metasploit | 82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9

Resubmissions

09-04-2024 07:01

240409-htps3scd2w 10

09-04-2024 07:01

09-04-2024 07:00

09-04-2024 07:00

07-03-2024 22:29

Analysis

max time kernel
299s
max time network
291s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

metasploit redline risepro stealc xworm zgrat 6077866846 backdoor discovery infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

6077866846

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

metasploit

Version

metasploit_stager

91.92.247.21:8405

Extracted

Family

stealc

http://185.172.128.209

Attributes

url_path
/3cd2b41cbde8fc9c.php

Extracted

Family

xworm

94.156.8.213:58002

Attributes

Install_directory
%Public%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/352-821-0x0000000000B10000-0x0000000000B26000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe	family_xworm

Detect ZGRat V1 32 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2220-561-0x000000001C2C0000-0x000000001C536000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-562-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-563-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-565-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-567-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-571-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-573-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-578-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-576-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-588-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-601-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-605-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-608-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-612-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-614-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-617-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-619-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-621-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-623-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-625-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-627-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-629-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-631-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-633-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-635-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-637-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-639-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-641-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-643-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-645-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2220-648-0x000000001C2C0000-0x000000001C531000-memory.dmp	family_zgrat_v1
behavioral1/memory/2644-856-0x000000001EF30000-0x000000001F040000-memory.dmp	family_zgrat_v1

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2228-178-0x0000000000070000-0x0000000000092000-memory.dmp	family_redline
behavioral1/memory/2228-183-0x0000000004260000-0x00000000042A0000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Executes dropped EXE 21 IoCs

Processes:

crypted6077866846MVYQY.exei1gcbW1E.exedisable-defender.exepclient.exeresponsibilitylead.exeMStore.exeProps.exewininit.exe1234.exeISetup8.exetest2.exeun8.0.exeun8.1.exeMService.exe1111.exeISetup2.exeTester.exesvchost.exeresponsiibilitylead.exe555.exesvchost.exe

pid	process
2228	crypted6077866846MVYQY.exe
996	i1gcbW1E.exe
1536	disable-defender.exe
900	pclient.exe
2220	responsibilitylead.exe
1864	MStore.exe
892	Props.exe
2668	wininit.exe
1744	1234.exe
836	ISetup8.exe
2428	test2.exe
2532	un8.0.exe
1244	un8.1.exe
1700	MService.exe
1516	1111.exe
2652	ISetup2.exe
2044	Tester.exe
352	svchost.exe
1444	responsiibilitylead.exe
2088	555.exe
1976	svchost.exe

Loads dropped DLL 28 IoCs

Processes:

New Text Document mod.exepclient.exeISetup8.exeMStore.exeun8.0.exe

pid	process
2964	New Text Document mod.exe
2964	New Text Document mod.exe
2964	New Text Document mod.exe
1564
2964	New Text Document mod.exe
900	pclient.exe
2964	New Text Document mod.exe
3044
2964	New Text Document mod.exe
2964	New Text Document mod.exe
2964	New Text Document mod.exe
2964	New Text Document mod.exe
836	ISetup8.exe
836	ISetup8.exe
836	ISetup8.exe
836	ISetup8.exe
836	ISetup8.exe
836	ISetup8.exe
836	ISetup8.exe
836	ISetup8.exe
1864	MStore.exe
1864	MStore.exe
2964	New Text Document mod.exe
2964	New Text Document mod.exe
2532	un8.0.exe
2532	un8.0.exe
2964	New Text Document mod.exe
2964	New Text Document mod.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pclient.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	pclient.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

12 raw.githubusercontent.com
13 raw.githubusercontent.com
27 pastebin.com
29 pastebin.com

flow	ioc
12	raw.githubusercontent.com
13	raw.githubusercontent.com
27	pastebin.com
29	pastebin.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe	autoit_exe

Drops file in System32 directory 1 IoCs

Processes:

MStore.exe

description ioc process

File created C:\Windows\SysWOW64\MService.exe MStore.exe
Drops file in Windows directory 2 IoCs

Processes:

Tester.exe

description ioc process

File created C:\Windows\svchost.exe Tester.exe
File opened for modification C:\Windows\svchost.exe Tester.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\MService.exe	MStore.exe

description	ioc	process
File created	C:\Windows\svchost.exe	Tester.exe
File opened for modification	C:\Windows\svchost.exe	Tester.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

un8.1.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	un8.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	un8.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	un8.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

un8.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	un8.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	un8.0.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

MStore.exeNew Text Document mod.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	MStore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	MStore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	New Text Document mod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	MStore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	MStore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	MStore.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

crypted6077866846MVYQY.exedisable-defender.exepowershell.exeun8.0.exeTester.exepowershell.exepowershell.exesvchost.exe

pid	process
2228	crypted6077866846MVYQY.exe
1536	disable-defender.exe
2272	powershell.exe
2228	crypted6077866846MVYQY.exe
2228	crypted6077866846MVYQY.exe
2228	crypted6077866846MVYQY.exe
2228	crypted6077866846MVYQY.exe
2228	crypted6077866846MVYQY.exe
2228	crypted6077866846MVYQY.exe
2228	crypted6077866846MVYQY.exe
2532	un8.0.exe
2044	Tester.exe
2044	Tester.exe
2044	Tester.exe
2044	Tester.exe
2044	Tester.exe
332	powershell.exe
1944	powershell.exe
1976	svchost.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

New Text Document mod.execrypted6077866846MVYQY.exedisable-defender.exeresponsibilitylead.exepowershell.exesvchost.exeTester.exeresponsiibilitylead.exevssvc.exepowershell.exepowershell.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2964	New Text Document mod.exe
Token: SeDebugPrivilege	2228	crypted6077866846MVYQY.exe
Token: SeDebugPrivilege	1536	disable-defender.exe
Token: SeImpersonatePrivilege	1536	disable-defender.exe
Token: SeDebugPrivilege	2220	responsibilitylead.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	352	svchost.exe
Token: SeDebugPrivilege	2044	Tester.exe
Token: SeDebugPrivilege	1444	responsiibilitylead.exe
Token: SeBackupPrivilege	2568	vssvc.exe
Token: SeRestorePrivilege	2568	vssvc.exe
Token: SeAuditPrivilege	2568	vssvc.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1976	svchost.exe
Token: SeDebugPrivilege	1976	svchost.exe
Token: SeDebugPrivilege	1976	svchost.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

wininit.exeun8.1.exe

pid process

2668 wininit.exe
2668 wininit.exe
1244 un8.1.exe
1244 un8.1.exe
1244 un8.1.exe
1244 un8.1.exe
1244 un8.1.exe
1244 un8.1.exe
1244 un8.1.exe
Suspicious use of SendNotifyMessage 9 IoCs

Processes:

wininit.exeun8.1.exe

pid process

2668 wininit.exe
2668 wininit.exe
1244 un8.1.exe
1244 un8.1.exe
1244 un8.1.exe
1244 un8.1.exe
1244 un8.1.exe
1244 un8.1.exe
1244 un8.1.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

1976 svchost.exe

pid	process
2668	wininit.exe
2668	wininit.exe
1244	un8.1.exe
1244	un8.1.exe
1244	un8.1.exe
1244	un8.1.exe
1244	un8.1.exe
1244	un8.1.exe
1244	un8.1.exe

pid	process
2668	wininit.exe
2668	wininit.exe
1244	un8.1.exe
1244	un8.1.exe
1244	un8.1.exe
1244	un8.1.exe
1244	un8.1.exe
1244	un8.1.exe
1244	un8.1.exe

pid	process
1976	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document mod.exepclient.exeMStore.execmd.exeISetup8.exe

description	pid	process	target process
PID 2964 wrote to memory of 2228	2964	New Text Document mod.exe	crypted6077866846MVYQY.exe
PID 2964 wrote to memory of 2228	2964	New Text Document mod.exe	crypted6077866846MVYQY.exe
PID 2964 wrote to memory of 2228	2964	New Text Document mod.exe	crypted6077866846MVYQY.exe
PID 2964 wrote to memory of 2228	2964	New Text Document mod.exe	crypted6077866846MVYQY.exe
PID 2964 wrote to memory of 996	2964	New Text Document mod.exe	i1gcbW1E.exe
PID 2964 wrote to memory of 996	2964	New Text Document mod.exe	i1gcbW1E.exe
PID 2964 wrote to memory of 996	2964	New Text Document mod.exe	i1gcbW1E.exe
PID 2964 wrote to memory of 1536	2964	New Text Document mod.exe	disable-defender.exe
PID 2964 wrote to memory of 1536	2964	New Text Document mod.exe	disable-defender.exe
PID 2964 wrote to memory of 1536	2964	New Text Document mod.exe	disable-defender.exe
PID 2964 wrote to memory of 900	2964	New Text Document mod.exe	pclient.exe
PID 2964 wrote to memory of 900	2964	New Text Document mod.exe	pclient.exe
PID 2964 wrote to memory of 900	2964	New Text Document mod.exe	pclient.exe
PID 900 wrote to memory of 2220	900	pclient.exe	responsibilitylead.exe
PID 900 wrote to memory of 2220	900	pclient.exe	responsibilitylead.exe
PID 900 wrote to memory of 2220	900	pclient.exe	responsibilitylead.exe
PID 2964 wrote to memory of 1864	2964	New Text Document mod.exe	MStore.exe
PID 2964 wrote to memory of 1864	2964	New Text Document mod.exe	MStore.exe
PID 2964 wrote to memory of 1864	2964	New Text Document mod.exe	MStore.exe
PID 1864 wrote to memory of 1652	1864	MStore.exe	cmd.exe
PID 1864 wrote to memory of 1652	1864	MStore.exe	cmd.exe
PID 1864 wrote to memory of 1652	1864	MStore.exe	cmd.exe
PID 2964 wrote to memory of 892	2964	New Text Document mod.exe	Props.exe
PID 2964 wrote to memory of 892	2964	New Text Document mod.exe	Props.exe
PID 2964 wrote to memory of 892	2964	New Text Document mod.exe	Props.exe
PID 1652 wrote to memory of 2272	1652	cmd.exe	powershell.exe
PID 1652 wrote to memory of 2272	1652	cmd.exe	powershell.exe
PID 1652 wrote to memory of 2272	1652	cmd.exe	powershell.exe
PID 2964 wrote to memory of 2668	2964	New Text Document mod.exe	wininit.exe
PID 2964 wrote to memory of 2668	2964	New Text Document mod.exe	wininit.exe
PID 2964 wrote to memory of 2668	2964	New Text Document mod.exe	wininit.exe
PID 2964 wrote to memory of 2668	2964	New Text Document mod.exe	wininit.exe
PID 2964 wrote to memory of 1744	2964	New Text Document mod.exe	1234.exe
PID 2964 wrote to memory of 1744	2964	New Text Document mod.exe	1234.exe
PID 2964 wrote to memory of 1744	2964	New Text Document mod.exe	1234.exe
PID 2964 wrote to memory of 1744	2964	New Text Document mod.exe	1234.exe
PID 2964 wrote to memory of 836	2964	New Text Document mod.exe	ISetup8.exe
PID 2964 wrote to memory of 836	2964	New Text Document mod.exe	ISetup8.exe
PID 2964 wrote to memory of 836	2964	New Text Document mod.exe	ISetup8.exe
PID 2964 wrote to memory of 836	2964	New Text Document mod.exe	ISetup8.exe
PID 2964 wrote to memory of 836	2964	New Text Document mod.exe	ISetup8.exe
PID 2964 wrote to memory of 836	2964	New Text Document mod.exe	ISetup8.exe
PID 2964 wrote to memory of 836	2964	New Text Document mod.exe	ISetup8.exe
PID 2964 wrote to memory of 2428	2964	New Text Document mod.exe	test2.exe
PID 2964 wrote to memory of 2428	2964	New Text Document mod.exe	test2.exe
PID 2964 wrote to memory of 2428	2964	New Text Document mod.exe	test2.exe
PID 836 wrote to memory of 2532	836	ISetup8.exe	un8.0.exe
PID 836 wrote to memory of 2532	836	ISetup8.exe	un8.0.exe
PID 836 wrote to memory of 2532	836	ISetup8.exe	un8.0.exe
PID 836 wrote to memory of 2532	836	ISetup8.exe	un8.0.exe
PID 836 wrote to memory of 1244	836	ISetup8.exe	un8.1.exe
PID 836 wrote to memory of 1244	836	ISetup8.exe	un8.1.exe
PID 836 wrote to memory of 1244	836	ISetup8.exe	un8.1.exe
PID 836 wrote to memory of 1244	836	ISetup8.exe	un8.1.exe
PID 1864 wrote to memory of 1700	1864	MStore.exe	MService.exe
PID 1864 wrote to memory of 1700	1864	MStore.exe	MService.exe
PID 1864 wrote to memory of 1700	1864	MStore.exe	MService.exe
PID 2964 wrote to memory of 1516	2964	New Text Document mod.exe	1111.exe
PID 2964 wrote to memory of 1516	2964	New Text Document mod.exe	1111.exe
PID 2964 wrote to memory of 1516	2964	New Text Document mod.exe	1111.exe
PID 2964 wrote to memory of 2652	2964	New Text Document mod.exe	ISetup2.exe
PID 2964 wrote to memory of 2652	2964	New Text Document mod.exe	ISetup2.exe
PID 2964 wrote to memory of 2652	2964	New Text Document mod.exe	ISetup2.exe
PID 2964 wrote to memory of 2652	2964	New Text Document mod.exe	ISetup2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964

C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe
"C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe"
2⤵
- Executes dropped EXE
PID:996

C:\Users\Admin\AppData\Local\Temp\a\disable-defender.exe
"C:\Users\Admin\AppData\Local\Temp\a\disable-defender.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Users\Admin\AppData\Local\Temp\a\pclient.exe
"C:\Users\Admin\AppData\Local\Temp\a\pclient.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Users\Admin\AppData\Local\Temp\a\MStore.exe
"C:\Users\Admin\AppData\Local\Temp\a\MStore.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Add-MpPreference -ExclusionExtension .exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionExtension .exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\SysWOW64\MService.exe
"C:\Windows\SysWOW64\MService.exe"
3⤵
- Executes dropped EXE
PID:1700

C:\Users\Admin\AppData\Local\Temp\a\Props.exe
"C:\Users\Admin\AppData\Local\Temp\a\Props.exe"
2⤵
- Executes dropped EXE
PID:892

C:\Users\Admin\AppData\Local\Temp\a\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2668

C:\Users\Admin\AppData\Local\Temp\a\1234.exe
"C:\Users\Admin\AppData\Local\Temp\a\1234.exe"
2⤵
- Executes dropped EXE
PID:1744

C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\un8.0.exe
"C:\Users\Admin\AppData\Local\Temp\un8.0.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2532

C:\Users\Admin\AppData\Local\Temp\un8.1.exe
"C:\Users\Admin\AppData\Local\Temp\un8.1.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1244

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
4⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\a\test2.exe
"C:\Users\Admin\AppData\Local\Temp\a\test2.exe"
2⤵
- Executes dropped EXE
PID:2428

C:\Users\Admin\AppData\Local\Temp\a\1111.exe
"C:\Users\Admin\AppData\Local\Temp\a\1111.exe"
2⤵
- Executes dropped EXE
PID:1516

C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe"
2⤵
- Executes dropped EXE
PID:2652

C:\Users\Admin\AppData\Local\Temp\a\Tester.exe
"C:\Users\Admin\AppData\Local\Temp\a\Tester.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:352

C:\Users\Admin\AppData\Local\Temp\a\555.exe
"C:\Users\Admin\AppData\Local\Temp\a\555.exe"
2⤵
- Executes dropped EXE
PID:2088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\system32\taskeng.exe
taskeng.exe {213883DD-5FE2-4E73-BDC7-44E2B799ECE2} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
PID:1228

C:\Windows\svchost.exe
C:\Windows\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ffd72ed38e9c301df9fdafa98fa2ff88

SHA1
9064936f95c33a560aa8b3e52303526b3900693a

SHA256
af647422d82515b4ec5019fe94ef5840c365cfcc6712b1938c46419221ca9e9b

SHA512
b45b687a267abdc2b79f457eaa4d1547d73f44279049eaa54aafd746a3c6ae6401ecc7b19fea393888cff7342b174bb8e1981bf814107df8ae21cdfd1e5e1826

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
656bd6cf13195fb01f8db957e4115c64

SHA1
4f57ac6cc65655d82aaf81a2a01f35e389c54e86

SHA256
d92a26752902b643c131da35d7500bed60b332cb53fa9b126083915710b37a43

SHA512
50c1ac3cd9306fea2949e8eca1e94992e0f9e26ff917be1bebdace71feeb535c186402a95cf7a93433238ed68a8e2fb65b3e7af233d824c43299a05dbdbb75d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c43e17af3f37890c15987ca2c1bcc049

SHA1
8f9539d2f77b64d8290166ce80c454bd9f25c953

SHA256
99f2fcb2271915260b442325c11e8c4a2dbacfc46dd9be1fd3102d1e0a2d593c

SHA512
2c1462e40988fe8d43548e11b5ab8d944f739f3b3c8a7ca85a390ab5753bfef6ffa20721792a4d5220703208802c5a88ab87ea34dfe5fe16181678f419ce6128

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
Filesize
6KB

MD5
f7930c4859ccd34bd2b80a9995f49926

SHA1
8b5b95fb51619e20246f90d60f2137da7654fc5e

SHA256
163969ebee8180e125eb00c02307adda1eb31174ba6f7e011b7b4b3441d8950a

SHA512
8f5a440541b227083f3d2a3a251758bf699a290db3c066ae3209d4c2df5e1e933b9c24cd4c0da0a7f3cb6ca0ce025acf22f65cc06ee1e306ecb9b1318a223a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe
Filesize
6KB

MD5
a0c8b99e0780c3e8f8319f5ec3abf9f4

SHA1
561a59a4d6af134797b2e2907590efee9e519ca3

SHA256
4588ad64c432d7a20ba41949327be873c25f7eaa0cbba71b3435463739510035

SHA512
30bd51b731ab989188ae3597f37ba74d56d78287afcb2c2243f657a131618ba6e83d34b82253b6d42efab7a01da0397fb496478628393b4cffca4c907d39f961

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar23CD.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1111.exe
Filesize
2.8MB

MD5
e670bdc7c82eee75a6d3ada6a7c9134e

SHA1
b0f0bab6f6e92bc86e86fd7bff93c257a4235859

SHA256
a5cf4844df86abc9222fe436dbc0726e09383a61f4708cdc1a3e8a89cc3540fb

SHA512
7384550bb19ccc11243b79d3bfc9c3f25dce84de64891e7f7eb078b246bfedcd26a958a019a3a7b4ecf5ee1c4e8c8d44790f5c958a58266e5676f3a8e58f4643

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1234.exe
Filesize
1.3MB

MD5
5e13199a94cf8664e5bfbe2f68d4738e

SHA1
8cfaa21f68226ae775615f033507b5756f5ccacc

SHA256
71b320a5d9456acc43494213dcd1f4ae8b7f6e27a15ac80cb42df5f19f692ec5

SHA512
b7b682717cd49b9fff9885c85f1421050613559308aa7160dee7ce493d5bff126c8157727d8f88fdfd602092203c64ab0dbff718b7ce7af9f9f2ad8375d703b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\555.exe
Filesize
2.7MB

MD5
7162024dc024bb3311ee1cf81f37a791

SHA1
be03705f33a8205f90330814f525e2e53dfb5871

SHA256
3e39efae22fcda501f858229af27be129f178c85723d4477ef9be2f80b61a8fd

SHA512
94652b8b770fcdd70ee5059b56ce84aee50c46901b6311e2a602cdb4d97b15abd0148ba4e55f225f722d125bf9c3969185bcefaf07f3911a4347d9a0ca8d2d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe
Filesize
413KB

MD5
d388d6918f1e8a6a3b34ad993d8159eb

SHA1
cf3cd31a4dd6571cc78016c7b0f97f621b1f253d

SHA256
27d2a005efcb4da7da558eaafb6bc955a008c4beb5814d262cee38cf379f7645

SHA512
54cdbb862536ce1deffc37c5a185e85e52ea1b69bb4c8e0e9137e4d34787ad4b66b047a90b1dbe6694b1d41233e947ffa7119f08e01616f472daf3f72e35761e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe
Filesize
413KB

MD5
94e9960a45131af61e599acee54d21d6

SHA1
39b03e050337d4eb127ae5ff5f0868e986bec7ad

SHA256
7add2d9d67534037b7ae6e8d1682595f5bc45cd71f6bcc933994f53f5ff00172

SHA512
179f713f0ce01a70b176373d042538f95a1653cf364510b7f35d3d46a7fee2d295c6e24755d2a1363e5ca82494caec8252dd94bcd31c7a015ef5640636f7e81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Props.exe
Filesize
7KB

MD5
9c938f91a0530150a2b1c4546334570c

SHA1
f4ae9acba920744457739fef0205f86443dbdf65

SHA256
35a6319c334d545be1aff625c27d51d583762b44c77f172f532c27021459345a

SHA512
f5b8fa5f95011fe6677f2f751b5364745607a027e49de05d2a11a5bea5040c97b6cb4285007ee34ce05b00217dd9665065b276df21bf37f823691f57ad2a6a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Tester.exe
Filesize
267KB

MD5
0803c1aec008e75859877844cfa81492

SHA1
16924d5802ddf76a2096fcfade0ce06d4c0670bd

SHA256
d5ab98bd209db0ed18272fe616ea4b8be34fd13d36116d25793fa7aa6f8b33e3

SHA512
9001e77da2562652ae51bdb3b8b9bfe686d0ed0c4eb8d338b20b7c4eb6eb8e90a4fae01d8212b1908037d5ff456e982500e4907686c38e5c33e969d55ba914d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe
Filesize
524KB

MD5
c8edf453ed433cefb2696bb859e0f782

SHA1
e34cf939d6c5a34c7bedfd885249bb7fb15336e5

SHA256
0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0

SHA512
61d0ba50f9678d6614e4d8ab8b06d759891979e0debfda88246871ee110a07c16ceeed4e7baec475b4b63de851bc5d62c69c5ae41674ffc207b94515f6ab197c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe
Filesize
2.3MB

MD5
262a7eb58a01d1aab21b24292c181cd3

SHA1
535312b7048fb90be981e04ea759c5ad8aaf6eda

SHA256
107090a44888272297ecb7a715a9abca4bc17dafe6aa57505436722a5a9926a6

SHA512
358b34a792eadc739446283e42a352147aac1bad6d9a535eedabeb2427735b03e7977d25086cfa6b6e8e17df628e37d9a8cd584dd1a64d703e99a8f7af1a0e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pclient.exe
Filesize
157KB

MD5
5790d1417f8f00bd7ec6fb7011c79d9c

SHA1
36076ed9457c45d94e664ea291eb01e5c70d084b

SHA256
ad07503bc046f5b3d65eb61646fa826bc39560916c6e1ef2c3437b6465b30a82

SHA512
b19195510624ad16a4730282c97b68d05e4890a33d91f86f24eaf921e23e7786649e4e31aaaec2d9d6c7bb3695c615851d7aed3e53b13083e03acbc8d0543ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
Filesize
66KB

MD5
00135a86ab829fc2d4678179d7a6e70f

SHA1
ef75c259865d7685d566b6e25b7a20d134952555

SHA256
0b8b21af69d0b465b7b8cd584bdba1f86d062bb0c7c51656f36a66fce8e9bd89

SHA512
011389f2bc93f45b36233238a32991823c3334e3259af98e7dd6cedb455fc930d5b603f51bb69e415ab24f285309eda0b272250f1ec82a21508de0681281a0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test2.exe
Filesize
2.7MB

MD5
5347852b24409aed42423f0118637f03

SHA1
6c7947428231ab857ee8c9dab7a7e62fdeed024b

SHA256
a2e678bb376d2dcec5b7d0abac428c87cd8ae75936e28c03cb4232ae97015131

SHA512
0a52f226be962eb8187f444657317d3e0385d9d47d507e6f1c028143f57153a7b8e34ef7b0c8732bb3b3d361da483a13264f511ca5c80cedda3bc439fe936991

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe
Filesize
1.3MB

MD5
ddee86f4db0d3b8010110445b0545526

SHA1
b41380b50d17dd679f85a224771398b81966bb9e

SHA256
0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5

SHA512
4271e530a7090d58e41adc441eed6aacd6238d4e562cbab05bf273549e15a22dda668450746eda64e2435d480dc46531a29de3ba797a235a9c1a411a1f8f3710

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
2KB

MD5
b1df5ce96aa56363ca2d7fd5c93f8a0c

SHA1
39f84fa86ed377237fa323390e63bfd47ec5471d

SHA256
e3bc58d3dabe5664526d6fc03032beb572b1518588cb7fe634e1b7e657924649

SHA512
fd5806535c617d8d188d0cee9dff9da1300e7b24ec23a7d879a078bab01308a9cc1dd9be586e386271618ecc0038b063891d8bb6ae335af2ed12b8867af3a2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
3KB

MD5
847c1d7adcf2a9046bdff113e46ee327

SHA1
9815635c5390a6373e173eaaf4ad29e194b110ee

SHA256
0a6ab53dc1fcbb7ed374ed2d62386bc98b541cb344224f94df2ca8e8d08c95ef

SHA512
9c0361e179fecfeaf08b1320843583087e81401b1f973895e8f0efe349b556493bc4951c19c20cf31d85933c3780a867ad5a93ce41876219dd269137c3985538

Download Submit
C:\Users\Admin\AppData\Local\Temp\un8.0.exe
Filesize
271KB

MD5
b95747cad90e982d44da8fd74f50b9a6

SHA1
d7f267d2042f6b67f63542395ff6a5a1b3ba1250

SHA256
7b4d39265da2ddc442c1bc4335c92fe527bf6b8d644d4d465f1476a97a1fb153

SHA512
615d35780262f55313ccbe31e323bb6ba9787120ce06d5236a74844736543c7551e4e227e350bf1604208095165c42564234bb2dafe575785008683ae4e5393c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
7eab56af44f4b61c4038e0de4ba92634

SHA1
03426c482eb8e0dd058e4f4c73edaad62c6f8607

SHA256
a1450c139763a8c00805b0f71eab9a3402077ac43172e268260767c1c8e3f5a6

SHA512
76398ee863a2fe7e36306c21d91ab9402c3ddb0156e49418c26d685f1bc359143f0b677ba7aaea419a65c3ed38899efff241c9c8b66994fd3a56a21f4b5d93b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DLSEGPT3W08RKVXN185E.temp
Filesize
7KB

MD5
3b048ce0a77f8e3be42be4d9b5ed0e6e

SHA1
6f6a07bce11ccdbf615ffd1543b1ac7770b36a3b

SHA256
b67eb3833db34084be72ded8f650523f72363f1c8d4ea30b05dfc14aa18cfa35

SHA512
5405befaf35bf37c5ba1e6dfb3b138c9c0c59ead87b3f173bfcd3d5b048e6054cf226afebd5d9dcf7a701a7e231d440a8d30d0aa804c8c9f5af49c4a765ca963

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\a\555.exe
Filesize
1.9MB

MD5
7bd6badeb0f6d1aa8e216ab823c02f0c

SHA1
7fced2644b3b027d4fa44271907ba29c909c3f39

SHA256
2d9fc05fc146d5c8517644717b6a5fa4170b3d7424c44b493bdaea3577f8d594

SHA512
114b7864a3715707d1c8c08eef9acd99f0c8dc6531a205e4d18be89ec6301a86e410d14f6f886ed1a3b5f3c1e81d44b1a8a894c320b69a99f362426510b54c3a

Download Submit
\Users\Admin\AppData\Local\Temp\a\555.exe
Filesize
2.1MB

MD5
0b46e766d3b77c96be73d500a576aa53

SHA1
fde8266a6cbe8c0773563e2d4b4e6ae5e22699d8

SHA256
6a93186aa4a6a4bc070e98e62b5e27600d4525e1aa647deca9f146f97ad445a3

SHA512
d4c3c2c483c90edb023c815a8baa5de99daa2a490901dc4710f8a392741640eebd251527958b3f27640b782530340cd9f34d3d80fe484b6a5bf6ecbbc26cc124

Download Submit
\Users\Admin\AppData\Local\Temp\a\MStore.exe
Filesize
12KB

MD5
282c1ebb16ad0edc41389d1e73a74607

SHA1
fbcdda121484ea6125827ed4e7b1b00f6a88835d

SHA256
7712424f2dec2d08630237c737e5f81789d2e92edc31111c72eaa0388b6df1dc

SHA512
94be4f173c5c63947a6e7902a86c8851ee84a06d1ddec104af91592178adafc3180f652791badc3e0c1139bbc7c9f64b9e47ccd0adadd16159a40ab6c188b292

Download Submit
\Users\Admin\AppData\Local\Temp\a\disable-defender.exe
Filesize
294KB

MD5
10fc8b2915c43aa16b6a2e2b4529adc5

SHA1
0c15286457963eb86d61d83642870a3473ef38fe

SHA256
feb09cc39b1520d228e9e9274500b8c229016d6fc8018a2bf19aa9d3601492c5

SHA512
421631c06408c3be522953459228d2e1d45eeeafce29dba7746c8485a105b59c3a2c0d9e2ffc6d89126cd825ffd09ebe7eb82223a69d1f5caf441feb01e57897

Download Submit
\Users\Admin\AppData\Local\Temp\un8.1.exe
Filesize
1.4MB

MD5
5ac226b79dbc538d948a422b0da803c2

SHA1
ad981113bf43ee0b347f3a0e881496cec0816173

SHA256
615bff877e3efdff24f95f948a536a1f72bee2ad4043e31e1d58cf67f41e0d3e

SHA512
44e46d1a59f18a87b220c7ef1dfcfeb19a8eefb046e64affd6f16e74e733a76075a5f091152656b72cb3f14b25a03d8aa512b44c3e7ddd0d862bab210930de36

Download Submit
\Users\Admin\AppData\Local\Temp\un8.1.exe
Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
\Users\Admin\AppData\Local\Temp\un8.1.exe
Filesize
2.8MB

MD5
74e52168f2ae714da4a52c75e78effcc

SHA1
97636f0e3c47a714a9553924428015584c985ed9

SHA256
f59e0e9ef3491fdbb3b50fa47bba17d6cb54613851c436a27fa417dbcaf3b0f7

SHA512
5d4a160b390c6cbf909bec1f8f39ba8d17ea3965ce11aaf20e232828c11e77cc0fe5413a37dd09e3ccd09c25fbe241df67b409ed36056f446b8e179a6e2f5726

Download Submit
memory/332-886-0x000000001B860000-0x000000001BB42000-memory.dmp

Filesize
2.9MB

Download
memory/332-887-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/352-829-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/352-879-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/352-821-0x0000000000B10000-0x0000000000B26000-memory.dmp

Filesize
88KB

Download
memory/836-698-0x0000000000400000-0x0000000002D44000-memory.dmp

Filesize
41.3MB

Download
memory/836-507-0x0000000002E80000-0x0000000002F80000-memory.dmp

Filesize
1024KB

Download
memory/836-508-0x0000000000240000-0x00000000002AC000-memory.dmp

Filesize
432KB

Download
memory/836-520-0x0000000000400000-0x0000000002D44000-memory.dmp

Filesize
41.3MB

Download
memory/836-693-0x0000000000240000-0x00000000002AC000-memory.dmp

Filesize
432KB

Download
memory/836-690-0x0000000002E80000-0x0000000002F80000-memory.dmp

Filesize
1024KB

Download
memory/892-290-0x0000000140000000-0x0000000140004278-memory.dmp

Filesize
16KB

Download
memory/996-259-0x000000013FF60000-0x00000001401B4000-memory.dmp

Filesize
2.3MB

Download
memory/1244-692-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1444-853-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/1444-861-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/1444-869-0x0000000004700000-0x0000000004740000-memory.dmp

Filesize
256KB

Download
memory/2044-835-0x000000001B050000-0x000000001B0D0000-memory.dmp

Filesize
512KB

Download
memory/2044-828-0x0000000000CA0000-0x0000000000CEA000-memory.dmp

Filesize
296KB

Download
memory/2044-822-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2220-567-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-639-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-272-0x0000000000FC0000-0x0000000000FC6000-memory.dmp

Filesize
24KB

Download
memory/2220-608-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-601-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-612-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-588-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-614-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-576-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-617-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-619-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-621-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-623-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-625-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-627-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-629-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-631-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-633-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-578-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-635-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-637-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-605-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-641-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-643-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-645-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-648-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-573-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-571-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-565-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-688-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2220-563-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-562-0x000000001C2C0000-0x000000001C531000-memory.dmp

Filesize
2.4MB

Download
memory/2220-561-0x000000001C2C0000-0x000000001C536000-memory.dmp

Filesize
2.5MB

Download
memory/2220-279-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2220-713-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/2220-845-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2220-280-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/2228-877-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2228-506-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2228-607-0x0000000004260000-0x00000000042A0000-memory.dmp

Filesize
256KB

Download
memory/2228-183-0x0000000004260000-0x00000000042A0000-memory.dmp

Filesize
256KB

Download
memory/2228-182-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2228-178-0x0000000000070000-0x0000000000092000-memory.dmp

Filesize
136KB

Download
memory/2272-305-0x000007FEEEFE0000-0x000007FEEF97D000-memory.dmp

Filesize
9.6MB

Download
memory/2272-303-0x0000000002C20000-0x0000000002CA0000-memory.dmp

Filesize
512KB

Download
memory/2272-296-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2272-297-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2272-298-0x000007FEEEFE0000-0x000007FEEF97D000-memory.dmp

Filesize
9.6MB

Download
memory/2272-299-0x0000000002C20000-0x0000000002CA0000-memory.dmp

Filesize
512KB

Download
memory/2272-301-0x0000000002C20000-0x0000000002CA0000-memory.dmp

Filesize
512KB

Download
memory/2272-300-0x000007FEEEFE0000-0x000007FEEF97D000-memory.dmp

Filesize
9.6MB

Download
memory/2272-304-0x0000000002C20000-0x0000000002CA0000-memory.dmp

Filesize
512KB

Download
memory/2532-611-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/2532-609-0x0000000002DB0000-0x0000000002EB0000-memory.dmp

Filesize
1024KB

Download
memory/2532-846-0x0000000000400000-0x0000000002D21000-memory.dmp

Filesize
41.1MB

Download
memory/2532-862-0x0000000002DB0000-0x0000000002EB0000-memory.dmp

Filesize
1024KB

Download
memory/2532-616-0x0000000000400000-0x0000000002D21000-memory.dmp

Filesize
41.1MB

Download
memory/2644-836-0x0000000000EF0000-0x00000000047E8000-memory.dmp

Filesize
57.0MB

Download
memory/2644-833-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2644-860-0x000000001EAA0000-0x000000001EB20000-memory.dmp

Filesize
512KB

Download
memory/2644-856-0x000000001EF30000-0x000000001F040000-memory.dmp

Filesize
1.1MB

Download
memory/2644-863-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2652-799-0x0000000002EF0000-0x0000000002FF0000-memory.dmp

Filesize
1024KB

Download
memory/2652-854-0x0000000000400000-0x0000000002D44000-memory.dmp

Filesize
41.3MB

Download
memory/2652-800-0x0000000000400000-0x0000000002D44000-memory.dmp

Filesize
41.3MB

Download
memory/2668-365-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download
memory/2964-364-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2964-302-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2964-873-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2964-774-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2964-289-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2964-717-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2964-0-0x0000000001180000-0x0000000001188000-memory.dmp

Filesize
32KB

Download
memory/2964-291-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2964-2-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2964-1-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download