oEq.exevds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	oEq.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	oEq.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	oEq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

G64izER5T.execertreq.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	G64izER5T.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	G64izER5T.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1956 timeout.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2920 vssadmin.exe

pid	process
1956	timeout.exe

pid	process
2920	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exeff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.execertreq.exeoEq.exeoEq.exeG64izER5T.exeExplorer.EXE

pid	process
2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
4628	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
4628	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
4628	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
4628	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
232	certreq.exe
232	certreq.exe
232	certreq.exe
232	certreq.exe
1176	oEq.exe
1176	oEq.exe
1244	oEq.exe
1244	oEq.exe
2988	G64izER5T.exe
2988	G64izER5T.exe
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3092 Explorer.EXE

pid	process
3092	Explorer.EXE

Suspicious behavior: MapViewOfSection 33 IoCs

Processes:

oEq.exeExplorer.EXEexplorer.exe

pid	process
1244	oEq.exe
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
4000	explorer.exe
4000	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exeoEq.exeExplorer.EXE9333.exe9333.exe9333.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
Token: SeDebugPrivilege	1176	oEq.exe
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeDebugPrivilege	3880	9333.exe
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeDebugPrivilege	4492	9333.exe
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeDebugPrivilege	1960	9333.exe
Token: SeBackupPrivilege	2348	vssvc.exe
Token: SeRestorePrivilege	2348	vssvc.exe
Token: SeAuditPrivilege	2348	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4400	WMIC.exe
Token: SeSecurityPrivilege	4400	WMIC.exe
Token: SeTakeOwnershipPrivilege	4400	WMIC.exe
Token: SeLoadDriverPrivilege	4400	WMIC.exe
Token: SeSystemProfilePrivilege	4400	WMIC.exe
Token: SeSystemtimePrivilege	4400	WMIC.exe
Token: SeProfSingleProcessPrivilege	4400	WMIC.exe
Token: SeIncBasePriorityPrivilege	4400	WMIC.exe
Token: SeCreatePagefilePrivilege	4400	WMIC.exe
Token: SeBackupPrivilege	4400	WMIC.exe
Token: SeRestorePrivilege	4400	WMIC.exe
Token: SeShutdownPrivilege	4400	WMIC.exe
Token: SeDebugPrivilege	4400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4400	WMIC.exe
Token: SeRemoteShutdownPrivilege	4400	WMIC.exe
Token: SeUndockPrivilege	4400	WMIC.exe
Token: SeManageVolumePrivilege	4400	WMIC.exe
Token: 33	4400	WMIC.exe
Token: 34	4400	WMIC.exe
Token: 35	4400	WMIC.exe
Token: 36	4400	WMIC.exe
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	4400	WMIC.exe
Token: SeSecurityPrivilege	4400	WMIC.exe
Token: SeTakeOwnershipPrivilege	4400	WMIC.exe
Token: SeLoadDriverPrivilege	4400	WMIC.exe
Token: SeSystemProfilePrivilege	4400	WMIC.exe
Token: SeSystemtimePrivilege	4400	WMIC.exe
Token: SeProfSingleProcessPrivilege	4400	WMIC.exe
Token: SeIncBasePriorityPrivilege	4400	WMIC.exe
Token: SeCreatePagefilePrivilege	4400	WMIC.exe
Token: SeBackupPrivilege	4400	WMIC.exe
Token: SeRestorePrivilege	4400	WMIC.exe
Token: SeShutdownPrivilege	4400	WMIC.exe
Token: SeDebugPrivilege	4400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4400	WMIC.exe
Token: SeRemoteShutdownPrivilege	4400	WMIC.exe
Token: SeUndockPrivilege	4400	WMIC.exe
Token: SeManageVolumePrivilege	4400	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

svchost.exe

pid process

2960 svchost.exe

pid	process
2960	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exeff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exeoEq.exeG64izER5T.execmd.exeExplorer.EXE9333.exe9333.exe9333.execmd.execmd.exe

description	pid	process	target process
PID 2020 wrote to memory of 2692	2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
PID 2020 wrote to memory of 2692	2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
PID 2020 wrote to memory of 2692	2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
PID 2020 wrote to memory of 1300	2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
PID 2020 wrote to memory of 1300	2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
PID 2020 wrote to memory of 1300	2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
PID 2020 wrote to memory of 4628	2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
PID 2020 wrote to memory of 4628	2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
PID 2020 wrote to memory of 4628	2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
PID 2020 wrote to memory of 4628	2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
PID 2020 wrote to memory of 4628	2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
PID 2020 wrote to memory of 4628	2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
PID 2020 wrote to memory of 4628	2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
PID 2020 wrote to memory of 4628	2020	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
PID 4628 wrote to memory of 232	4628	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	certreq.exe
PID 4628 wrote to memory of 232	4628	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	certreq.exe
PID 4628 wrote to memory of 232	4628	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	certreq.exe
PID 4628 wrote to memory of 232	4628	ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe	certreq.exe
PID 1176 wrote to memory of 3848	1176	oEq.exe	oEq.exe
PID 1176 wrote to memory of 3848	1176	oEq.exe	oEq.exe
PID 1176 wrote to memory of 3848	1176	oEq.exe	oEq.exe
PID 1176 wrote to memory of 1244	1176	oEq.exe	oEq.exe
PID 1176 wrote to memory of 1244	1176	oEq.exe	oEq.exe
PID 1176 wrote to memory of 1244	1176	oEq.exe	oEq.exe
PID 1176 wrote to memory of 1244	1176	oEq.exe	oEq.exe
PID 1176 wrote to memory of 1244	1176	oEq.exe	oEq.exe
PID 1176 wrote to memory of 1244	1176	oEq.exe	oEq.exe
PID 2988 wrote to memory of 4220	2988	G64izER5T.exe	cmd.exe
PID 2988 wrote to memory of 4220	2988	G64izER5T.exe	cmd.exe
PID 2988 wrote to memory of 4220	2988	G64izER5T.exe	cmd.exe
PID 4220 wrote to memory of 1956	4220	cmd.exe	timeout.exe
PID 4220 wrote to memory of 1956	4220	cmd.exe	timeout.exe
PID 4220 wrote to memory of 1956	4220	cmd.exe	timeout.exe
PID 3092 wrote to memory of 3880	3092	Explorer.EXE	9333.exe
PID 3092 wrote to memory of 3880	3092	Explorer.EXE	9333.exe
PID 3092 wrote to memory of 3880	3092	Explorer.EXE	9333.exe
PID 3880 wrote to memory of 1960	3880	9333.exe	9333.exe
PID 3880 wrote to memory of 1960	3880	9333.exe	9333.exe
PID 3880 wrote to memory of 1960	3880	9333.exe	9333.exe
PID 3880 wrote to memory of 1960	3880	9333.exe	9333.exe
PID 3880 wrote to memory of 1960	3880	9333.exe	9333.exe
PID 3880 wrote to memory of 1960	3880	9333.exe	9333.exe
PID 3880 wrote to memory of 1960	3880	9333.exe	9333.exe
PID 3880 wrote to memory of 1960	3880	9333.exe	9333.exe
PID 3880 wrote to memory of 1960	3880	9333.exe	9333.exe
PID 3880 wrote to memory of 1960	3880	9333.exe	9333.exe
PID 4492 wrote to memory of 2496	4492	9333.exe	9333.exe
PID 4492 wrote to memory of 2496	4492	9333.exe	9333.exe
PID 4492 wrote to memory of 2496	4492	9333.exe	9333.exe
PID 4492 wrote to memory of 2496	4492	9333.exe	9333.exe
PID 4492 wrote to memory of 2496	4492	9333.exe	9333.exe
PID 4492 wrote to memory of 2496	4492	9333.exe	9333.exe
PID 4492 wrote to memory of 2496	4492	9333.exe	9333.exe
PID 4492 wrote to memory of 2496	4492	9333.exe	9333.exe
PID 4492 wrote to memory of 2496	4492	9333.exe	9333.exe
PID 4492 wrote to memory of 2496	4492	9333.exe	9333.exe
PID 1960 wrote to memory of 4300	1960	9333.exe	cmd.exe
PID 1960 wrote to memory of 4300	1960	9333.exe	cmd.exe
PID 1960 wrote to memory of 4380	1960	9333.exe	cmd.exe
PID 1960 wrote to memory of 4380	1960	9333.exe	cmd.exe
PID 4380 wrote to memory of 4484	4380	cmd.exe	netsh.exe
PID 4380 wrote to memory of 4484	4380	cmd.exe	wbadmin.exe
PID 4300 wrote to memory of 2920	4300	cmd.exe	vssadmin.exe
PID 4300 wrote to memory of 2920	4300	cmd.exe	vssadmin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Users\Admin\AppData\Local\Temp\ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
  "C:\Users\Admin\AppData\Local\Temp\ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
    C:\Users\Admin\AppData\Local\Temp\ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
    3⤵
    PID:2692
- - C:\Users\Admin\AppData\Local\Temp\ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
    C:\Users\Admin\AppData\Local\Temp\ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4628
- - C:\Users\Admin\AppData\Local\Temp\ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
    C:\Users\Admin\AppData\Local\Temp\ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
    3⤵
    PID:1300
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Deletes itself
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:232
- C:\Users\Admin\AppData\Local\Temp\9333.exe
  C:\Users\Admin\AppData\Local\Temp\9333.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Users\Admin\AppData\Local\Temp\9333.exe
    C:\Users\Admin\AppData\Local\Temp\9333.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\9333.exe
      "C:\Users\Admin\AppData\Local\Temp\9333.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4492
    - - C:\Users\Admin\AppData\Local\Temp\9333.exe
        
        C:\Users\Admin\AppData\Local\Temp\9333.exe
        5⤵
        Executes dropped EXE
        
        PID:2496
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4300
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2920
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4356
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2716
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:4484
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4380
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        5⤵
        Modifies Windows Firewall
        
        PID:4484
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=disable
        5⤵
        Modifies Windows Firewall
        
        PID:5040
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:1332
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:5004
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:4896
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:808
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:4176
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1176
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2664
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:4884
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:3880
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:3460
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:296
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:912
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2120
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:620
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Suspicious behavior: MapViewOfSection
  PID:4000
- - C:\Users\Admin\AppData\Local\Temp\4711.tmp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\4711.tmp\svchost.exe -debug
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of FindShellTrayWindow
    PID:2960
  - - C:\Windows\SYSTEM32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\4711.tmp\aa_nts.dll",run
      4⤵
      Loads dropped DLL
      PID:3824

C:\Users\Admin\AppData\Local\Microsoft\oEq.exe
"C:\Users\Admin\AppData\Local\Microsoft\oEq.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Microsoft\oEq.exe
  C:\Users\Admin\AppData\Local\Microsoft\oEq.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Users\Admin\AppData\Local\Microsoft\oEq.exe
  C:\Users\Admin\AppData\Local\Microsoft\oEq.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1244

C:\Users\Admin\AppData\Local\Microsoft\~1j%([6%P.exe
"C:\Users\Admin\AppData\Local\Microsoft\~1j%([6%P.exe"
1⤵
- Executes dropped EXE
PID:2052

C:\Users\Admin\AppData\Local\Microsoft\G64izER5T.exe
"C:\Users\Admin\AppData\Local\Microsoft\G64izER5T.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Microsoft\G64izER5T.exe" & del "C:\ProgramData\*.dll"" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:1956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 2428
  2⤵
  - Program crash
  PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2988 -ip 2988
1⤵
PID:4276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2780

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2824

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4900

C:\Users\Admin\AppData\Roaming\bjgedie
C:\Users\Admin\AppData\Roaming\bjgedie
1⤵
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[6438419B-3483].[[email protected]].8base

Filesize
2.7MB

MD5
e01fd98166ea3b557442b1be1db44667

SHA1
a3905e07b0b8e32241afc1b77dbee7f2f6104f10

SHA256
97eed8c172b3fcec3ffc48ec5a7eda26410c71a29492bda3c5db1e068a78455a

SHA512
ac6bb72607724c9342755ff2e36e443f04875f667a1d84416326aa8fc2d035a628dbda9a5456362a8fbe4786ae275cba3e2aee7fa55b7e708723fb8973c0b1fe

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\9333.exe

Filesize
2.6MB

MD5
f4d64c9ae825a8b1e0db64c93d37eb2a

SHA1
03d03b2fcafc1fc36b960b6351e951fe40fb0c66

SHA256
c83894f6f01a0d4a492c2e05966816e27dac6b9093f83b499b6a5b2f28b53cec

SHA512
5bc061c49628d4c72114366ef81b451f44f14d2ab8a8dedb9699d894156091dab2dca4f04f810651397876959139e8a28d6acba81da803b3e723c834d88749fa

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9333.exe.log

Filesize
1016B

MD5
4353288293ab8929e492327245a7ccb2

SHA1
89b365f2f5e14faaf17715e5764b60d344250d67

SHA256
61954fc5184dd88a959f803ee98ca9af53eb0c942dbb00b98ba4f8a46081b587

SHA512
48c07ca1b769cf02af6ec938aad8b5a03133e82a451bdff5a03bf4ba47cfd7add0ab28ee6622c22fb54e127472a7cf68dd7d05da15ec439cc18aed2ca76cd08a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\G64izER5T.exe

Filesize
284KB

MD5
72415112539a03fe18a25f3924650d06

SHA1
e371c4a85311200f061871455c9496e7ea1e552f

SHA256
0890a21c1f335ae3c5c73f158659204204bc4ba403edbc34b37b856cfe1af8d7

SHA512
281bb33bd0b84761fe5ed540885e4952b3c87929098463be4fda008a750efc428df3eb2b93f4c1339d8505abf3d2b2b5d1560163bc04beb78d203ec65f5bed16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\G64izER5T.exe

Filesize
284KB

MD5
72415112539a03fe18a25f3924650d06

SHA1
e371c4a85311200f061871455c9496e7ea1e552f

SHA256
0890a21c1f335ae3c5c73f158659204204bc4ba403edbc34b37b856cfe1af8d7

SHA512
281bb33bd0b84761fe5ed540885e4952b3c87929098463be4fda008a750efc428df3eb2b93f4c1339d8505abf3d2b2b5d1560163bc04beb78d203ec65f5bed16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\oEq.exe

Filesize
2.5MB

MD5
a5e52d00a57904485aeb8e6580ce4666

SHA1
8f10588d8fcb6bb4d734c6e31fdaf2c165f87d92

SHA256
13d55838fe9e2e638ea8d21e86dab4fc28c8d9ba94526b79d48d0e83ce21fe71

SHA512
f14ca4c6017ffff6df0141cd706770225b9418029b69e37ff1f7d50ce2941cefb1e3f6d20df1897cb6cf3dc8db8e171d4ee94b72dac0b9375c31cb2e652b0b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\oEq.exe

Filesize
2.5MB

MD5
a5e52d00a57904485aeb8e6580ce4666

SHA1
8f10588d8fcb6bb4d734c6e31fdaf2c165f87d92

SHA256
13d55838fe9e2e638ea8d21e86dab4fc28c8d9ba94526b79d48d0e83ce21fe71

SHA512
f14ca4c6017ffff6df0141cd706770225b9418029b69e37ff1f7d50ce2941cefb1e3f6d20df1897cb6cf3dc8db8e171d4ee94b72dac0b9375c31cb2e652b0b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\oEq.exe

Filesize
2.5MB

MD5
a5e52d00a57904485aeb8e6580ce4666

SHA1
8f10588d8fcb6bb4d734c6e31fdaf2c165f87d92

SHA256
13d55838fe9e2e638ea8d21e86dab4fc28c8d9ba94526b79d48d0e83ce21fe71

SHA512
f14ca4c6017ffff6df0141cd706770225b9418029b69e37ff1f7d50ce2941cefb1e3f6d20df1897cb6cf3dc8db8e171d4ee94b72dac0b9375c31cb2e652b0b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\oEq.exe

Filesize
2.5MB

MD5
a5e52d00a57904485aeb8e6580ce4666

SHA1
8f10588d8fcb6bb4d734c6e31fdaf2c165f87d92

SHA256
13d55838fe9e2e638ea8d21e86dab4fc28c8d9ba94526b79d48d0e83ce21fe71

SHA512
f14ca4c6017ffff6df0141cd706770225b9418029b69e37ff1f7d50ce2941cefb1e3f6d20df1897cb6cf3dc8db8e171d4ee94b72dac0b9375c31cb2e652b0b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\~1j%([6%P.exe

Filesize
968KB

MD5
2a40a56b3dbe361864baac57a7815de4

SHA1
a0b67c7eb5bb378010ada7a3cf6bfe4101df9049

SHA256
3d62c31dd2a3749a264d72bd87c287c9367d3198d612c5566ca54809b714af99

SHA512
6c426f00cac5bbf67fd6e56c95561b8ad94da32d1199cfbf5d9e3b2627b39cdf8e089856fd346a44097006a0f32a78480b32554f39ba4ceaf72182126f78e4b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\~1j%([6%P.exe

Filesize
968KB

MD5
2a40a56b3dbe361864baac57a7815de4

SHA1
a0b67c7eb5bb378010ada7a3cf6bfe4101df9049

SHA256
3d62c31dd2a3749a264d72bd87c287c9367d3198d612c5566ca54809b714af99

SHA512
6c426f00cac5bbf67fd6e56c95561b8ad94da32d1199cfbf5d9e3b2627b39cdf8e089856fd346a44097006a0f32a78480b32554f39ba4ceaf72182126f78e4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1048.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\4711.tmp\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4711.tmp\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4711.tmp\aa_nts.msg

Filesize
46B

MD5
3f05819f995b4dafa1b5d55ce8d1f411

SHA1
404449b79a16bfc4f64f2fd55cd73d5d27a85d71

SHA256
7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0

SHA512
34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026

Download Submit
C:\Users\Admin\AppData\Local\Temp\4711.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\4711.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\9333.exe

Filesize
2.6MB

MD5
f4d64c9ae825a8b1e0db64c93d37eb2a

SHA1
03d03b2fcafc1fc36b960b6351e951fe40fb0c66

SHA256
c83894f6f01a0d4a492c2e05966816e27dac6b9093f83b499b6a5b2f28b53cec

SHA512
5bc061c49628d4c72114366ef81b451f44f14d2ab8a8dedb9699d894156091dab2dca4f04f810651397876959139e8a28d6acba81da803b3e723c834d88749fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\9333.exe

Filesize
2.6MB

MD5
f4d64c9ae825a8b1e0db64c93d37eb2a

SHA1
03d03b2fcafc1fc36b960b6351e951fe40fb0c66

SHA256
c83894f6f01a0d4a492c2e05966816e27dac6b9093f83b499b6a5b2f28b53cec

SHA512
5bc061c49628d4c72114366ef81b451f44f14d2ab8a8dedb9699d894156091dab2dca4f04f810651397876959139e8a28d6acba81da803b3e723c834d88749fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\9333.exe

Filesize
2.6MB

MD5
f4d64c9ae825a8b1e0db64c93d37eb2a

SHA1
03d03b2fcafc1fc36b960b6351e951fe40fb0c66

SHA256
c83894f6f01a0d4a492c2e05966816e27dac6b9093f83b499b6a5b2f28b53cec

SHA512
5bc061c49628d4c72114366ef81b451f44f14d2ab8a8dedb9699d894156091dab2dca4f04f810651397876959139e8a28d6acba81da803b3e723c834d88749fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\9333.exe

Filesize
2.6MB

MD5
f4d64c9ae825a8b1e0db64c93d37eb2a

SHA1
03d03b2fcafc1fc36b960b6351e951fe40fb0c66

SHA256
c83894f6f01a0d4a492c2e05966816e27dac6b9093f83b499b6a5b2f28b53cec

SHA512
5bc061c49628d4c72114366ef81b451f44f14d2ab8a8dedb9699d894156091dab2dca4f04f810651397876959139e8a28d6acba81da803b3e723c834d88749fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\9333.exe

Filesize
2.6MB

MD5
f4d64c9ae825a8b1e0db64c93d37eb2a

SHA1
03d03b2fcafc1fc36b960b6351e951fe40fb0c66

SHA256
c83894f6f01a0d4a492c2e05966816e27dac6b9093f83b499b6a5b2f28b53cec

SHA512
5bc061c49628d4c72114366ef81b451f44f14d2ab8a8dedb9699d894156091dab2dca4f04f810651397876959139e8a28d6acba81da803b3e723c834d88749fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF7.tmp

Filesize
92KB

MD5
4bd8313fab1caf1004295d44aab77860

SHA1
0b84978fd191001c7cf461063ac63b243ffb7283

SHA256
604e2ecd34c77664dae4ceb0dab0b3e4bb6afb2778d3ed21f8d8791edd1408d9

SHA512
ca96d92a8abbd3a762e19f8e77514ee0018b7e5dc21493c37e83e22047b3cc892eced2fc80b78e6861bb972e20b93007eb46bcb7b562965be2bfa98a24c2ed65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\cookies.sqlite.id[6438419B-3483].[[email protected]].8base

Filesize
96KB

MD5
e81ca85dd3ea4824dba3bc6d7ffd24c4

SHA1
90179e23dc133ca5ab429a6dca791e74570a42bf

SHA256
1e01065b6272f94d19cd1282cdad1e1d014dd62c79d2bd93662f0c01e9b88ecd

SHA512
19e422044432da08329126445b5437a64b1e1f0ce98408d15f4701606b43c67821df0b2d850c18c0ed7eb4666ffda97beafd36b021f3abafa7edf1d1a97c5b2b

Download Submit
C:\Users\Admin\AppData\Roaming\bjgedie

Filesize
2.3MB

MD5
791147ed059d663af515fc859977cdeb

SHA1
6810607e9675118b73c4e9ad8f785fd320dee4de

SHA256
568a0946df892f6460b40b03ceaaecfac76c953cf97e5c0a1eaa03b1bc950b6c

SHA512
8ccf807e551e02a60753189d4aa21ff83b6ba0c943f65c1b66b5c5bab204fcbaf5e21864ad30638b86c88a5490c6fd3b403fdb793d6380a395c86f8074ce5aeb

Download Submit
C:\Users\Admin\AppData\Roaming\bjgedie

Filesize
2.5MB

MD5
373c5c9f13e29e5645bae98ac0b19244

SHA1
c95981705d7ca8c8239e67343bbf5126c0b726ca

SHA256
e5aab2aa82e052559739b7e1c9f15fde7a943d4acbaad7dfec89259726f8035e

SHA512
d7f257476784fd9ed32ad49a2ca351225331da4b0269eee92cd7dc9d2e98f9390f3c2c34ccc9bee941d3bbf40d25de55f729d47ec8837f5cdb5b9f2c9ccac81b

Download Submit
memory/232-33-0x000001EE20750000-0x000001EE20753000-memory.dmp

Filesize
12KB

Download
memory/232-37-0x00007FF485570000-0x00007FF48569F000-memory.dmp

Filesize
1.2MB

Download
memory/232-39-0x00007FF485570000-0x00007FF48569F000-memory.dmp

Filesize
1.2MB

Download
memory/232-41-0x00007FF485570000-0x00007FF48569F000-memory.dmp

Filesize
1.2MB

Download
memory/232-43-0x00007FF485570000-0x00007FF48569F000-memory.dmp

Filesize
1.2MB

Download
memory/232-44-0x00007FF485570000-0x00007FF48569F000-memory.dmp

Filesize
1.2MB

Download
memory/232-45-0x00007FF485570000-0x00007FF48569F000-memory.dmp

Filesize
1.2MB

Download
memory/232-46-0x00007FFF802D0000-0x00007FFF804C5000-memory.dmp

Filesize
2.0MB

Download
memory/232-47-0x00007FF485570000-0x00007FF48569F000-memory.dmp

Filesize
1.2MB

Download
memory/232-48-0x00007FF485570000-0x00007FF48569F000-memory.dmp

Filesize
1.2MB

Download
memory/232-49-0x00007FF485570000-0x00007FF48569F000-memory.dmp

Filesize
1.2MB

Download
memory/232-50-0x00007FF485570000-0x00007FF48569F000-memory.dmp

Filesize
1.2MB

Download
memory/232-51-0x00007FF485570000-0x00007FF48569F000-memory.dmp

Filesize
1.2MB

Download
memory/232-38-0x00007FF485570000-0x00007FF48569F000-memory.dmp

Filesize
1.2MB

Download
memory/232-36-0x00007FF485570000-0x00007FF48569F000-memory.dmp

Filesize
1.2MB

Download
memory/232-35-0x00007FF485570000-0x00007FF48569F000-memory.dmp

Filesize
1.2MB

Download
memory/232-55-0x00007FFF802D0000-0x00007FFF804C5000-memory.dmp

Filesize
2.0MB

Download
memory/232-121-0x00007FFF802D0000-0x00007FFF804C5000-memory.dmp

Filesize
2.0MB

Download
memory/232-120-0x000001EE227F0000-0x000001EE227F5000-memory.dmp

Filesize
20KB

Download
memory/232-34-0x000001EE227F0000-0x000001EE227F7000-memory.dmp

Filesize
28KB

Download
memory/232-21-0x000001EE20750000-0x000001EE20753000-memory.dmp

Filesize
12KB

Download
memory/808-2856-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download
memory/808-2857-0x0000000000A30000-0x0000000000A3B000-memory.dmp

Filesize
44KB

Download
memory/808-2858-0x0000000000A30000-0x0000000000A3B000-memory.dmp

Filesize
44KB

Download
memory/1176-72-0x0000000006150000-0x0000000006182000-memory.dmp

Filesize
200KB

Download
memory/1176-60-0x0000000005BB0000-0x0000000005CCA000-memory.dmp

Filesize
1.1MB

Download
memory/1176-56-0x0000000000FC0000-0x000000000124E000-memory.dmp

Filesize
2.6MB

Download
memory/1176-70-0x0000000005D50000-0x0000000005D9A000-memory.dmp

Filesize
296KB

Download
memory/1176-71-0x0000000005DC0000-0x0000000005DF2000-memory.dmp

Filesize
200KB

Download
memory/1176-57-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/1176-59-0x0000000005BA0000-0x0000000005BB0000-memory.dmp

Filesize
64KB

Download
memory/1176-78-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/1244-77-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1244-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1244-126-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1332-2329-0x0000000000520000-0x000000000058B000-memory.dmp

Filesize
428KB

Download
memory/1332-1832-0x0000000000800000-0x0000000000875000-memory.dmp

Filesize
468KB

Download
memory/1332-1866-0x0000000000520000-0x000000000058B000-memory.dmp

Filesize
428KB

Download
memory/1960-195-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1960-194-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1960-485-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1960-189-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2020-8-0x00000000057C0000-0x000000000580C000-memory.dmp

Filesize
304KB

Download
memory/2020-9-0x0000000005FF0000-0x0000000006594000-memory.dmp

Filesize
5.6MB

Download
memory/2020-0-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/2020-1-0x00000000005D0000-0x000000000085C000-memory.dmp

Filesize
2.5MB

Download
memory/2020-3-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/2020-15-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/2020-4-0x0000000005330000-0x0000000005526000-memory.dmp

Filesize
2.0MB

Download
memory/2020-5-0x00000000059C0000-0x0000000005A40000-memory.dmp

Filesize
512KB

Download
memory/2020-6-0x00000000056D0000-0x0000000005738000-memory.dmp

Filesize
416KB

Download
memory/2020-7-0x0000000005740000-0x00000000057A8000-memory.dmp

Filesize
416KB

Download
memory/2020-2-0x00000000051F0000-0x0000000005282000-memory.dmp

Filesize
584KB

Download
memory/2496-204-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2988-155-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/2988-171-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/2988-68-0x00000000007B0000-0x00000000007CB000-memory.dmp

Filesize
108KB

Download
memory/2988-161-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/2988-79-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2988-67-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/2988-160-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/2988-69-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/3092-125-0x0000000008650000-0x0000000008666000-memory.dmp

Filesize
88KB

Download
memory/3880-188-0x00000000058E0000-0x0000000005914000-memory.dmp

Filesize
208KB

Download
memory/3880-184-0x0000000005340000-0x0000000005466000-memory.dmp

Filesize
1.1MB

Download
memory/3880-182-0x0000000000760000-0x00000000009FA000-memory.dmp

Filesize
2.6MB

Download
memory/3880-185-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/3880-183-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/3880-186-0x0000000005850000-0x000000000589E000-memory.dmp

Filesize
312KB

Download
memory/3880-187-0x00000000058A0000-0x00000000058D6000-memory.dmp

Filesize
216KB

Download
memory/3880-193-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/4176-2875-0x0000000000C20000-0x0000000000C27000-memory.dmp

Filesize
28KB

Download
memory/4492-203-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/4492-198-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/4628-10-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4628-28-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4628-17-0x0000000003120000-0x0000000003520000-memory.dmp

Filesize
4.0MB

Download
memory/4628-32-0x0000000003120000-0x0000000003520000-memory.dmp

Filesize
4.0MB

Download
memory/4628-31-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4628-29-0x0000000003EE0000-0x0000000003F16000-memory.dmp

Filesize
216KB

Download
memory/4628-30-0x0000000003120000-0x0000000003520000-memory.dmp

Filesize
4.0MB

Download
memory/4628-20-0x0000000003120000-0x0000000003520000-memory.dmp

Filesize
4.0MB

Download
memory/4628-14-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4628-19-0x0000000003120000-0x0000000003520000-memory.dmp

Filesize
4.0MB

Download
memory/4628-16-0x00000000013A0000-0x00000000013A7000-memory.dmp

Filesize
28KB

Download
memory/4628-22-0x0000000003EE0000-0x0000000003F16000-memory.dmp

Filesize
216KB

Download
memory/4628-18-0x0000000003120000-0x0000000003520000-memory.dmp

Filesize
4.0MB

Download
memory/4628-13-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4896-2801-0x0000000000840000-0x0000000000849000-memory.dmp

Filesize
36KB

Download
memory/4896-2798-0x0000000000850000-0x0000000000854000-memory.dmp

Filesize
16KB

Download
memory/5004-2344-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/5004-2341-0x0000000000BE0000-0x0000000000BE7000-memory.dmp

Filesize
28KB

Download