2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4

Analysis

max time kernel
119s
max time network
147s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe
Size

400KB
MD5

9476b5f481090ea650cfc65e017dc41c
SHA1

0fa937125a55c299a48d3e1485fee16646555087
SHA256

2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4
SHA512

f97c6bf23101bf357d8e4a4ae47421ecfe8f12c821c036e09a4768a8f0dd9e12ba128cf5f10a0f5d4767ac6a3b7f3497f95ffc07d18ac2b9b4a14c9a2c9c9b6d
SSDEEP

12288:/4sAED7kDhOztcOTx00ll7Qbnck6i+JQnlopoMaJU:iEXkDQztfe0szc3nCloy7

Score

10^/10

persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\howto_recover_file_ddpdn.txt

Ransom Note

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen ? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://fg347djvb.poin84mdgu9e.com/59DA59EF51E586 2. http://hfy28djd6dh.rg7hdts4d2sjfy.com/59DA59EF51E586 3. https://3st7uyjfocyourll.onion.to/59DA59EF51E586 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: 3st7uyjfocyourll.onion/59DA59EF51E586 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your personal pages: http://fg347djvb.poin84mdgu9e.com/59DA59EF51E586 http://hfy28djd6dh.rg7hdts4d2sjfy.com/59DA59EF51E586 https://3st7uyjfocyourll.onion.to/59DA59EF51E586 Your personal page (using TOR): 3st7uyjfocyourll.onion/59DA59EF51E586 Your personal identification number (if you open the site (or TOR 's) directly): 59DA59EF51E586

URLs

http://fg347djvb.poin84mdgu9e.com/59DA59EF51E586

http://hfy28djd6dh.rg7hdts4d2sjfy.com/59DA59EF51E586

https://3st7uyjfocyourll.onion.to/59DA59EF51E586

http://3st7uyjfocyourll.onion/59DA59EF51E586

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (408) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2072	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_ddpdn.html	lowlc-a.exe

Executes dropped EXE 2 IoCs

pid	Process
2648	lowlc-a.exe
2608	lowlc-a.exe

Loads dropped DLL 3 IoCs

pid	Process
1412	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe
1412	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe
2648	lowlc-a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\qewr2342 = "C:\\Users\\Admin\\AppData\\Roaming\\lowlc-a.exe"	lowlc-a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qewr2342 = "C:\\Users\\Admin\\AppData\\Roaming\\lowlc-a.exe"	lowlc-a.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	myexternalip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1540 set thread context of 1412	1540	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	29
PID 2648 set thread context of 2608	2648	lowlc-a.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv	lowlc-a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png	lowlc-a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png	lowlc-a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\howto_recover_file_ddpdn.html	lowlc-a.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\de-DE\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\howto_recover_file_ddpdn.html	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png	lowlc-a.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\es-ES\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\howto_recover_file_ddpdn.html	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\3.png	lowlc-a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\howto_recover_file_ddpdn.html	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Defender\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_SelectionSubpicture.png	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png	lowlc-a.exe
File opened for modification	C:\Program Files\Windows NT\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\picturePuzzle.css	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_rainy.png	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\settings.js	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\settings.js	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png	lowlc-a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\settings.css	lowlc-a.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\settings.js	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\howto_recover_file_ddpdn.html	lowlc-a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\howto_recover_file_ddpdn.html	lowlc-a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png	lowlc-a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\COPYING.txt	lowlc-a.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png	lowlc-a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_dot.png	lowlc-a.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\howto_recover_file_ddpdn.html	lowlc-a.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\howto_recover_file_ddpdn.html	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\flyout.css	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\howto_recover_file_ddpdn.html	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\howto_recover_file_ddpdn.txt	lowlc-a.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\it-IT\howto_recover_file_ddpdn.html	lowlc-a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\howto_recover_file_ddpdn.html	lowlc-a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\howto_recover_file_ddpdn.html	lowlc-a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\howto_recover_file_ddpdn.html	lowlc-a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1436	vssadmin.exe
2116	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1FCED891-AF1D-11EE-BEA9-FE29290FA5F9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410986881"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0a854f42943da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000033b2baa7c38bc34eb000abaaaac06d7800000000020000000000106600000001000020000000260ad44a43797ca901829730d164ed3fea8f32dda516eeed193e7b7442a96360000000000e80000000020000200000007e424cdfc56c10348ba629ecaf451302a62cb32cde0e4853ac71b245e47ac8fb900000000aebb7b4ac2a4a120056306743c549794109fd5f9f914179a514f52407b566357bea965af622f5b48bb67cf2d8d0e013b305d89f712b5e5a3907d60ee3a3611fcbf1bb81dfcfa9b0849103b1709547f34d223c3d96acf7e53274b6d2cd9479867462d3c97472f60dcaf0ec8c7fd6a9c4b9806dc380b91ea3e76b9a6201cf1c00aa55645de1f500f0348b3f5ad07515fb4000000004d14a5807536736afd57f4b293a6a3bab91930219bd142e32db43c6c0b55f34e142a5ca456cb6cac462c17c14c1ae6aa3cddd84caa06291a2bac7896d7cf095	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000033b2baa7c38bc34eb000abaaaac06d7800000000020000000000106600000001000020000000db8e64a6778d274e0808126799baca8a2a9c415119fb7123291ee4f570c5ce99000000000e800000000200002000000032ec14d96fb2ed3c2060d75570fc50c5af0f58a4ae941dc6c83d44aadf60778a2000000044446c510272d99a144e26bd58ea9f6370a6d6e3e00ee762b3db07000c8583e340000000eb9d10b5dfe7482157abf91f8021956fdff1495b5417bb83d3ecefdf568a5ac68cda9b931683e8f7608550e3d3a0d54bd04d438012f610b6c83a09c696c6c145	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	lowlc-a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	lowlc-a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	lowlc-a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lowlc-a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lowlc-a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lowlc-a.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2448	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe
2608	lowlc-a.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1540	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe
Token: SeDebugPrivilege	1412	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe
Token: SeSecurityPrivilege	2648	lowlc-a.exe
Token: SeDebugPrivilege	2608	lowlc-a.exe
Token: SeBackupPrivilege	2732	vssvc.exe
Token: SeRestorePrivilege	2732	vssvc.exe
Token: SeAuditPrivilege	2732	vssvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2100	iexplore.exe
2792	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2100	iexplore.exe
2100	iexplore.exe
2536	IEXPLORE.EXE
2536	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1412	1540	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	29
PID 1540 wrote to memory of 1412	1540	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	29
PID 1540 wrote to memory of 1412	1540	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	29
PID 1540 wrote to memory of 1412	1540	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	29
PID 1540 wrote to memory of 1412	1540	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	29
PID 1540 wrote to memory of 1412	1540	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	29
PID 1540 wrote to memory of 1412	1540	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	29
PID 1540 wrote to memory of 1412	1540	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	29
PID 1540 wrote to memory of 1412	1540	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	29
PID 1540 wrote to memory of 1412	1540	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	29
PID 1540 wrote to memory of 1412	1540	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	29
PID 1412 wrote to memory of 2648	1412	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	33
PID 1412 wrote to memory of 2648	1412	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	33
PID 1412 wrote to memory of 2648	1412	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	33
PID 1412 wrote to memory of 2648	1412	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	33
PID 1412 wrote to memory of 2072	1412	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	30
PID 1412 wrote to memory of 2072	1412	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	30
PID 1412 wrote to memory of 2072	1412	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	30
PID 1412 wrote to memory of 2072	1412	2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe	30
PID 2648 wrote to memory of 2608	2648	lowlc-a.exe	34
PID 2648 wrote to memory of 2608	2648	lowlc-a.exe	34
PID 2648 wrote to memory of 2608	2648	lowlc-a.exe	34
PID 2648 wrote to memory of 2608	2648	lowlc-a.exe	34
PID 2648 wrote to memory of 2608	2648	lowlc-a.exe	34
PID 2648 wrote to memory of 2608	2648	lowlc-a.exe	34
PID 2648 wrote to memory of 2608	2648	lowlc-a.exe	34
PID 2648 wrote to memory of 2608	2648	lowlc-a.exe	34
PID 2648 wrote to memory of 2608	2648	lowlc-a.exe	34
PID 2648 wrote to memory of 2608	2648	lowlc-a.exe	34
PID 2648 wrote to memory of 2608	2648	lowlc-a.exe	34
PID 2608 wrote to memory of 1436	2608	lowlc-a.exe	38
PID 2608 wrote to memory of 1436	2608	lowlc-a.exe	38
PID 2608 wrote to memory of 1436	2608	lowlc-a.exe	38
PID 2608 wrote to memory of 1436	2608	lowlc-a.exe	38
PID 2608 wrote to memory of 2448	2608	lowlc-a.exe	41
PID 2608 wrote to memory of 2448	2608	lowlc-a.exe	41
PID 2608 wrote to memory of 2448	2608	lowlc-a.exe	41
PID 2608 wrote to memory of 2448	2608	lowlc-a.exe	41
PID 2608 wrote to memory of 2100	2608	lowlc-a.exe	44
PID 2608 wrote to memory of 2100	2608	lowlc-a.exe	44
PID 2608 wrote to memory of 2100	2608	lowlc-a.exe	44
PID 2608 wrote to memory of 2100	2608	lowlc-a.exe	44
PID 2100 wrote to memory of 2536	2100	iexplore.exe	43
PID 2100 wrote to memory of 2536	2100	iexplore.exe	43
PID 2100 wrote to memory of 2536	2100	iexplore.exe	43
PID 2100 wrote to memory of 2536	2100	iexplore.exe	43
PID 2608 wrote to memory of 2116	2608	lowlc-a.exe	47
PID 2608 wrote to memory of 2116	2608	lowlc-a.exe	47
PID 2608 wrote to memory of 2116	2608	lowlc-a.exe	47
PID 2608 wrote to memory of 2116	2608	lowlc-a.exe	47
PID 2608 wrote to memory of 2416	2608	lowlc-a.exe	54
PID 2608 wrote to memory of 2416	2608	lowlc-a.exe	54
PID 2608 wrote to memory of 2416	2608	lowlc-a.exe	54
PID 2608 wrote to memory of 2416	2608	lowlc-a.exe	54

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lowlc-a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	lowlc-a.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe
"C:\Users\Admin\AppData\Local\Temp\2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe
  "C:\Users\Admin\AppData\Local\Temp\2159739a68fa270eb94caddbb7f5d132b1175716efab3b3f25f86dc57c4c0db4exe.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\215973~1.EXE
    3⤵
    - Deletes itself
    PID:2072
- - C:\Users\Admin\AppData\Roaming\lowlc-a.exe
    C:\Users\Admin\AppData\Roaming\lowlc-a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Roaming\lowlc-a.exe
      C:\Users\Admin\AppData\Roaming\lowlc-a.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2608
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:1436
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOWTO_RESTORE_FILES.txt
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2448
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\HOWTO_RESTORE_FILES.htm
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2100
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2116
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\lowlc-a.exe
        5⤵
        
        PID:2416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:275457 /prefetch:2
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2536

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\howto_recover_file_ddpdn.html

Filesize
6KB

MD5
7ac0e96cf463fe5498172b481558e6b9

SHA1
ae9575b0c3a588b0dfea622f90102e9cc3b4283e

SHA256
e899843e8b36302eb1b0babdcd163213c9164d57cb0658d6a871d14f6608aae3

SHA512
19c2e86d9ef5a122f68293d50a98bc24fbb55bc210c2449c62a6bec1051f52bb7f8c7db81e207b4f592b93685a604cab57348ce612b2f60c7c171441033bc65e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\howto_recover_file_ddpdn.txt

Filesize
2KB

MD5
b504419e4037af65060117f35dee1be9

SHA1
25f9783c6a81684ca686d8773819685a799ee362

SHA256
27516892ba010a5635d325a5a3d96a09f0b23c6fbc21392dd08e2eabf65f3bd0

SHA512
93870a37aebab7da53e753816fa340dd5b9583dffcfc096d38088cdb41d86ec2ee22e61f5a75824a8c52feab04adfd38278be07650f79d826188d39143de926c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
fcce58bbd95c0fcad7ad3e1139a494f0

SHA1
d052636778e70512a80de69d40315134ab4b6f55

SHA256
31d8028fead6310fff20eb769d4a72f76f088a2898b5be8a00fb63d5d7241b39

SHA512
5ebc5918de507cdfd40ee2fc9e44f54b6d1296f4b9c8a4b3c6e3854c0125d838fa0a472bff3d148629630fd7615d204cb4517b0382dbe813d7771a1009111307

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
85e17d109934b3b72c064621803d85fe

SHA1
bec75c261793b03d83575d22df24085e8e96ad03

SHA256
bdcae84d56a25f58ffe92ecf4319113a79bf0d4f5c1a88fe476db170c28a4b68

SHA512
f49545a1689e87b9839790b356f17809015898f4c3b2b02d7450bfdcd7f6a99b6da0e377b632a01866d2aedc6487973dc69de244968c0bf06e36ad1d8c5a64e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
695d689f80854b1f1de514b90de08175

SHA1
e58985ea3ad5590f9538dddf0012da87d442091e

SHA256
c95b6352f8f1e30cec5128bfa361445627ad4bbd750604a93c1f74641483c188

SHA512
b4c83817d290408345d3ed1f6f71c880f0a8f3782c5327d8a8d764c3578518f8924f2e314b3f71e9e52b89232537953ec14b1fe7280a8d60bd4a32eeb71a88ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c1be163e25dbf49d20085bc5c8670dd

SHA1
7f4f6decc45671c0f839948dfdc59764136d9cca

SHA256
16980a3dd977ad6a21cebc767d885ad714af0b4c54865d9797f50e35ecc63df1

SHA512
0b0c944896d6649b11a3719ec209152e8ce4dcbcdbda27933bf3f381c8a40dba8ef754575ffbbde074d6e6a847066c3b723f2365b26d7952b9efa1dfb8797bc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa82d6af9a26256c87c7535da8d56a1e

SHA1
15f332f995002603c3ef10e38f6e57d9f334c415

SHA256
f8e60a8fa0f62701c024538f4d8efe2a1a9a574d5855a3f29e16f3c14e84c3db

SHA512
b4292f4e7fd37d04a211571e5fef0482f0d26bdeb595e1d18b0aa691d71944d43663780246ceaedc475811a00286d236b18537b2687dc742a38fbce49c845312

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35bcc53dbb5f67c8e6752c8ea2694718

SHA1
2f6941a0a0a78af8b31e15af3387ac87f3dfb09d

SHA256
4eb198eb6669a543564f74ceec812c6c93c54e51b6c0fd2b4593a9aa21291832

SHA512
b06bd4f0a231b396c12107177abb4e3d28bec190a8720e37b900ad2e3c5344479e91673084d8977ef31912372708f7d67bf650f3d67d2482e17f835821c0aa89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f2b0917bd605e83abb8c87c9f03a867b

SHA1
ba899dbc4360499bbe735b6fa7a2267f4e290f33

SHA256
4955276aeab9a45468295863ea638def346900a784584acd088d3415138e0922

SHA512
bfd6cc88a24987e1b1156c1c67c10e1775ac5ca6f4de4425ed8200db69bdbce81c0c12667f716837537774eeb51183477f54b0fee0dca721b0e98e1e66b75c1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
419c2ce81e1481900d5250be06d2ea4b

SHA1
2932e79a02c26569a3e02917807a5d6ebb16a272

SHA256
63154391d388c1da883df6c7ef9b117b582d857c30abf005f2ccd4177549240a

SHA512
de1ab4a58220cd8255c445ad4bfd0f623b883794df53fca9c5235b83c4be6b1dfdb2ef6ed074d9e39e418a610f8a63311e8da7f1abb4a5d7a0f6a433bc410858

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
064c6b65278276bd3113c5213066ec78

SHA1
12031d5b74b39e59c1268761480aa69fd932de9f

SHA256
9d84bb8d5692de6979b1660f9c497e7f1eafaead4c7689a75ca79a1b203f091b

SHA512
d07a02fd4eb62ed598a4c820e5a2770fb105e8362d9ec76886c28dba465ff3a716750b5aac4627b0ea232bd0b579dc63159757a755808b4f59c327e5238b14bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
01f86d8881a31af26beb3d1c8a2bbef5

SHA1
d6f0de5559857d3014c6a3c25c5010239793014d

SHA256
5dffe0ad1c883a2851ebfc795f59eda85a09b3fe51129cd45894eb86be1a1d62

SHA512
e1658160b137513b662ec5621eda796bc7e2442a84e4f03cc7e264957dda30b3dd0babbb56f0534a06ecf6d9adf5ab7c12f7e98f4e9e3c2eb34d7828e2f0d40c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f6574ed30860064d397b5a63dced0c69

SHA1
ada6fbb61c0cf74bde022d24e2f8d7771a29fff6

SHA256
5561934bbadfb1f6ef167beab4276589cf37132ed19940e8389505739e57ae5f

SHA512
76523f4a4a93b092b7d3d80424f194c68834ce7e52cf4ffa1270211086f3be3e482fd36c02e7fbb1b7f886d4c2472404fb63934e51f5d52b521bb7ac3c444cea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
57bcc0716d8a6d094ab4ea2a180beb7c

SHA1
2af77cf7a4eda607ab4dff7f014619156110ee56

SHA256
f4f3a46f51c1cf8dd6dcf66fe81e410690d71a554d57cae998a3a9f341dc7289

SHA512
0e204ead3414a800bfa9768c96cf24dd89c5f7854a9fd36007bb8ec4eff4a6d7a0cfadf9abc4b6f8ebc40647aeeca4cd22de3e0a567929001b1b349ac4ad16ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b0e62f2f02c39cc584dec2d7344725b

SHA1
425143628ba8eb1c3b5316719f8efca1180d3c5d

SHA256
19a72f91fd864bffd461238c0e91b476d66884f82da339eb80564e15837b4b3d

SHA512
f19297ad4a019dc3c429146647f46ec18dd4ff44c8ac03f8dd5bf6573bd2244e8dac580679e934829cd9a31c52c6785ddcab893aca9c6ff52055f1057b6126ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b28db732a52852e46cfa8e619810329

SHA1
02b62843447f982a029b3dbce53d5ac3d5981196

SHA256
967e2f66288a2fc7a73da8550c3755db70aa114fcbbde6de373e42a62f91d58f

SHA512
4a1d40b3f9e038f2cbf85d5a049b998600953727d8b1b396a73060e444f7d02f61f5ba4761486c36abf5287c7d577ca87b3a2075647f80802aa4e3b20ca3f938

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f074168b63c8904f0560094a0ecea6ed

SHA1
3163bf73492fb549a19c38c1eaa737d198d3d36d

SHA256
bfb28486700c8371f22d639841f2bca0a140eee6d1ab60d946a5887e2625967b

SHA512
e9b0dd0b8ba0d9a0f238da61745c23183183ff8162604fd8dbc4c70540a8e10fb36374bce3f2b738b773f992bfaf4e5ae641660323354357ed0964cc94d3e27d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
179380611bce79432e64b24737142ef7

SHA1
722fdc094dd1b1f4dc41406b4304137992b68c93

SHA256
59b94dcb6a7056a424478e8de3a512c76e971dca759bd059940f160b8c882862

SHA512
bae4fd17bbe2232a99091fa0239a3af889285cf5d9ef49f58f913b3331dea196b7d27c8410bbb397541b222d68c2c5e2667a24670b80a8fa8850f0e562c06131

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Roaming\lowlc-a.exe

Filesize
93KB

MD5
891cefe5912bdd526dc1886895094520

SHA1
4a02bda8820b2cb1ac541250997d13c372ad8f94

SHA256
74bb946899d937d18bfcbc72ea7368617d7b03f3793cdb66b14cb68de0bc4b0c

SHA512
fe7cddf31af1c1508a38423b65d862a4fe2b7771b1e942cb2801093eb1a4c34b1de79cd0c893472f2e180884336f9ccd9c825e3dea7e433132291d452328a140

Download Submit
C:\Users\Admin\AppData\Roaming\lowlc-a.exe

Filesize
92KB

MD5
7d0004e7846975096a5234afbcda0d86

SHA1
28d414fdf7d2a96bece4ddba28cdbfa1d66c09a0

SHA256
62646ed84957329ff0dbc405acd8ee393326b44d380dfa96f4985e5c23074082

SHA512
aa63cf15cac38998499ca0b07a8e2ab584aef22217fcb54c3115e034482ce4f8caf1d8a4121596257fab88e42a67531d27f01035c422a802b1c4ba52ed66f736

Download Submit
C:\Users\Admin\Desktop\HOWTO_RESTORE_FILES.bmp

Filesize
1.6MB

MD5
a5401d7dbf97ab90c01490f3815c9dbb

SHA1
c7b012eed66371e64d56ef7e1fa2c62404519fda

SHA256
4d742a40d03192ba54a21ce3b4b9d1a798815a70251431d44567245e7d073fc8

SHA512
51093d810ff0099d475148f2251573d5857e0b9e250c8e6dbf572653026c80413ae5cfe42b8b4b645ab1491c5762193455c126d166dfdc90a6f6d22db2512de9

Download Submit
memory/1412-16-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1412-23-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1412-14-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1412-8-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1412-38-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1412-6-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1412-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1412-10-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1412-12-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1412-20-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1412-24-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1540-21-0x00000000003F0000-0x00000000003F3000-memory.dmp

Filesize
12KB

Download
memory/1540-5-0x0000000000640000-0x0000000000659000-memory.dmp

Filesize
100KB

Download
memory/1540-4-0x00000000003F0000-0x00000000003F3000-memory.dmp

Filesize
12KB

Download
memory/2608-4302-0x0000000003DB0000-0x0000000003DB2000-memory.dmp

Filesize
8KB

Download
memory/2608-62-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2608-59-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2608-4295-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2608-1915-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2608-4729-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2608-4728-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2608-4776-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2608-908-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2608-60-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2608-61-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2608-64-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2608-5024-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2608-5023-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2608-65-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2608-66-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2648-37-0x0000000000350000-0x0000000000369000-memory.dmp

Filesize
100KB

Download
memory/2792-4981-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2792-4306-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2792-4303-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download