ploutus | 22224274b8cae5885476e60705675edb03845d3728ab207fb0ab20dda464e66d

Analysis

max time kernel
308s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
Size

63.9MB
MD5

f49e304a05be6fb206a6ead8130ae8b6
SHA1

d9bed284d019da309ef9eb21f7dc537b12270c0a
SHA256

22224274b8cae5885476e60705675edb03845d3728ab207fb0ab20dda464e66d
SHA512

66b776a7cc9b3fa08388e4f6b8505451eae1ac197804a68f09d1637d5c029e61d144cff0fbe834203851fcb83011e20fbe2e66c1613de424cc70ed5d1589d3bf
SSDEEP

786432:exS05J4yh46IoWZXoCysKIeHtQj5KYS3WP:eD5JUXoCysKIPQYS3WP

Score

10^/10

ploutus atm backdoor spyware stealer

Malware Config

Signatures

Detected Ploutus loader 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023537-66.dat	family_ploutus
behavioral2/files/0x0009000000023536-123.dat	family_ploutus

Ploutus
Ploutus is an ATM malware written in C#.
backdoor atm ploutus

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002353e-8.dat	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables manipulated with Fody 4 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023537-66.dat	INDICATOR_EXE_Packed_Fody
behavioral2/memory/1984-87-0x0000028078620000-0x0000028078A5A000-memory.dmp	INDICATOR_EXE_Packed_Fody
behavioral2/files/0x0009000000023536-123.dat	INDICATOR_EXE_Packed_Fody
behavioral2/memory/1108-125-0x000001CFEF390000-0x000001CFEF83E000-memory.dmp	INDICATOR_EXE_Packed_Fody

Nirsoft 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002353e-8.dat	Nirsoft

Executes dropped EXE 6 IoCs

pid	Process
3896	tmp73100209.exe
3772	tmp3656198399.exe
1984	tmp3152572647.exe
1108	LECmd.exe
4220	tmp1856491138.exe
1596	tmp3766736782.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	LECmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	tmp3152572647.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tmp3152572647.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tmp3152572647.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tmp3152572647.exe
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	LECmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	tmp3152572647.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tmp3152572647.exe
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	tmp3152572647.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
3772	tmp3656198399.exe
3772	tmp3656198399.exe
3896	tmp73100209.exe
3896	tmp73100209.exe
3772	tmp3656198399.exe
3772	tmp3656198399.exe
3896	tmp73100209.exe
3896	tmp73100209.exe
3896	tmp73100209.exe
3772	tmp3656198399.exe
3896	tmp73100209.exe
3772	tmp3656198399.exe
3896	tmp73100209.exe
3896	tmp73100209.exe
3772	tmp3656198399.exe
3772	tmp3656198399.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4220	tmp1856491138.exe
4220	tmp1856491138.exe
4220	tmp1856491138.exe
4220	tmp1856491138.exe
4220	tmp1856491138.exe
4220	tmp1856491138.exe
4220	tmp1856491138.exe
4220	tmp1856491138.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
1596	tmp3766736782.exe
1596	tmp3766736782.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
Token: SeBackupPrivilege	2404	vssvc.exe
Token: SeRestorePrivilege	2404	vssvc.exe
Token: SeAuditPrivilege	2404	vssvc.exe
Token: SeDebugPrivilege	1108	LECmd.exe
Token: SeDebugPrivilege	1984	tmp3152572647.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 3772	4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	95
PID 4584 wrote to memory of 3772	4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	95
PID 4584 wrote to memory of 3896	4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	96
PID 4584 wrote to memory of 3896	4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	96
PID 4584 wrote to memory of 1984	4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	103
PID 4584 wrote to memory of 1984	4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	103
PID 4584 wrote to memory of 1108	4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	104
PID 4584 wrote to memory of 1108	4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	104
PID 4584 wrote to memory of 4220	4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	105
PID 4584 wrote to memory of 4220	4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	105
PID 4584 wrote to memory of 1596	4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	106
PID 4584 wrote to memory of 1596	4584	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\tmp3656198399.exe
  C:\Users\Admin\AppData\Local\Temp\tmp3656198399.exe /VisitTimeFilterType 1 /HistorySource 1 /LoadIE 1 /LoadFirefox 1 /LoadChrome 1 /LoadSafari 1 /scomma C:\Users\Admin\AppData\Local\Temp\tmp1563242077.csv /SaveDirect
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3772
- C:\Users\Admin\AppData\Local\Temp\tmp73100209.exe
  C:\Users\Admin\AppData\Local\Temp\tmp73100209.exe /VisitTimeFilterType 1 /HistorySource 1 /LoadIE 1 /LoadFirefox 1 /LoadChrome 1 /LoadSafari 1 /scomma C:\Users\Admin\AppData\Local\Temp\tmp3994241598.csv /SaveDirect
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3896
- C:\Users\Admin\AppData\Local\Temp\tmp3152572647.exe
  C:\Users\Admin\AppData\Local\Temp\tmp3152572647.exe -d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations --csv C:\Users\Admin\AppData\Local\Temp\tmp632599451 -q
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Users\Admin\AppData\Local\Temp\tmp4146193937\LECmd.exe
  C:\Users\Admin\AppData\Local\Temp\tmp4146193937\LECmd.exe -d c:/ --csv C:\Users\Admin\AppData\Local\Temp\tmp4146193937lecmd --csvf results.csv
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Users\Admin\AppData\Local\Temp\tmp1856491138.exe
  C:\Users\Admin\AppData\Local\Temp\tmp1856491138.exe /VisitTimeFilterType 1 /HistorySource 1 /LoadIE 1 /LoadFirefox 1 /LoadChrome 1 /LoadSafari 1 /scomma C:\Users\Admin\AppData\Local\Temp\tmp1178762801.csv /SaveDirect
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4220
- C:\Users\Admin\AppData\Local\Temp\tmp3766736782.exe
  C:\Users\Admin\AppData\Local\Temp\tmp3766736782.exe /VisitTimeFilterType 1 /HistorySource 1 /LoadIE 1 /LoadFirefox 1 /LoadChrome 1 /LoadSafari 1 /scomma C:\Users\Admin\AppData\Local\Temp\tmp694609405.csv /SaveDirect
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD

Filesize
1KB

MD5
285ec909c4ab0d2d57f5086b225799aa

SHA1
d89e3bd43d5d909b47a18977aa9d5ce36cee184c

SHA256
68b9c761219a5b1f0131784474665db61bbdb109e00f05ca9f74244ee5f5f52b

SHA512
4cf305b95f94c7a9504c53c7f2dc8068e647a326d95976b7f4d80433b2284506fc5e3bb9a80a4e9a9889540bbf92908dd39ee4eb25f2566fe9ab37b4dc9a7c09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD

Filesize
306B

MD5
d875ba85f328d2a7c8215953387f5979

SHA1
fc59ca3b939fbcdc1a8f1c175060b282dfcba76e

SHA256
bdd834b1356727a480fe87c7cb4d7158a518785eeaadc71328cde5037b8d234d

SHA512
97d5d7c4c553819e02418278497af4b8834d4da0a7d43256b0b398883c74af0ff45d4ceb667d3a6d3a86c8efe8f1c72d9b5d5c458f1eedb0d01b4485faa8e249

Download Submit
C:\Users\Admin\AppData\Local\Temp\chiCA3E.tmp

Filesize
192KB

MD5
8ccb6c13863fb6e99ed9a29a95f273fe

SHA1
b809aadcbd64fc29edb0cf27fb223784563a911f

SHA256
6b5e07d7137e1d3bee13888a7e8c81fae36ef046c9c7ba074e5fef67e6a594b4

SHA512
635bd5e4a1f9c0bf4dd331912f47d65de52496ae4e8fd8de84fac2008064c5c07b60fc33dd318cdf091ad9de2d14a0ff326a95d14f8084f0e5abbcaa98c7f0bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqpCA4F.tmp

Filesize
5.0MB

MD5
a1148298fcd4d96c022941c6e9b173c6

SHA1
3ca7bfdf95ddb0a76b50c21e2d39b896a73296ca

SHA256
4445ac98128a170e6eea80a1d3dd79f5a66a52c3e208ed40e2a376fe0f82ca4d

SHA512
288241604eec8e217472df225c32a1a94e9940b392aaf52bfe98e91dc6a05b9a6d6b16f1931d026b39a20e4a78f38cefd5e2e4cbd61536ca93343e466cc1e68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1740978822

Filesize
5B

MD5
c146a7a9edbe218b6ed3bcb62ec4ad24

SHA1
2808ac9ccb1acdcf5aff036d0f71f86fd51d13e9

SHA256
f067985d352d2da6dfaef4844a66d06c5371ecbd9530a4d195ac599fef8b3427

SHA512
4f275042bf4bd0401f7a6b3e89f69818958ce8ef5fee2fc5bb9152c232479cdd9ed471d09099ec3dd20f321c5dbbbdcd8f920783edc68eace705fdd2dd10463a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3152572647.exe

Filesize
4.2MB

MD5
030360a2cdbba7df39a7c2698b78ff73

SHA1
0f36bdec0a6603a53107065614182e6f44e3e7d3

SHA256
30d2e6dd472d5c55047852b6302b29d070d0da301d11990e5ba57f46bd69edfd

SHA512
143d294624a25a7a39784b788b6ce4c3367eb774140043c68ca35a9ce96d74cec44191a5ab3df94a3c95406e2639c61fa892625bf68bf58f0a89b0fdbc561c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3656198399.exe

Filesize
975KB

MD5
cc6fe70941a288634532ee999f133f33

SHA1
62de5dd97e2aafe521c8463287b08e5bf8c54def

SHA256
c50d3f139bc7ed05fb0f5e25671ec0268b577d5930f27964291cc8747970f2c3

SHA512
1fe494fe8fb10ea792c96b2dcce3e6339a082fbf2897a88c663cf937bf47c0e6ecab42311b7535ed41f81ea840bf4107f666f3b39f7df97a70e05a3dcc572aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3994241598.csv

Filesize
2KB

MD5
d43502cdceee07c054a447419501b1eb

SHA1
b5d3a03056e81655fdd59b6f0d6363baf242efec

SHA256
7a03a0c7a813c39983f3c516535aa7e26b67445d10f068de97f22a3d7e246ae9

SHA512
e835e646fa55b1bde09f0324deda4e8934ca99dd7c4343023f5e283d62b81c96d473a100beee7997ef656f926a0bf6a1513e21ac6a1f6d2ffc0eeb78a056a954

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4146193937\LECmd.exe

Filesize
4.7MB

MD5
10e26753f3e1b6d9bc43d48776da1672

SHA1
fee7dbfcd10f3a78e4a6322a3c8a4cec2a2cfc7c

SHA256
94bc3f3cfb747e74147209d9e63c4b50cdbb141b4901fa95fcd30cac3764c91e

SHA512
523510dc92ffa11885874a4234bf245ef6d5d5f6596a7bac4eb6b1c3ab74e2de63cdf7719cdda2f84faa90c4d6fcda11b47478f7e503c8226f65949334c3b350

Download Submit
memory/1108-202-0x000001CFF2CD0000-0x000001CFF2D7A000-memory.dmp

Filesize
680KB

Download
memory/1108-132-0x000001CFF1470000-0x000001CFF14AC000-memory.dmp

Filesize
240KB

Download
memory/1108-262-0x000001CFF1D90000-0x000001CFF1DA0000-memory.dmp

Filesize
64KB

Download
memory/1108-234-0x00007FFDA92A0000-0x00007FFDA9D61000-memory.dmp

Filesize
10.8MB

Download
memory/1108-214-0x000001CFF2DA0000-0x000001CFF2DA8000-memory.dmp

Filesize
32KB

Download
memory/1108-201-0x000001CFF2B40000-0x000001CFF2B50000-memory.dmp

Filesize
64KB

Download
memory/1108-200-0x000001CFF2CA0000-0x000001CFF2CD6000-memory.dmp

Filesize
216KB

Download
memory/1108-197-0x000001CFF2B20000-0x000001CFF2B3E000-memory.dmp

Filesize
120KB

Download
memory/1108-194-0x000001CFF2B50000-0x000001CFF2B58000-memory.dmp

Filesize
32KB

Download
memory/1108-184-0x000001CFF2AF0000-0x000001CFF2B16000-memory.dmp

Filesize
152KB

Download
memory/1108-174-0x000001CFF1D70000-0x000001CFF1D78000-memory.dmp

Filesize
32KB

Download
memory/1108-136-0x000001CFF1450000-0x000001CFF1460000-memory.dmp

Filesize
64KB

Download
memory/1108-135-0x000001CFF1CC0000-0x000001CFF1D22000-memory.dmp

Filesize
392KB

Download
memory/1108-125-0x000001CFEF390000-0x000001CFEF83E000-memory.dmp

Filesize
4.7MB

Download
memory/1108-128-0x00007FFDA92A0000-0x00007FFDA9D61000-memory.dmp

Filesize
10.8MB

Download
memory/1108-127-0x000001CFF1400000-0x000001CFF1428000-memory.dmp

Filesize
160KB

Download
memory/1108-131-0x000001CFF1EA0000-0x000001CFF1FA0000-memory.dmp

Filesize
1024KB

Download
memory/1108-130-0x000001CFF1D90000-0x000001CFF1DA0000-memory.dmp

Filesize
64KB

Download
memory/1984-212-0x000002807BCB0000-0x000002807BCE0000-memory.dmp

Filesize
192KB

Download
memory/1984-228-0x00007FFDA92A0000-0x00007FFDA9D61000-memory.dmp

Filesize
10.8MB

Download
memory/1984-129-0x000002807B170000-0x000002807B26A000-memory.dmp

Filesize
1000KB

Download
memory/1984-134-0x000002807B030000-0x000002807B04E000-memory.dmp

Filesize
120KB

Download
memory/1984-126-0x000002807A7E0000-0x000002807A840000-memory.dmp

Filesize
384KB

Download
memory/1984-87-0x0000028078620000-0x0000028078A5A000-memory.dmp

Filesize
4.2MB

Download
memory/1984-121-0x0000028078E50000-0x0000028078E6A000-memory.dmp

Filesize
104KB

Download
memory/1984-257-0x000002807BCE0000-0x000002807BCEC000-memory.dmp

Filesize
48KB

Download
memory/1984-106-0x0000028078E00000-0x0000028078E12000-memory.dmp

Filesize
72KB

Download
memory/1984-229-0x0000028078E40000-0x0000028078E50000-memory.dmp

Filesize
64KB

Download
memory/1984-133-0x000002807B270000-0x000002807B34C000-memory.dmp

Filesize
880KB

Download
memory/1984-215-0x000002807BD10000-0x000002807BD32000-memory.dmp

Filesize
136KB

Download
memory/1984-118-0x0000028078E40000-0x0000028078E50000-memory.dmp

Filesize
64KB

Download
memory/1984-195-0x000002807BC20000-0x000002807BC2A000-memory.dmp

Filesize
40KB

Download
memory/1984-107-0x0000028078E10000-0x0000028078E24000-memory.dmp

Filesize
80KB

Download
memory/1984-198-0x000002807BC40000-0x000002807BC76000-memory.dmp

Filesize
216KB

Download
memory/1984-213-0x000002807BFA0000-0x000002807C036000-memory.dmp

Filesize
600KB

Download
memory/1984-109-0x00007FFDA92A0000-0x00007FFDA9D61000-memory.dmp

Filesize
10.8MB

Download
memory/1984-199-0x000002807BC80000-0x000002807BC90000-memory.dmp

Filesize
64KB

Download
memory/4584-120-0x00007FF7876B0000-0x00007FF78AEAF000-memory.dmp

Filesize
56.0MB

Download
memory/4584-157-0x00007FF7876B0000-0x00007FF78AEAF000-memory.dmp

Filesize
56.0MB

Download
memory/4584-110-0x00007FF7876B0000-0x00007FF78AEAF000-memory.dmp

Filesize
56.0MB

Download
memory/4584-117-0x00007FF7876B0000-0x00007FF78AEAF000-memory.dmp

Filesize
56.0MB

Download
memory/4584-119-0x00007FF7876B0000-0x00007FF78AEAF000-memory.dmp

Filesize
56.0MB

Download
memory/4584-227-0x00007FF7876B0000-0x00007FF78AEAF000-memory.dmp

Filesize
56.0MB

Download
memory/4584-34-0x00007FF7876B0000-0x00007FF78AEAF000-memory.dmp

Filesize
56.0MB

Download
memory/4584-4-0x00007FF7876B0000-0x00007FF78AEAF000-memory.dmp

Filesize
56.0MB

Download
memory/4584-68-0x00007FF7876B0000-0x00007FF78AEAF000-memory.dmp

Filesize
56.0MB

Download
memory/4584-235-0x00007FF7876B0000-0x00007FF78AEAF000-memory.dmp

Filesize
56.0MB

Download
memory/4584-12-0x00007FF7876B0000-0x00007FF78AEAF000-memory.dmp

Filesize
56.0MB

Download
memory/4584-11-0x00007FF7876B0000-0x00007FF78AEAF000-memory.dmp

Filesize
56.0MB

Download
memory/4584-13-0x00007FF7876B0000-0x00007FF78AEAF000-memory.dmp

Filesize
56.0MB

Download
memory/4584-35-0x00007FF7876B0000-0x00007FF78AEAF000-memory.dmp

Filesize
56.0MB

Download