makop | c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

moloch.exe
Size

262KB
MD5

53e7b9e873404afdd22cdeba41b4e1c9
SHA1

18b1a19f826e9d48d5776f6e3c279547f3ff517d
SHA256

c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec
SHA512

ccc0af85ea847c45d11e213030e6b3224503c22fe70519049095b1d84cbf61e50c72ab370a03e456338127b52d462826248a6413706ab900afac16adf1deb9dd
SSDEEP

3072:Bf1BDZ0kVB67Duw9AMc+7SCbnri3yYavcXri3tXpgI:B9X0G0S8W3Zavc7i3tXpJ

Score

10^/10

makop defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "moloch" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] or [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

[email protected]

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (8239) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1668	wbadmin.exe

Loads dropped DLL 5 IoCs

pid	Process
2784	moloch.exe
2520	moloch.exe
2196	moloch.exe
968	moloch.exe
980	moloch.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\moloch.exe\""	moloch.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	moloch.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	iplogger.org
5	iplogger.org

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2784 set thread context of 2572	2784	moloch.exe	28
PID 2520 set thread context of 1916	2520	moloch.exe	42
PID 2196 set thread context of 1196	2196	moloch.exe	48
PID 968 set thread context of 1656	968	moloch.exe	50
PID 980 set thread context of 1680	980	moloch.exe	53

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar	moloch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\localizedStrings.js	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301050.WMF	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGNS.ICO	moloch.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	moloch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\TAB_OFF.GIF	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\INDOMAIN.ICO	moloch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\settings.css	moloch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar	moloch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00021_.WMF	moloch.exe
File created	C:\Program Files\7-Zip\Lang\readme-warning.txt	moloch.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf	moloch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\settings.html	moloch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp.[B50C9273].[[email protected]].moloch	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginLetter.Dotx	moloch.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Juan	moloch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous_partly-cloudy.png	moloch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf.[B50C9273].[[email protected]].moloch	moloch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp.[B50C9273].[[email protected]].moloch	moloch.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\CONCRETE.INF	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00485_.WMF	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21480_.GIF	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTS.ICO	moloch.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Warsaw	moloch.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\wmpnssui.dll.mui	moloch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png	moloch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-ui.jar	moloch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01130_.WMF	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL103.XML	moloch.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MSTTSLoc.dll.mui	moloch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21328_.GIF	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\BUTTON.GIF	moloch.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui	moloch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287018.WMF	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hardware Tracker.fdt	moloch.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui	moloch.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw120.jpg	moloch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\weather.html	moloch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chuuk	moloch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_ja.jar	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00077_.WMF	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BREAK.JPG	moloch.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\WMM2CLIP.dll.mui	moloch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\full.png	moloch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png	moloch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png	moloch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml	moloch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar	moloch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\localizedStrings.js	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00361_.WMF	moloch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png	moloch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195254.WMF	moloch.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\WMPMediaSharing.dll.mui	moloch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_pressed.png	moloch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mouseout.png	moloch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mspub.exe.manifest	moloch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Brisbane	moloch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2636	vssadmin.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	moloch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	moloch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	moloch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	moloch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	moloch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	moloch.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2572	moloch.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2784	moloch.exe
2520	moloch.exe
2196	moloch.exe
968	moloch.exe
980	moloch.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeBackupPrivilege	1720	vssvc.exe
Token: SeRestorePrivilege	1720	vssvc.exe
Token: SeAuditPrivilege	1720	vssvc.exe
Token: SeBackupPrivilege	2668	wbengine.exe
Token: SeRestorePrivilege	2668	wbengine.exe
Token: SeSecurityPrivilege	2668	wbengine.exe
Token: SeIncreaseQuotaPrivilege	2288	WMIC.exe
Token: SeSecurityPrivilege	2288	WMIC.exe
Token: SeTakeOwnershipPrivilege	2288	WMIC.exe
Token: SeLoadDriverPrivilege	2288	WMIC.exe
Token: SeSystemProfilePrivilege	2288	WMIC.exe
Token: SeSystemtimePrivilege	2288	WMIC.exe
Token: SeProfSingleProcessPrivilege	2288	WMIC.exe
Token: SeIncBasePriorityPrivilege	2288	WMIC.exe
Token: SeCreatePagefilePrivilege	2288	WMIC.exe
Token: SeBackupPrivilege	2288	WMIC.exe
Token: SeRestorePrivilege	2288	WMIC.exe
Token: SeShutdownPrivilege	2288	WMIC.exe
Token: SeDebugPrivilege	2288	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2288	WMIC.exe
Token: SeRemoteShutdownPrivilege	2288	WMIC.exe
Token: SeUndockPrivilege	2288	WMIC.exe
Token: SeManageVolumePrivilege	2288	WMIC.exe
Token: 33	2288	WMIC.exe
Token: 34	2288	WMIC.exe
Token: 35	2288	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2288	WMIC.exe
Token: SeSecurityPrivilege	2288	WMIC.exe
Token: SeTakeOwnershipPrivilege	2288	WMIC.exe
Token: SeLoadDriverPrivilege	2288	WMIC.exe
Token: SeSystemProfilePrivilege	2288	WMIC.exe
Token: SeSystemtimePrivilege	2288	WMIC.exe
Token: SeProfSingleProcessPrivilege	2288	WMIC.exe
Token: SeIncBasePriorityPrivilege	2288	WMIC.exe
Token: SeCreatePagefilePrivilege	2288	WMIC.exe
Token: SeBackupPrivilege	2288	WMIC.exe
Token: SeRestorePrivilege	2288	WMIC.exe
Token: SeShutdownPrivilege	2288	WMIC.exe
Token: SeDebugPrivilege	2288	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2288	WMIC.exe
Token: SeRemoteShutdownPrivilege	2288	WMIC.exe
Token: SeUndockPrivilege	2288	WMIC.exe
Token: SeManageVolumePrivilege	2288	WMIC.exe
Token: 33	2288	WMIC.exe
Token: 34	2288	WMIC.exe
Token: 35	2288	WMIC.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2572	2784	moloch.exe	28
PID 2784 wrote to memory of 2572	2784	moloch.exe	28
PID 2784 wrote to memory of 2572	2784	moloch.exe	28
PID 2784 wrote to memory of 2572	2784	moloch.exe	28
PID 2784 wrote to memory of 2572	2784	moloch.exe	28
PID 2572 wrote to memory of 2508	2572	moloch.exe	30
PID 2572 wrote to memory of 2508	2572	moloch.exe	30
PID 2572 wrote to memory of 2508	2572	moloch.exe	30
PID 2572 wrote to memory of 2508	2572	moloch.exe	30
PID 2508 wrote to memory of 2636	2508	cmd.exe	32
PID 2508 wrote to memory of 2636	2508	cmd.exe	32
PID 2508 wrote to memory of 2636	2508	cmd.exe	32
PID 2508 wrote to memory of 1668	2508	cmd.exe	35
PID 2508 wrote to memory of 1668	2508	cmd.exe	35
PID 2508 wrote to memory of 1668	2508	cmd.exe	35
PID 2508 wrote to memory of 2288	2508	cmd.exe	39
PID 2508 wrote to memory of 2288	2508	cmd.exe	39
PID 2508 wrote to memory of 2288	2508	cmd.exe	39
PID 2520 wrote to memory of 1916	2520	moloch.exe	42
PID 2520 wrote to memory of 1916	2520	moloch.exe	42
PID 2520 wrote to memory of 1916	2520	moloch.exe	42
PID 2520 wrote to memory of 1916	2520	moloch.exe	42
PID 2520 wrote to memory of 1916	2520	moloch.exe	42
PID 2196 wrote to memory of 1196	2196	moloch.exe	48
PID 2196 wrote to memory of 1196	2196	moloch.exe	48
PID 2196 wrote to memory of 1196	2196	moloch.exe	48
PID 2196 wrote to memory of 1196	2196	moloch.exe	48
PID 2196 wrote to memory of 1196	2196	moloch.exe	48
PID 968 wrote to memory of 1656	968	moloch.exe	50
PID 968 wrote to memory of 1656	968	moloch.exe	50
PID 968 wrote to memory of 1656	968	moloch.exe	50
PID 968 wrote to memory of 1656	968	moloch.exe	50
PID 968 wrote to memory of 1656	968	moloch.exe	50
PID 980 wrote to memory of 1680	980	moloch.exe	53
PID 980 wrote to memory of 1680	980	moloch.exe	53
PID 980 wrote to memory of 1680	980	moloch.exe	53
PID 980 wrote to memory of 1680	980	moloch.exe	53
PID 980 wrote to memory of 1680	980	moloch.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\moloch.exe
"C:\Users\Admin\AppData\Local\Temp\moloch.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Temp\moloch.exe
  "C:\Users\Admin\AppData\Local\Temp\moloch.exe"
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\moloch.exe
    "C:\Users\Admin\AppData\Local\Temp\moloch.exe" n2572
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\moloch.exe
      "C:\Users\Admin\AppData\Local\Temp\moloch.exe" n2572
      4⤵
      PID:1916
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2636
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:1668
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2288
- - C:\Users\Admin\AppData\Local\Temp\moloch.exe
    "C:\Users\Admin\AppData\Local\Temp\moloch.exe" n2572
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\moloch.exe
      "C:\Users\Admin\AppData\Local\Temp\moloch.exe" n2572
      4⤵
      PID:1196
- - C:\Users\Admin\AppData\Local\Temp\moloch.exe
    "C:\Users\Admin\AppData\Local\Temp\moloch.exe" n2572
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\moloch.exe
      "C:\Users\Admin\AppData\Local\Temp\moloch.exe" n2572
      4⤵
      PID:1656
- - C:\Users\Admin\AppData\Local\Temp\moloch.exe
    "C:\Users\Admin\AppData\Local\Temp\moloch.exe" n2572
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Users\Admin\AppData\Local\Temp\moloch.exe
      "C:\Users\Admin\AppData\Local\Temp\moloch.exe" n2572
      4⤵
      PID:1680
- - C:\Users\Admin\AppData\Local\Temp\moloch.exe
    "C:\Users\Admin\AppData\Local\Temp\moloch.exe" n2572
    3⤵
    PID:2272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2456

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4cf77f03f3b9a3e914927777a2863ab

SHA1
7a2b55cc322edee7ae36f9c4b24ad4ff4fb10d35

SHA256
144740babd5aacbacc7875307fc1d7c6f6a2cf0d92ff53e5383ebb5afb90f987

SHA512
23689dc6aa4f075a279ad46f13fb1712b21c05cdeff786486347ef02b5f833a177d1b270860e4366e5a9e5b8e8e02e42aedba258f161f2cff4db389dd8b82662

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7C91.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7DB1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\readme-warning.txt

Filesize
1KB

MD5
6b6bdda0b9ce4a9ee6bef7af0d910204

SHA1
5c5db80f0b4597d15ec016d02ac4d8c06af79a15

SHA256
0d7e86892a083dd154d7855c587a5425eb01b1af23dc399c1f08659694712e62

SHA512
8c6f5f1be7f926ff60773b8227b41221f5d4a3a376543c15e12c297f59bd9eb56256cb01fe9140036baad5e7874f94ce62aba51347295afd725caf8235172deb

Download Submit
C:\Users\Admin\AppData\Roaming\827763568

Filesize
59KB

MD5
bc251d6a9f3408d4a2ff3add1d27ad3d

SHA1
99091c8e7a4ce7df879e157ddfba12d60095b1a9

SHA256
6e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31

SHA512
23b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995

Download Submit
C:\Users\Admin\AppData\Roaming\827763568

Filesize
59KB

MD5
7f75d27f43fb0dcef2096b6af22f2471

SHA1
08ee426272028e5a7546e0b4a4f9636e09c212c8

SHA256
db70ab6a58e62fa6b9ee2d0b2b4fc25597c9463aee319c19bf364e2eeacf03bb

SHA512
8bfdba71d10cfa96dd961a36209d22591f90f4c9c9ce2a57ad33ee96040e0bf15d0ed498c77d0c026b709ff62698745efd84c68e8657765d44cad351a35b1b5b

Download Submit
C:\Users\Admin\AppData\Roaming\827763568

Filesize
59KB

MD5
c1adbb3e0fdc8d22f7b186b89885bd07

SHA1
e453afb74124943b6c23d116a91f801cbb387e7d

SHA256
e2e28d98d90c326a6cc253a62da70646b373b8d194b11182ab14084624109d9f

SHA512
dbd1b12683d87007c10923c5d06db8c6b4fadc3b658c19de6473785fe9f81444f786a3fe6d5dbbcfc28d26075653bf4e627eefe15085483e95aabb5a1fdd48ca

Download Submit
C:\Users\Admin\AppData\Roaming\827763568

Filesize
31KB

MD5
98010eeae5e657bb4d51b67d886318f8

SHA1
0dbd04eb38635fa17158fcfb972c7169f264a3e5

SHA256
ffa73b855a4f5157560daabcfeac884fbfb1de6df5b7a328360930dc1faa6bdd

SHA512
9ffac3918976bb25da581f4d71b2dd6426f294ec7c87d6d51b5817ad6a4c73e3b03767a6b1faa4489a1fa18fbb4e33781d984c679ba8c945484eb5ebed850c5f

Download Submit
C:\Users\Admin\AppData\Roaming\827763568

Filesize
59KB

MD5
1e198272942edfb4bc571d620ad2872c

SHA1
264a4fa54cc743e903ffba856d1e1b3b9c17cff9

SHA256
02abe063b664e12ac4f4f086e5730b5e7bf081c9ed153870ace6bb7eb364a3be

SHA512
16ff14d9eb72f1842b8ada268fc091da95fd38c2de7f22e3dda6e2c23bc48759a87f07e52970aeb5375231e545fa4d652e7c9add0cdcb2fe21b98e97cf7faeae

Download Submit
\Users\Admin\AppData\Local\Temp\nsi12A7.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/1196-17564-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1196-17563-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1196-17562-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1656-17623-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1656-17622-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1656-17621-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1916-6829-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1916-5483-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1916-6832-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2572-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2572-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2572-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2572-93-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2572-17431-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2572-8889-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2572-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download