metasploit | 82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9

Resubmissions

09-04-2024 07:01

240409-htps3scd2w 10

09-04-2024 07:01

09-04-2024 07:00

09-04-2024 07:00

07-03-2024 22:29

Analysis

max time kernel
1800s
max time network
1803s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

metasploit redline risepro xworm zgrat 6077866846 backdoor collection discovery evasion infostealer persistence rat spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

6077866846

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

metasploit

Version

metasploit_stager

91.92.247.21:8405

Extracted

Family

xworm

94.156.8.213:58002

Attributes

Install_directory
%Public%
install_file
svchost.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe	family_xworm

Detect ZGRat V1 30 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1576-411-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-415-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-428-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-436-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-439-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-441-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-444-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-453-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-455-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-457-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-459-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-468-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-476-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-478-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-480-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-482-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-487-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-489-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-494-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-499-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-503-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-514-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-535-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-557-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-571-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-579-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-592-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-596-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-599-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-601-0x000000001BCC0000-0x000000001BF31000-memory.dmp	family_zgrat_v1

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/824-231-0x0000000000220000-0x0000000000242000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

mQxBvlTA.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ mQxBvlTA.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	mQxBvlTA.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mQxBvlTA.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mQxBvlTA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mQxBvlTA.exe

Drops startup file 1 IoCs

Processes:

word.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.vbs word.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.vbs	word.exe

Executes dropped EXE 24 IoCs

Processes:

mQxBvlTA.exexIPJVPDq.exeAxTdzZWL.execrypted6077866846MVYQY.exei1gcbW1E.exedisable-defender.exepclient.exeMStore.exeProps.exewininit.exe1234.exeISetup8.exetest2.exeu1f4.0.exe1111.exeISetup2.exeword.exeTester.exesvchost.exeu1f4.1.exe555.exeu1f8.0.exeKJKJJEGIDB.exesvchost.exe

pid	process
364	mQxBvlTA.exe
2952	xIPJVPDq.exe
1080	AxTdzZWL.exe
824	crypted6077866846MVYQY.exe
2092	i1gcbW1E.exe
1856	disable-defender.exe
2120	pclient.exe
3000	MStore.exe
2652	Props.exe
2112	wininit.exe
2116	1234.exe
1840	ISetup8.exe
1524	test2.exe
3032	u1f4.0.exe
2184	1111.exe
1844	ISetup2.exe
1556	word.exe
2520	Tester.exe
2508	svchost.exe
2744	u1f4.1.exe
2380	555.exe
2892	u1f8.0.exe
1864	KJKJJEGIDB.exe
2668	svchost.exe

Loads dropped DLL 33 IoCs

Processes:

xIPJVPDq.exeNew Text Document mod.exeISetup8.exewininit.exeISetup2.exeu1f8.0.execmd.exe

pid	process
2952	xIPJVPDq.exe
2952	xIPJVPDq.exe
2176	New Text Document mod.exe
2176	New Text Document mod.exe
2176	New Text Document mod.exe
2324
2176	New Text Document mod.exe
2176	New Text Document mod.exe
2176	New Text Document mod.exe
2176	New Text Document mod.exe
2924
2176	New Text Document mod.exe
2176	New Text Document mod.exe
1840	ISetup8.exe
1840	ISetup8.exe
1840	ISetup8.exe
1840	ISetup8.exe
2176	New Text Document mod.exe
2176	New Text Document mod.exe
2112	wininit.exe
1840	ISetup8.exe
1840	ISetup8.exe
1840	ISetup8.exe
1840	ISetup8.exe
2176	New Text Document mod.exe
2176	New Text Document mod.exe
1844	ISetup2.exe
1844	ISetup2.exe
1844	ISetup2.exe
1844	ISetup2.exe
2892	u1f8.0.exe
2892	u1f8.0.exe
2584	cmd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe	themida
behavioral1/memory/364-222-0x0000000000040000-0x000000000115C000-memory.dmp	themida
behavioral1/memory/364-223-0x0000000000040000-0x000000000115C000-memory.dmp	themida

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pclient.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	pclient.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

mQxBvlTA.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mQxBvlTA.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

14 raw.githubusercontent.com
15 raw.githubusercontent.com
39 pastebin.com
41 pastebin.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mQxBvlTA.exe

flow	ioc
14	raw.githubusercontent.com
15	raw.githubusercontent.com
39	pastebin.com
41	pastebin.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe	autoit_exe
C:\Users\Admin\AppData\Local\directory\word.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

mQxBvlTA.exe

pid process

364 mQxBvlTA.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

word.exesvchost.exe

description	pid	process	target process
PID 1556 set thread context of 2884	1556	word.exe	svchost.exe
PID 2884 set thread context of 2644	2884	svchost.exe	svchost.exe
PID 2884 set thread context of 2484	2884	svchost.exe	svchost.exe
PID 2884 set thread context of 844	2884	svchost.exe	svchost.exe

Drops file in Windows directory 2 IoCs

Processes:

Tester.exe

description ioc process

File created C:\Windows\svchost.exe Tester.exe
File opened for modification C:\Windows\svchost.exe Tester.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\svchost.exe	Tester.exe
File opened for modification	C:\Windows\svchost.exe	Tester.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

u1f4.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1f4.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1f4.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1f4.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

u1f8.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1f8.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1f8.0.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

New Text Document mod.exeMStore.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	New Text Document mod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	MStore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	MStore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	New Text Document mod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	New Text Document mod.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2432 PING.EXE

pid	process
2432	PING.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

xIPJVPDq.exeAxTdzZWL.execrypted6077866846MVYQY.exedisable-defender.exepowershell.exeTester.exeu1f8.0.exepowershell.exepowershell.exesvchost.exesvchost.exe

pid	process
2952	xIPJVPDq.exe
2952	xIPJVPDq.exe
2952	xIPJVPDq.exe
2952	xIPJVPDq.exe
1080	AxTdzZWL.exe
1080	AxTdzZWL.exe
1080	AxTdzZWL.exe
1080	AxTdzZWL.exe
824	crypted6077866846MVYQY.exe
1856	disable-defender.exe
2240	powershell.exe
2520	Tester.exe
2520	Tester.exe
2520	Tester.exe
2520	Tester.exe
2520	Tester.exe
2520	Tester.exe
2520	Tester.exe
2520	Tester.exe
2520	Tester.exe
2892	u1f8.0.exe
2892	u1f8.0.exe
3008	powershell.exe
1624	powershell.exe
2668	svchost.exe
2644	svchost.exe
2644	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

2884 svchost.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

word.exesvchost.exe

pid process

1556 word.exe
2884 svchost.exe
2884 svchost.exe
2884 svchost.exe

pid	process
2884	svchost.exe

pid	process
1556	word.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

New Text Document mod.exexIPJVPDq.exeAxTdzZWL.execrypted6077866846MVYQY.exedisable-defender.exeresponsibilitylead.exepowershell.exeTester.exesvchost.exemQxBvlTA.exevssvc.exepowershell.exepowershell.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2176	New Text Document mod.exe
Token: SeDebugPrivilege	2952	xIPJVPDq.exe
Token: SeDebugPrivilege	1080	AxTdzZWL.exe
Token: SeDebugPrivilege	824	crypted6077866846MVYQY.exe
Token: SeDebugPrivilege	1856	disable-defender.exe
Token: SeImpersonatePrivilege	1856	disable-defender.exe
Token: SeDebugPrivilege	1576	responsibilitylead.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2520	Tester.exe
Token: SeDebugPrivilege	2508	svchost.exe
Token: SeDebugPrivilege	364	mQxBvlTA.exe
Token: SeBackupPrivilege	2220	vssvc.exe
Token: SeRestorePrivilege	2220	vssvc.exe
Token: SeAuditPrivilege	2220	vssvc.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2668	svchost.exe
Token: SeDebugPrivilege	2668	svchost.exe
Token: SeDebugPrivilege	2668	svchost.exe
Token: SeDebugPrivilege	844	svchost.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

wininit.exeword.exeu1f4.1.exe

pid	process
2112	wininit.exe
2112	wininit.exe
1556	word.exe
1556	word.exe
1556	word.exe
2744	u1f4.1.exe
2744	u1f4.1.exe
2744	u1f4.1.exe
2744	u1f4.1.exe
2744	u1f4.1.exe
2744	u1f4.1.exe
2744	u1f4.1.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

wininit.exeword.exeu1f4.1.exe

pid	process
2112	wininit.exe
2112	wininit.exe
1556	word.exe
1556	word.exe
1556	word.exe
2744	u1f4.1.exe
2744	u1f4.1.exe
2744	u1f4.1.exe
2744	u1f4.1.exe
2744	u1f4.1.exe
2744	u1f4.1.exe
2744	u1f4.1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

2668 svchost.exe

pid	process
2668	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document mod.exexIPJVPDq.exeMStore.execmd.exeISetup8.exe

description	pid	process	target process
PID 2176 wrote to memory of 364	2176	New Text Document mod.exe	mQxBvlTA.exe
PID 2176 wrote to memory of 364	2176	New Text Document mod.exe	mQxBvlTA.exe
PID 2176 wrote to memory of 364	2176	New Text Document mod.exe	mQxBvlTA.exe
PID 2176 wrote to memory of 364	2176	New Text Document mod.exe	mQxBvlTA.exe
PID 2176 wrote to memory of 2952	2176	New Text Document mod.exe	xIPJVPDq.exe
PID 2176 wrote to memory of 2952	2176	New Text Document mod.exe	xIPJVPDq.exe
PID 2176 wrote to memory of 2952	2176	New Text Document mod.exe	xIPJVPDq.exe
PID 2176 wrote to memory of 2952	2176	New Text Document mod.exe	xIPJVPDq.exe
PID 2952 wrote to memory of 1080	2952	xIPJVPDq.exe	AxTdzZWL.exe
PID 2952 wrote to memory of 1080	2952	xIPJVPDq.exe	AxTdzZWL.exe
PID 2952 wrote to memory of 1080	2952	xIPJVPDq.exe	AxTdzZWL.exe
PID 2952 wrote to memory of 1080	2952	xIPJVPDq.exe	AxTdzZWL.exe
PID 2176 wrote to memory of 824	2176	New Text Document mod.exe	crypted6077866846MVYQY.exe
PID 2176 wrote to memory of 824	2176	New Text Document mod.exe	crypted6077866846MVYQY.exe
PID 2176 wrote to memory of 824	2176	New Text Document mod.exe	crypted6077866846MVYQY.exe
PID 2176 wrote to memory of 824	2176	New Text Document mod.exe	crypted6077866846MVYQY.exe
PID 2176 wrote to memory of 2092	2176	New Text Document mod.exe	i1gcbW1E.exe
PID 2176 wrote to memory of 2092	2176	New Text Document mod.exe	i1gcbW1E.exe
PID 2176 wrote to memory of 2092	2176	New Text Document mod.exe	i1gcbW1E.exe
PID 2176 wrote to memory of 1856	2176	New Text Document mod.exe	cmd.exe
PID 2176 wrote to memory of 1856	2176	New Text Document mod.exe	cmd.exe
PID 2176 wrote to memory of 1856	2176	New Text Document mod.exe	cmd.exe
PID 2176 wrote to memory of 2120	2176	New Text Document mod.exe	pclient.exe
PID 2176 wrote to memory of 2120	2176	New Text Document mod.exe	pclient.exe
PID 2176 wrote to memory of 2120	2176	New Text Document mod.exe	pclient.exe
PID 2176 wrote to memory of 3000	2176	New Text Document mod.exe	MStore.exe
PID 2176 wrote to memory of 3000	2176	New Text Document mod.exe	MStore.exe
PID 2176 wrote to memory of 3000	2176	New Text Document mod.exe	MStore.exe
PID 2176 wrote to memory of 2652	2176	New Text Document mod.exe	Props.exe
PID 2176 wrote to memory of 2652	2176	New Text Document mod.exe	Props.exe
PID 2176 wrote to memory of 2652	2176	New Text Document mod.exe	Props.exe
PID 3000 wrote to memory of 2692	3000	MStore.exe	cmd.exe
PID 3000 wrote to memory of 2692	3000	MStore.exe	cmd.exe
PID 3000 wrote to memory of 2692	3000	MStore.exe	cmd.exe
PID 2692 wrote to memory of 2240	2692	cmd.exe	powershell.exe
PID 2692 wrote to memory of 2240	2692	cmd.exe	powershell.exe
PID 2692 wrote to memory of 2240	2692	cmd.exe	powershell.exe
PID 2176 wrote to memory of 2112	2176	New Text Document mod.exe	wininit.exe
PID 2176 wrote to memory of 2112	2176	New Text Document mod.exe	wininit.exe
PID 2176 wrote to memory of 2112	2176	New Text Document mod.exe	wininit.exe
PID 2176 wrote to memory of 2112	2176	New Text Document mod.exe	wininit.exe
PID 2176 wrote to memory of 2116	2176	New Text Document mod.exe	1234.exe
PID 2176 wrote to memory of 2116	2176	New Text Document mod.exe	1234.exe
PID 2176 wrote to memory of 2116	2176	New Text Document mod.exe	1234.exe
PID 2176 wrote to memory of 2116	2176	New Text Document mod.exe	1234.exe
PID 2176 wrote to memory of 1840	2176	New Text Document mod.exe	ISetup8.exe
PID 2176 wrote to memory of 1840	2176	New Text Document mod.exe	ISetup8.exe
PID 2176 wrote to memory of 1840	2176	New Text Document mod.exe	ISetup8.exe
PID 2176 wrote to memory of 1840	2176	New Text Document mod.exe	ISetup8.exe
PID 2176 wrote to memory of 1840	2176	New Text Document mod.exe	ISetup8.exe
PID 2176 wrote to memory of 1840	2176	New Text Document mod.exe	ISetup8.exe
PID 2176 wrote to memory of 1840	2176	New Text Document mod.exe	ISetup8.exe
PID 2176 wrote to memory of 1524	2176	New Text Document mod.exe	test2.exe
PID 2176 wrote to memory of 1524	2176	New Text Document mod.exe	test2.exe
PID 2176 wrote to memory of 1524	2176	New Text Document mod.exe	test2.exe
PID 1840 wrote to memory of 3032	1840	ISetup8.exe	u1f4.0.exe
PID 1840 wrote to memory of 3032	1840	ISetup8.exe	u1f4.0.exe
PID 1840 wrote to memory of 3032	1840	ISetup8.exe	u1f4.0.exe
PID 1840 wrote to memory of 3032	1840	ISetup8.exe	u1f4.0.exe
PID 2176 wrote to memory of 2184	2176	New Text Document mod.exe	1111.exe
PID 2176 wrote to memory of 2184	2176	New Text Document mod.exe	1111.exe
PID 2176 wrote to memory of 2184	2176	New Text Document mod.exe	1111.exe
PID 2176 wrote to memory of 1844	2176	New Text Document mod.exe	ISetup2.exe
PID 2176 wrote to memory of 1844	2176	New Text Document mod.exe	ISetup2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe
"C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Users\Admin\AppData\Local\Temp\a\xIPJVPDq.exe
"C:\Users\Admin\AppData\Local\Temp\a\xIPJVPDq.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952

C:\Users\Admin\AppData\Local\Temp\AxTdzZWL.exe
"C:\Users\Admin\AppData\Local\Temp\AxTdzZWL.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe
"C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe"
2⤵
- Executes dropped EXE
PID:2092

C:\Users\Admin\AppData\Local\Temp\a\disable-defender.exe
"C:\Users\Admin\AppData\Local\Temp\a\disable-defender.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Users\Admin\AppData\Local\Temp\a\pclient.exe
"C:\Users\Admin\AppData\Local\Temp\a\pclient.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2120

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Users\Admin\AppData\Local\Temp\a\MStore.exe
"C:\Users\Admin\AppData\Local\Temp\a\MStore.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Add-MpPreference -ExclusionExtension .exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionExtension .exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Users\Admin\AppData\Local\Temp\a\Props.exe
"C:\Users\Admin\AppData\Local\Temp\a\Props.exe"
2⤵
- Executes dropped EXE
PID:2652

C:\Users\Admin\AppData\Local\Temp\a\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2112

C:\Users\Admin\AppData\Local\directory\word.exe
"C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1556

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
PID:2884

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\bhrytxhzednjbymupllxojrlhzsn"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2644

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\mjxruqstalfvleayzvyyzwlchfcoeob"
5⤵
- Accesses Microsoft Outlook accounts
PID:2484

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\odcjualuotxankwcqglacagtquuxxzzurc"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Users\Admin\AppData\Local\Temp\a\1234.exe
"C:\Users\Admin\AppData\Local\Temp\a\1234.exe"
2⤵
- Executes dropped EXE
PID:2116

C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1840

C:\Users\Admin\AppData\Local\Temp\u1f4.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1f4.0.exe"
3⤵
- Executes dropped EXE
PID:3032

C:\Users\Admin\AppData\Local\Temp\u1f4.1.exe
"C:\Users\Admin\AppData\Local\Temp\u1f4.1.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2744

C:\Users\Admin\AppData\Local\Temp\a\test2.exe
"C:\Users\Admin\AppData\Local\Temp\a\test2.exe"
2⤵
- Executes dropped EXE
PID:1524

C:\Users\Admin\AppData\Local\Temp\a\1111.exe
"C:\Users\Admin\AppData\Local\Temp\a\1111.exe"
2⤵
- Executes dropped EXE
PID:2184

C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1844

C:\Users\Admin\AppData\Local\Temp\u1f8.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1f8.0.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KJKJJEGIDB.exe"
4⤵
- Loads dropped DLL
PID:2584

C:\Users\Admin\AppData\Local\Temp\KJKJJEGIDB.exe
"C:\Users\Admin\AppData\Local\Temp\KJKJJEGIDB.exe"
5⤵
- Executes dropped EXE
PID:1864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\KJKJJEGIDB.exe
6⤵
PID:2468

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
7⤵
- Runs ping.exe
PID:2432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CBAEHCAEGD.exe"
4⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\a\Tester.exe
"C:\Users\Admin\AppData\Local\Temp\a\Tester.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Users\Admin\AppData\Local\Temp\a\555.exe
"C:\Users\Admin\AppData\Local\Temp\a\555.exe"
2⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16641142311005308690-1813521536-82253192581012721810189453597811961201115068193"
1⤵
PID:2508

C:\Windows\system32\taskeng.exe
taskeng.exe {A45F8CEF-C1F9-4E5C-820E-5C2EF1DA7F34} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]
1⤵
PID:1776

C:\Windows\svchost.exe
C:\Windows\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b7c71a848a6cdefbf672192cd46a43d8

SHA1
226eb21d0bcce72e40bcbddd573bc54cc7d6ed57

SHA256
d93ef1ed709e0b9ca250148129968d24ddda223276f35717e8e334206adf8238

SHA512
5df249fd3a08c99ff6ab11a095ec568c86ebd65da45cff2e4179bb083afccc361676fe67e1eee471c34bb561ff5776fff62be2c683d104c61def1acaafee666f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
84a05eec4b5441c3013413c8655402e9

SHA1
aab6568700ad98def053139dca413549b2ec620b

SHA256
762dda1adee819efbbdcb28beeeea42c71aa49c1914593d62c7a4328b3fa52c7

SHA512
20a208c1e653074c33b2aa24d59dfb34eadfb9ecae072b28eb1c134001de6f6b05dd6948a2849df1ae3c9788211da19f52586abf6db823de0413619792f6f7ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a253eb00833159a786ffdf7996b5bf3b

SHA1
0287556591587bb2049ef4ae5921d4f114bf0044

SHA256
ee5b859586cf07639426a8f8495ef64d2ad4a98f3655b15f7ca5349e4fbe3eb1

SHA512
46c26edff676234f726ea0598e86f3d80b94fffad51e6851c669258390fb7e744e364aa50c0ca1aad5c68077b4166138370ed38a975caa4035105574ebe07fca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2c6be9d824b3c9202dad71dd262723d0

SHA1
0ec5923a88c262d12838c48c8740b3353851a120

SHA256
bb9b3a8e51cda6fe8c7abe0193e6fe227d622ef693c062fe2b26a35f89252b86

SHA512
86dbf469d153abd63922fbe6f315b7e5886d04770d43cdde81b6fb0500d1c1e0896e2eceb85ef4e3373d1289380cc7dd1f6a49d1df9b566de14abb2104a05eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\AxTdzZWL.exe

Filesize
5KB

MD5
6a2c09749219d577535d0338c6cffe06

SHA1
576b00c03455a518664308c976097097f691bca4

SHA256
75b57c1c27f33b59ab9b62dc15a2a66b0a0b28a55bdc72119edbb98a1692573c

SHA512
cd5d2269011a79e7bcdf8dfceb78e908f8bb2b6561228a25ebe3161a6194eafb6a6d79a390215e0f1d8bf04f7a2d6f26b7c532835f1187d25fa2889a84be6e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Maianthemum

Filesize
29KB

MD5
1680954b249062aa27483ac80d9d2016

SHA1
acb196e38638fa7332a450b8ed9c127f1d56acff

SHA256
3614592179f15f4bc0cba05bac8e9dd7e545e6f623bd71b841aaa665f82b16cb

SHA512
9c94ec10f0577953a6bbc994b1339d9e414622efd07e4a61f31c5213f588d7327bd772c225a7a127736b721ec026ff836cf4167f9467dbf6df819bdec6e2ed93

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar57D7.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1234.exe

Filesize
1.3MB

MD5
5e13199a94cf8664e5bfbe2f68d4738e

SHA1
8cfaa21f68226ae775615f033507b5756f5ccacc

SHA256
71b320a5d9456acc43494213dcd1f4ae8b7f6e27a15ac80cb42df5f19f692ec5

SHA512
b7b682717cd49b9fff9885c85f1421050613559308aa7160dee7ce493d5bff126c8157727d8f88fdfd602092203c64ab0dbff718b7ce7af9f9f2ad8375d703b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe

Filesize
413KB

MD5
d388d6918f1e8a6a3b34ad993d8159eb

SHA1
cf3cd31a4dd6571cc78016c7b0f97f621b1f253d

SHA256
27d2a005efcb4da7da558eaafb6bc955a008c4beb5814d262cee38cf379f7645

SHA512
54cdbb862536ce1deffc37c5a185e85e52ea1b69bb4c8e0e9137e4d34787ad4b66b047a90b1dbe6694b1d41233e947ffa7119f08e01616f472daf3f72e35761e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe

Filesize
413KB

MD5
94e9960a45131af61e599acee54d21d6

SHA1
39b03e050337d4eb127ae5ff5f0868e986bec7ad

SHA256
7add2d9d67534037b7ae6e8d1682595f5bc45cd71f6bcc933994f53f5ff00172

SHA512
179f713f0ce01a70b176373d042538f95a1653cf364510b7f35d3d46a7fee2d295c6e24755d2a1363e5ca82494caec8252dd94bcd31c7a015ef5640636f7e81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Props.exe

Filesize
7KB

MD5
9c938f91a0530150a2b1c4546334570c

SHA1
f4ae9acba920744457739fef0205f86443dbdf65

SHA256
35a6319c334d545be1aff625c27d51d583762b44c77f172f532c27021459345a

SHA512
f5b8fa5f95011fe6677f2f751b5364745607a027e49de05d2a11a5bea5040c97b6cb4285007ee34ce05b00217dd9665065b276df21bf37f823691f57ad2a6a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Tester.exe

Filesize
267KB

MD5
0803c1aec008e75859877844cfa81492

SHA1
16924d5802ddf76a2096fcfade0ce06d4c0670bd

SHA256
d5ab98bd209db0ed18272fe616ea4b8be34fd13d36116d25793fa7aa6f8b33e3

SHA512
9001e77da2562652ae51bdb3b8b9bfe686d0ed0c4eb8d338b20b7c4eb6eb8e90a4fae01d8212b1908037d5ff456e982500e4907686c38e5c33e969d55ba914d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe

Filesize
524KB

MD5
c8edf453ed433cefb2696bb859e0f782

SHA1
e34cf939d6c5a34c7bedfd885249bb7fb15336e5

SHA256
0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0

SHA512
61d0ba50f9678d6614e4d8ab8b06d759891979e0debfda88246871ee110a07c16ceeed4e7baec475b4b63de851bc5d62c69c5ae41674ffc207b94515f6ab197c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\disable-defender.exe

Filesize
294KB

MD5
10fc8b2915c43aa16b6a2e2b4529adc5

SHA1
0c15286457963eb86d61d83642870a3473ef38fe

SHA256
feb09cc39b1520d228e9e9274500b8c229016d6fc8018a2bf19aa9d3601492c5

SHA512
421631c06408c3be522953459228d2e1d45eeeafce29dba7746c8485a105b59c3a2c0d9e2ffc6d89126cd825ffd09ebe7eb82223a69d1f5caf441feb01e57897

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe

Filesize
2.3MB

MD5
262a7eb58a01d1aab21b24292c181cd3

SHA1
535312b7048fb90be981e04ea759c5ad8aaf6eda

SHA256
107090a44888272297ecb7a715a9abca4bc17dafe6aa57505436722a5a9926a6

SHA512
358b34a792eadc739446283e42a352147aac1bad6d9a535eedabeb2427735b03e7977d25086cfa6b6e8e17df628e37d9a8cd584dd1a64d703e99a8f7af1a0e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe

Filesize
7.7MB

MD5
7aca152e7040f43dae201cfe01ce37b4

SHA1
83eb2fa2d400f96b241e61f81e4d80317eea0200

SHA256
ce602c6700032c737e7f29dc604f3b92f4a78217b5d3970e1666aab998443c50

SHA512
84415dcc06c965ef9cf159a06e492efe37e48ce7e6c55c514ef7c17c9782ee20faeed3fc18e1517711fc83a9fa337f84c0f2a45c10d85d8b3ea826c6b5c472d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe

Filesize
66KB

MD5
00135a86ab829fc2d4678179d7a6e70f

SHA1
ef75c259865d7685d566b6e25b7a20d134952555

SHA256
0b8b21af69d0b465b7b8cd584bdba1f86d062bb0c7c51656f36a66fce8e9bd89

SHA512
011389f2bc93f45b36233238a32991823c3334e3259af98e7dd6cedb455fc930d5b603f51bb69e415ab24f285309eda0b272250f1ec82a21508de0681281a0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test2.exe

Filesize
2.7MB

MD5
5347852b24409aed42423f0118637f03

SHA1
6c7947428231ab857ee8c9dab7a7e62fdeed024b

SHA256
a2e678bb376d2dcec5b7d0abac428c87cd8ae75936e28c03cb4232ae97015131

SHA512
0a52f226be962eb8187f444657317d3e0385d9d47d507e6f1c028143f57153a7b8e34ef7b0c8732bb3b3d361da483a13264f511ca5c80cedda3bc439fe936991

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe

Filesize
1.3MB

MD5
ddee86f4db0d3b8010110445b0545526

SHA1
b41380b50d17dd679f85a224771398b81966bb9e

SHA256
0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5

SHA512
4271e530a7090d58e41adc441eed6aacd6238d4e562cbab05bf273549e15a22dda668450746eda64e2435d480dc46531a29de3ba797a235a9c1a411a1f8f3710

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xIPJVPDq.exe

Filesize
13KB

MD5
0c550ce9bb3efa8c3ce80a507cadfffa

SHA1
6559cb9db9c13147da5139cc3b8d9c60b914b667

SHA256
0dc62bc58b6ae1a7971a73973731b6d3f23e8003280451b84623803c39a3f912

SHA512
c74d6f53192d2dbee74278e1d67f5f7912bc61283c5582fecbff5dcadf699f208dbb60e5cb8272d28a184bbb1209f8558517868e62afbad92fcec14c2a8a6bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\croc

Filesize
483KB

MD5
ceea497fc0601e397a9b0dba479b6ad3

SHA1
b791fd1115d9517d7e9cb9a987db2307aa900f67

SHA256
a17f87f849572c5977fa38198d6697a248424f2559aed98136834e188ac2d3f2

SHA512
702cff5d69b609e25d75545f58352aecf7ed28730c012f3a4ce6113842ebcda3308bc05e7658c27a260dec0bebaf25cad2bda1bff476aa79b2bb0ed4ad561858

Download Submit
C:\Users\Admin\AppData\Local\directory\word.exe

Filesize
104.3MB

MD5
f941bd323c0be428ae957a60a0572cec

SHA1
65b643c1fa2d44f0ccafa9ef42efb0420f9d640a

SHA256
5f84d4e3c18328df131510690c48ab9d21130ed1a1948203bee3e42e9dfb8090

SHA512
0892c9c300fa6ec8bdc59ce0ac47098acf0315209d694b2d62c40ac6d1d3044715682b22efa734fffff7ca156f2ef305cdf10d495794feffbb042c5527d44874

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C4UQ13U95QTGMDQQO1HG.temp

Filesize
7KB

MD5
1cc8163dda2daa0248de377ad44c85d1

SHA1
5cf4afb795ee7b1e06162d04c806d6c676e8432a

SHA256
3f83f27b44469568f184bcb90c3fe592a72670a1e71940f21852eac2e4c61036

SHA512
44e15b152b6e2c965f9fffc9b574dc95605e915b9bc58bd3d4241d0bd3be6e990233e658b0527720eebb00ea7e2936deb4db6fccf1f783c5456976ef231362fb

Download Submit
\Users\Admin\AppData\Local\Temp\a\1111.exe

Filesize
2.8MB

MD5
e670bdc7c82eee75a6d3ada6a7c9134e

SHA1
b0f0bab6f6e92bc86e86fd7bff93c257a4235859

SHA256
a5cf4844df86abc9222fe436dbc0726e09383a61f4708cdc1a3e8a89cc3540fb

SHA512
7384550bb19ccc11243b79d3bfc9c3f25dce84de64891e7f7eb078b246bfedcd26a958a019a3a7b4ecf5ee1c4e8c8d44790f5c958a58266e5676f3a8e58f4643

Download Submit
\Users\Admin\AppData\Local\Temp\a\555.exe

Filesize
2.7MB

MD5
7162024dc024bb3311ee1cf81f37a791

SHA1
be03705f33a8205f90330814f525e2e53dfb5871

SHA256
3e39efae22fcda501f858229af27be129f178c85723d4477ef9be2f80b61a8fd

SHA512
94652b8b770fcdd70ee5059b56ce84aee50c46901b6311e2a602cdb4d97b15abd0148ba4e55f225f722d125bf9c3969185bcefaf07f3911a4347d9a0ca8d2d38

Download Submit
\Users\Admin\AppData\Local\Temp\a\MStore.exe

Filesize
12KB

MD5
282c1ebb16ad0edc41389d1e73a74607

SHA1
fbcdda121484ea6125827ed4e7b1b00f6a88835d

SHA256
7712424f2dec2d08630237c737e5f81789d2e92edc31111c72eaa0388b6df1dc

SHA512
94be4f173c5c63947a6e7902a86c8851ee84a06d1ddec104af91592178adafc3180f652791badc3e0c1139bbc7c9f64b9e47ccd0adadd16159a40ab6c188b292

Download Submit
\Users\Admin\AppData\Local\Temp\a\pclient.exe

Filesize
157KB

MD5
5790d1417f8f00bd7ec6fb7011c79d9c

SHA1
36076ed9457c45d94e664ea291eb01e5c70d084b

SHA256
ad07503bc046f5b3d65eb61646fa826bc39560916c6e1ef2c3437b6465b30a82

SHA512
b19195510624ad16a4730282c97b68d05e4890a33d91f86f24eaf921e23e7786649e4e31aaaec2d9d6c7bb3695c615851d7aed3e53b13083e03acbc8d0543ef0

Download Submit
\Users\Admin\AppData\Local\Temp\u1f4.0.exe

Filesize
271KB

MD5
b95747cad90e982d44da8fd74f50b9a6

SHA1
d7f267d2042f6b67f63542395ff6a5a1b3ba1250

SHA256
7b4d39265da2ddc442c1bc4335c92fe527bf6b8d644d4d465f1476a97a1fb153

SHA512
615d35780262f55313ccbe31e323bb6ba9787120ce06d5236a74844736543c7551e4e227e350bf1604208095165c42564234bb2dafe575785008683ae4e5393c

Download Submit
\Users\Admin\AppData\Local\Temp\u1f4.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
memory/364-104-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-103-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-137-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-149-0x0000000076F70000-0x0000000076F72000-memory.dmp

Filesize
8KB

Download
memory/364-135-0x0000000076470000-0x00000000764B7000-memory.dmp

Filesize
284KB

Download
memory/364-222-0x0000000000040000-0x000000000115C000-memory.dmp

Filesize
17.1MB

Download
memory/364-223-0x0000000000040000-0x000000000115C000-memory.dmp

Filesize
17.1MB

Download
memory/364-125-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-124-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-123-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-112-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-304-0x0000000002F70000-0x00000000030BE000-memory.dmp

Filesize
1.3MB

Download
memory/364-111-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-311-0x0000000001590000-0x00000000015A4000-memory.dmp

Filesize
80KB

Download
memory/364-110-0x0000000076470000-0x00000000764B7000-memory.dmp

Filesize
284KB

Download
memory/364-109-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-108-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-107-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-106-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-105-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-376-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-136-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-102-0x0000000076470000-0x00000000764B7000-memory.dmp

Filesize
284KB

Download
memory/364-101-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-100-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-98-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-97-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-96-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-95-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-94-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-381-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-380-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-379-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-67-0x0000000000040000-0x000000000115C000-memory.dmp

Filesize
17.1MB

Download
memory/364-368-0x0000000000040000-0x000000000115C000-memory.dmp

Filesize
17.1MB

Download
memory/364-369-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-371-0x0000000076470000-0x00000000764B7000-memory.dmp

Filesize
284KB

Download
memory/364-370-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-377-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-378-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-375-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/364-374-0x00000000749F0000-0x0000000074B00000-memory.dmp

Filesize
1.1MB

Download
memory/824-352-0x0000000000640000-0x0000000000680000-memory.dmp

Filesize
256KB

Download
memory/824-303-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/824-231-0x0000000000220000-0x0000000000242000-memory.dmp

Filesize
136KB

Download
memory/1576-482-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-571-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-319-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/1576-489-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-487-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-601-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-411-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-415-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-428-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-599-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-436-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-439-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-441-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-596-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-444-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-453-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-455-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-457-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-592-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-459-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-468-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-476-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-478-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-480-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-579-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-333-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/1576-557-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-494-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-499-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-503-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-514-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1576-338-0x000000001AEF0000-0x000000001AF70000-memory.dmp

Filesize
512KB

Download
memory/1576-535-0x000000001BCC0000-0x000000001BF31000-memory.dmp

Filesize
2.4MB

Download
memory/1840-593-0x0000000000400000-0x0000000002D44000-memory.dmp

Filesize
41.3MB

Download
memory/2092-405-0x000000013FF50000-0x00000001401A4000-memory.dmp

Filesize
2.3MB

Download
memory/2112-373-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download
memory/2176-334-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/2176-335-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2176-0-0x0000000001160000-0x0000000001168000-memory.dmp

Filesize
32KB

Download
memory/2176-2-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/2176-1-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2176-323-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2176-336-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2240-344-0x000007FEEE1D0000-0x000007FEEEB6D000-memory.dmp

Filesize
9.6MB

Download
memory/2240-345-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2240-350-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2240-349-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2240-351-0x000007FEEE1D0000-0x000007FEEEB6D000-memory.dmp

Filesize
9.6MB

Download
memory/2240-353-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2240-372-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2240-343-0x000000001B3F0000-0x000000001B6D2000-memory.dmp

Filesize
2.9MB

Download
memory/2652-337-0x0000000140000000-0x0000000140004278-memory.dmp

Filesize
16KB

Download