b1bcc54ef15f91d9291357eca02862174bd6158e95813eff1ab0c16ba48ff10e

Analysis

max time kernel
15s
max time network
38s
platform
windows10_x64
resource
win10
submitted
24-07-2020 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a63e7d371dd69c5625f5b48da426c14.exe
Size

43KB
MD5

5a63e7d371dd69c5625f5b48da426c14
SHA1

63a5bd8b7ed922ad5fe498d2a15a57d1d552055a
SHA256

b1bcc54ef15f91d9291357eca02862174bd6158e95813eff1ab0c16ba48ff10e
SHA512

a228061433052e64965ee9cdd678bbe2fa18c88b214642176437504b107c97f68912b1760f15b1e56a7bc9d5ac14ddd1bb2dcfdf27958e88e1a5f0db6cfbc767

Score

9^/10

ransomware persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

5a63e7d371dd69c5625f5b48da426c14.exe

pid	process
3068	5a63e7d371dd69c5625f5b48da426c14.exe
3068	5a63e7d371dd69c5625f5b48da426c14.exe
3068	5a63e7d371dd69c5625f5b48da426c14.exe
3068	5a63e7d371dd69c5625f5b48da426c14.exe
3068	5a63e7d371dd69c5625f5b48da426c14.exe
3068	5a63e7d371dd69c5625f5b48da426c14.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Kills process with taskkill 87 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1104	taskkill.exe
1508	taskkill.exe
2940	taskkill.exe
2540	taskkill.exe
488	taskkill.exe
3004	taskkill.exe
3856	taskkill.exe
488	taskkill.exe
1788	taskkill.exe
1780	taskkill.exe
840	taskkill.exe
1040	taskkill.exe
3004	taskkill.exe
3200	taskkill.exe
3908	taskkill.exe
3144	taskkill.exe
3796	taskkill.exe
1224	taskkill.exe
488	taskkill.exe
2940	taskkill.exe
2092	taskkill.exe
2684	taskkill.exe
3500	taskkill.exe
2916	taskkill.exe
3892	taskkill.exe
1496	taskkill.exe
1324	taskkill.exe
412	taskkill.exe
424	taskkill.exe
540	taskkill.exe
1324	taskkill.exe
2940	taskkill.exe
3908	taskkill.exe
3520	taskkill.exe
2684	taskkill.exe
408	taskkill.exe
840	taskkill.exe
3892	taskkill.exe
500	taskkill.exe
424	taskkill.exe
1040	taskkill.exe
2540	taskkill.exe
3088	taskkill.exe
1792	taskkill.exe
3768	taskkill.exe
1216	taskkill.exe
3892	taskkill.exe
896	taskkill.exe
2152	taskkill.exe
1156	taskkill.exe
3856	taskkill.exe
2192	taskkill.exe
3032	taskkill.exe
416	taskkill.exe
488	taskkill.exe
3872	taskkill.exe
3976	taskkill.exe
1796	taskkill.exe
1304	taskkill.exe
2192	taskkill.exe
1780	taskkill.exe
2180	taskkill.exe
3792	taskkill.exe
692	taskkill.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3768 vssadmin.exe

pid	process
3768	vssadmin.exe

NTFS ADS 5 IoCs

Processes:

5a63e7d371dd69c5625f5b48da426c14.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:yxwmizcdnycyvuyea	5a63e7d371dd69c5625f5b48da426c14.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:jrzuzotpboxvv	5a63e7d371dd69c5625f5b48da426c14.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\boot.sys:ndhvvygzw	5a63e7d371dd69c5625f5b48da426c14.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:yapcqiqpbyseursy	5a63e7d371dd69c5625f5b48da426c14.exe
File created	C:\Users\Admin\AppData\Local\Temp\boot.sys:ndhvvygzw	5a63e7d371dd69c5625f5b48da426c14.exe

Suspicious use of WriteProcessMemory 549 IoCs

Processes:

5a63e7d371dd69c5625f5b48da426c14.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3068 wrote to memory of 3312	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 3312	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 3312	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3312 wrote to memory of 3956	3312	cmd.exe	WMIC.exe
PID 3312 wrote to memory of 3956	3312	cmd.exe	WMIC.exe
PID 3312 wrote to memory of 3956	3312	cmd.exe	WMIC.exe
PID 3068 wrote to memory of 2644	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 2644	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 2644	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 3284	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 3284	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 3284	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 3940	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 3940	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 3940	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 1564	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 1564	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 1564	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 3688	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 3688	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 3688	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3688 wrote to memory of 3768	3688	cmd.exe	vssadmin.exe
PID 3688 wrote to memory of 3768	3688	cmd.exe	vssadmin.exe
PID 3688 wrote to memory of 3768	3688	cmd.exe	vssadmin.exe
PID 3068 wrote to memory of 3856	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 3856	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 3856	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 504	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 504	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 504	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 504 wrote to memory of 3520	504	cmd.exe	taskkill.exe
PID 504 wrote to memory of 3520	504	cmd.exe	taskkill.exe
PID 504 wrote to memory of 3520	504	cmd.exe	taskkill.exe
PID 3068 wrote to memory of 2916	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 2916	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 2916	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 2916 wrote to memory of 3872	2916	cmd.exe	taskkill.exe
PID 2916 wrote to memory of 3872	2916	cmd.exe	taskkill.exe
PID 2916 wrote to memory of 3872	2916	cmd.exe	taskkill.exe
PID 3068 wrote to memory of 2340	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 2340	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 2340	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 2340 wrote to memory of 3904	2340	cmd.exe	taskkill.exe
PID 2340 wrote to memory of 3904	2340	cmd.exe	taskkill.exe
PID 2340 wrote to memory of 3904	2340	cmd.exe	taskkill.exe
PID 3068 wrote to memory of 3144	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 3144	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 3144	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3144 wrote to memory of 3768	3144	cmd.exe	taskkill.exe
PID 3144 wrote to memory of 3768	3144	cmd.exe	taskkill.exe
PID 3144 wrote to memory of 3768	3144	cmd.exe	taskkill.exe
PID 3068 wrote to memory of 3844	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 3844	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 3844	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3844 wrote to memory of 416	3844	cmd.exe	taskkill.exe
PID 3844 wrote to memory of 416	3844	cmd.exe	taskkill.exe
PID 3844 wrote to memory of 416	3844	cmd.exe	taskkill.exe
PID 3068 wrote to memory of 904	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 904	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 3068 wrote to memory of 904	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe
PID 904 wrote to memory of 3892	904	cmd.exe	taskkill.exe
PID 904 wrote to memory of 3892	904	cmd.exe	taskkill.exe
PID 904 wrote to memory of 3892	904	cmd.exe	taskkill.exe
PID 3068 wrote to memory of 756	3068	5a63e7d371dd69c5625f5b48da426c14.exe	cmd.exe

Suspicious use of AdjustPrivilegeToken 129 IoCs

Processes:

WMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3956	WMIC.exe
Token: SeSecurityPrivilege	3956	WMIC.exe
Token: SeTakeOwnershipPrivilege	3956	WMIC.exe
Token: SeLoadDriverPrivilege	3956	WMIC.exe
Token: SeSystemProfilePrivilege	3956	WMIC.exe
Token: SeSystemtimePrivilege	3956	WMIC.exe
Token: SeProfSingleProcessPrivilege	3956	WMIC.exe
Token: SeIncBasePriorityPrivilege	3956	WMIC.exe
Token: SeCreatePagefilePrivilege	3956	WMIC.exe
Token: SeBackupPrivilege	3956	WMIC.exe
Token: SeRestorePrivilege	3956	WMIC.exe
Token: SeShutdownPrivilege	3956	WMIC.exe
Token: SeDebugPrivilege	3956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3956	WMIC.exe
Token: SeRemoteShutdownPrivilege	3956	WMIC.exe
Token: SeUndockPrivilege	3956	WMIC.exe
Token: SeManageVolumePrivilege	3956	WMIC.exe
Token: 33	3956	WMIC.exe
Token: 34	3956	WMIC.exe
Token: 35	3956	WMIC.exe
Token: 36	3956	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3956	WMIC.exe
Token: SeSecurityPrivilege	3956	WMIC.exe
Token: SeTakeOwnershipPrivilege	3956	WMIC.exe
Token: SeLoadDriverPrivilege	3956	WMIC.exe
Token: SeSystemProfilePrivilege	3956	WMIC.exe
Token: SeSystemtimePrivilege	3956	WMIC.exe
Token: SeProfSingleProcessPrivilege	3956	WMIC.exe
Token: SeIncBasePriorityPrivilege	3956	WMIC.exe
Token: SeCreatePagefilePrivilege	3956	WMIC.exe
Token: SeBackupPrivilege	3956	WMIC.exe
Token: SeRestorePrivilege	3956	WMIC.exe
Token: SeShutdownPrivilege	3956	WMIC.exe
Token: SeDebugPrivilege	3956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3956	WMIC.exe
Token: SeRemoteShutdownPrivilege	3956	WMIC.exe
Token: SeUndockPrivilege	3956	WMIC.exe
Token: SeManageVolumePrivilege	3956	WMIC.exe
Token: 33	3956	WMIC.exe
Token: 34	3956	WMIC.exe
Token: 35	3956	WMIC.exe
Token: 36	3956	WMIC.exe
Token: SeBackupPrivilege	1816	vssvc.exe
Token: SeRestorePrivilege	1816	vssvc.exe
Token: SeAuditPrivilege	1816	vssvc.exe
Token: SeDebugPrivilege	3520	taskkill.exe
Token: SeDebugPrivilege	3872	taskkill.exe
Token: SeDebugPrivilege	3904	taskkill.exe
Token: SeDebugPrivilege	3768	taskkill.exe
Token: SeDebugPrivilege	416	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeDebugPrivilege	500	taskkill.exe
Token: SeDebugPrivilege	488	taskkill.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	1224	taskkill.exe
Token: SeDebugPrivilege	1292	taskkill.exe
Token: SeDebugPrivilege	896	taskkill.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\5a63e7d371dd69c5625f5b48da426c14.exe
"C:\Users\Admin\AppData\Local\Temp\5a63e7d371dd69c5625f5b48da426c14.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd /C wmic.exe SHADOWCOPY DELETE /nointeractive
2⤵
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY DELETE /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\SysWOW64\cmd.exe
cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
2⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
2⤵
PID:3284

C:\Windows\SysWOW64\cmd.exe
cmd /C bcdedit.exe /set {default} recoveryenabled No
2⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
cmd /C bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /C vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:3768

C:\Windows\SysWOW64\cmd.exe
cmd /C C:\Windows\system32\vssvc.exe
2⤵
PID:3856

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM wxServer*
2⤵
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM wxServer*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM wxServerView*
2⤵
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM wxServerView*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sqlmangr*
2⤵
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sqlmangr*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM RAgui*
2⤵
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM RAgui*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM supervise*
2⤵
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM supervise*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:416

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Culture*
2⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Culture*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Defwatch*
2⤵
PID:756

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Defwatch*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM winword*
2⤵
PID:3104

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM winword*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBW32*
2⤵
PID:1168

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBW32*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBDBMgr*
2⤵
PID:2340

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBDBMgr*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM qbupdate*
2⤵
PID:3768

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM qbupdate*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM axlbridge*
2⤵
PID:572

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM axlbridge*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:500

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM httpd*
2⤵
PID:1512

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM httpd*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:488

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM fdlauncher*
2⤵
PID:4004

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM fdlauncher*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MsDtSrvr*
2⤵
PID:3284

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MsDtSrvr*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM java*
2⤵
PID:3104

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM java*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM 360se*
2⤵
PID:2108

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM 360se*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM 360doctor*
2⤵
PID:3760

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM 360doctor*
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM wdswfsafe*
2⤵
PID:3144

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM wdswfsafe*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM fdhost*
2⤵
PID:412

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM fdhost*
3⤵
- Kills process with taskkill
PID:540

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM GDscan*
2⤵
PID:1840

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM GDscan*
3⤵
- Kills process with taskkill
PID:424

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM ZhuDongFangYu*
2⤵
PID:3892

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM ZhuDongFangYu*
3⤵
- Kills process with taskkill
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBDBMgrN*
2⤵
PID:2192

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBDBMgrN*
3⤵
PID:692

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM mysqld*
2⤵
PID:1636

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM mysqld*
3⤵
PID:3976

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM AutodeskDesktopApp*
2⤵
PID:3640

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM AutodeskDesktopApp*
3⤵
- Kills process with taskkill
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM acwebbrowser*
2⤵
PID:2092

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM acwebbrowser*
3⤵
- Kills process with taskkill
PID:1216

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Creative Cloud*
2⤵
PID:3780

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Creative Cloud*
3⤵
- Kills process with taskkill
PID:1304

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Adobe Desktop Service*
2⤵
PID:3760

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Adobe Desktop Service*
3⤵
- Kills process with taskkill
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM CoreSync*
2⤵
PID:3812

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM CoreSync*
3⤵
- Kills process with taskkill
PID:3144

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Adobe CEF Helper*
2⤵
PID:796

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Adobe CEF Helper*
3⤵
- Kills process with taskkill
PID:1508

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM node*
2⤵
PID:2980

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM node*
3⤵
- Kills process with taskkill
PID:488

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM AdobeIPCBroker*
2⤵
PID:644

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM AdobeIPCBroker*
3⤵
- Kills process with taskkill
PID:2940

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sync-taskbar*
2⤵
PID:3792

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sync-taskbar*
3⤵
- Kills process with taskkill
PID:1040

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sync-worker*
2⤵
PID:504

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sync-worker*
3⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM InputPersonalization*
2⤵
PID:1156

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM InputPersonalization*
3⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM AdobeCollabSync*
2⤵
PID:1788

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM AdobeCollabSync*
3⤵
- Kills process with taskkill
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM BrCtrlCntr*
2⤵
PID:1228

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM BrCtrlCntr*
3⤵
- Kills process with taskkill
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM BrCcUxSys*
2⤵
PID:3732

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM BrCcUxSys*
3⤵
PID:3856

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SimplyConnectionManager*
2⤵
PID:1432

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SimplyConnectionManager*
3⤵
- Kills process with taskkill
PID:840

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Simply.SystemTrayIcon*
2⤵
PID:3796

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Simply.SystemTrayIcon*
3⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM fbguard*
2⤵
PID:2824

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM fbguard*
3⤵
- Kills process with taskkill
PID:488

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM fbserver*
2⤵
PID:2076

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM fbserver*
3⤵
- Kills process with taskkill
PID:2940

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM ONENOTEM*
2⤵
PID:2160

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM ONENOTEM*
3⤵
- Kills process with taskkill
PID:1040

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM wrapper*
2⤵
PID:640

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM wrapper*
3⤵
- Kills process with taskkill
PID:3032

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM DefWatch*
2⤵
PID:2644

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM DefWatch*
3⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM ccEvtMgr*
2⤵
PID:1796

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM ccEvtMgr*
3⤵
- Kills process with taskkill
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM ccSetMgr*
2⤵
PID:1224

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM ccSetMgr*
3⤵
- Kills process with taskkill
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SavRoam*
2⤵
PID:3756

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SavRoam*
3⤵
- Kills process with taskkill
PID:3856

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Sqlservr*
2⤵
PID:3768

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Sqlservr*
3⤵
PID:840

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sqlagent*
2⤵
PID:3808

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sqlagent*
3⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sqladhlp*
2⤵
PID:356

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sqladhlp*
3⤵
- Kills process with taskkill
PID:488

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Culserver*
2⤵
PID:2548

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Culserver*
3⤵
- Kills process with taskkill
PID:2940

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM RTVscan*
2⤵
PID:1584

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM RTVscan*
3⤵
- Kills process with taskkill
PID:3892

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sqlbrowser*
2⤵
PID:1052

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sqlbrowser*
3⤵
- Kills process with taskkill
PID:2192

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLADHLP*
2⤵
PID:1644

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLADHLP*
3⤵
- Kills process with taskkill
PID:3908

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBIDPService*
2⤵
PID:1564

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBIDPService*
3⤵
- Kills process with taskkill
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM Intuit.QuickBooks.FCS*
2⤵
PID:3692

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM Intuit.QuickBooks.FCS*
3⤵
- Kills process with taskkill
PID:2092

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBCFMonitorService*
2⤵
PID:1888

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBCFMonitorService*
3⤵
PID:1332

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM sqlwriter*
2⤵
PID:2536

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM sqlwriter*
3⤵
- Kills process with taskkill
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM msmdsrv*
2⤵
PID:1428

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM msmdsrv*
3⤵
- Kills process with taskkill
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM tomcat6*
2⤵
PID:540

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM tomcat6*
3⤵
PID:1000

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM zhudongfangyu*
2⤵
PID:904

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM zhudongfangyu*
3⤵
- Kills process with taskkill
PID:2152

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM vmware-usbarbitator64*
2⤵
PID:2164

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM vmware-usbarbitator64*
3⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM vmware-converter*
2⤵
PID:3100

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM vmware-converter*
3⤵
PID:648

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM dbsrv12*
2⤵
PID:380

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM dbsrv12*
3⤵
- Kills process with taskkill
PID:3088

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM dbeng8*
2⤵
PID:1648

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM dbeng8*
3⤵
- Kills process with taskkill
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
2⤵
PID:1564

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$MICROSOFT##WID*
3⤵
- Kills process with taskkill
PID:3200

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$VEEAMSQL2012*
2⤵
PID:2068

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$VEEAMSQL2012*
3⤵
- Kills process with taskkill
PID:1324

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
2⤵
PID:1224

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLAgent$VEEAMSQL2012*
3⤵
- Kills process with taskkill
PID:3500

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLBrowser*
2⤵
PID:3756

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLBrowser*
3⤵
- Kills process with taskkill
PID:412

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLWriter*
2⤵
PID:3768

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLWriter*
3⤵
- Kills process with taskkill
PID:408

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM FishbowlMySQL*
2⤵
PID:3808

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM FishbowlMySQL*
3⤵
- Kills process with taskkill
PID:2180

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##WID*
2⤵
PID:356

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$MICROSOFT##WID*
3⤵
- Kills process with taskkill
PID:3792

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MySQL57*
2⤵
PID:2548

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MySQL57*
3⤵
PID:504

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
2⤵
PID:1584

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$KAV_CS_ADMIN_KIT*
3⤵
- Kills process with taskkill
PID:1156

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQLServerADHelper100*
2⤵
PID:1052

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQLServerADHelper100*
3⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
2⤵
PID:1644

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLAgent$KAV_CS_ADMIN_KIT*
3⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM msftesql-Exchange*
2⤵
PID:2340

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM msftesql-Exchange*
3⤵
- Kills process with taskkill
PID:3856

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
2⤵
PID:3836

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$MICROSOFT##SSEE*
3⤵
- Kills process with taskkill
PID:840

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$SBSMONITORING*
2⤵
PID:2604

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$SBSMONITORING*
3⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQL$SHAREPOINT*
2⤵
PID:3812

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQL$SHAREPOINT*
3⤵
- Kills process with taskkill
PID:424

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
2⤵
PID:2800

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQLFDLauncher$SBSMONITORING*
3⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
2⤵
PID:892

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM MSSQLFDLauncher$SHAREPOINT*
3⤵
- Kills process with taskkill
PID:3892

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$SBSMONITORING*
2⤵
PID:2436

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLAgent$SBSMONITORING*
3⤵
- Kills process with taskkill
PID:2192

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM SQLAgent$SHAREPOINT*
2⤵
PID:2624

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM SQLAgent$SHAREPOINT*
3⤵
- Kills process with taskkill
PID:3908

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBFCService*
2⤵
PID:3872

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBFCService*
3⤵
- Kills process with taskkill
PID:1788

C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /F /T /IM QBVSS*
2⤵
PID:2788

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /IM QBVSS*
3⤵
PID:2092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Deletion

T1107

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/356-153-0x0000000000000000-mapping.dmp

Download
memory/356-109-0x0000000000000000-mapping.dmp

Download
memory/380-137-0x0000000000000000-mapping.dmp

Download
memory/408-150-0x0000000000000000-mapping.dmp

Download
memory/412-148-0x0000000000000000-mapping.dmp

Download
memory/412-47-0x0000000000000000-mapping.dmp

Download
memory/416-18-0x0000000000000000-mapping.dmp

Download
memory/424-170-0x0000000000000000-mapping.dmp

Download
memory/424-50-0x0000000000000000-mapping.dmp

Download
memory/488-34-0x0000000000000000-mapping.dmp

Download
memory/488-90-0x0000000000000000-mapping.dmp

Download
memory/488-110-0x0000000000000000-mapping.dmp

Download
memory/488-70-0x0000000000000000-mapping.dmp

Download
memory/500-32-0x0000000000000000-mapping.dmp

Download
memory/504-156-0x0000000000000000-mapping.dmp

Download
memory/504-9-0x0000000000000000-mapping.dmp

Download
memory/504-75-0x0000000000000000-mapping.dmp

Download
memory/540-48-0x0000000000000000-mapping.dmp

Download
memory/540-129-0x0000000000000000-mapping.dmp

Download
memory/572-31-0x0000000000000000-mapping.dmp

Download
memory/640-95-0x0000000000000000-mapping.dmp

Download
memory/644-71-0x0000000000000000-mapping.dmp

Download
memory/648-136-0x0000000000000000-mapping.dmp

Download
memory/692-22-0x0000000000000000-mapping.dmp

Download
memory/692-54-0x0000000000000000-mapping.dmp

Download
memory/692-36-0x0000000000000000-mapping.dmp

Download
memory/756-21-0x0000000000000000-mapping.dmp

Download
memory/796-67-0x0000000000000000-mapping.dmp

Download
memory/840-166-0x0000000000000000-mapping.dmp

Download
memory/840-86-0x0000000000000000-mapping.dmp

Download
memory/840-106-0x0000000000000000-mapping.dmp

Download
memory/892-173-0x0000000000000000-mapping.dmp

Download
memory/896-46-0x0000000000000000-mapping.dmp

Download
memory/904-19-0x0000000000000000-mapping.dmp

Download
memory/904-131-0x0000000000000000-mapping.dmp

Download
memory/1000-130-0x0000000000000000-mapping.dmp

Download
memory/1008-108-0x0000000000000000-mapping.dmp

Download
memory/1008-88-0x0000000000000000-mapping.dmp

Download
memory/1008-168-0x0000000000000000-mapping.dmp

Download
memory/1040-74-0x0000000000000000-mapping.dmp

Download
memory/1040-94-0x0000000000000000-mapping.dmp

Download
memory/1052-115-0x0000000000000000-mapping.dmp

Download
memory/1052-159-0x0000000000000000-mapping.dmp

Download
memory/1104-52-0x0000000000000000-mapping.dmp

Download
memory/1156-158-0x0000000000000000-mapping.dmp

Download
memory/1156-77-0x0000000000000000-mapping.dmp

Download
memory/1168-25-0x0000000000000000-mapping.dmp

Download
memory/1216-60-0x0000000000000000-mapping.dmp

Download
memory/1224-145-0x0000000000000000-mapping.dmp

Download
memory/1224-101-0x0000000000000000-mapping.dmp

Download
memory/1224-42-0x0000000000000000-mapping.dmp

Download
memory/1228-81-0x0000000000000000-mapping.dmp

Download
memory/1292-44-0x0000000000000000-mapping.dmp

Download
memory/1304-62-0x0000000000000000-mapping.dmp

Download
memory/1324-28-0x0000000000000000-mapping.dmp

Download
memory/1324-144-0x0000000000000000-mapping.dmp

Download
memory/1332-124-0x0000000000000000-mapping.dmp

Download
memory/1428-127-0x0000000000000000-mapping.dmp

Download
memory/1432-85-0x0000000000000000-mapping.dmp

Download
memory/1496-128-0x0000000000000000-mapping.dmp

Download
memory/1508-68-0x0000000000000000-mapping.dmp

Download
memory/1512-33-0x0000000000000000-mapping.dmp

Download
memory/1564-119-0x0000000000000000-mapping.dmp

Download
memory/1564-141-0x0000000000000000-mapping.dmp

Download
memory/1564-5-0x0000000000000000-mapping.dmp

Download
memory/1564-26-0x0000000000000000-mapping.dmp

Download
memory/1584-157-0x0000000000000000-mapping.dmp

Download
memory/1584-113-0x0000000000000000-mapping.dmp

Download
memory/1604-134-0x0000000000000000-mapping.dmp

Download
memory/1636-55-0x0000000000000000-mapping.dmp

Download
memory/1644-161-0x0000000000000000-mapping.dmp

Download
memory/1644-117-0x0000000000000000-mapping.dmp

Download
memory/1648-139-0x0000000000000000-mapping.dmp

Download
memory/1780-120-0x0000000000000000-mapping.dmp

Download
memory/1780-58-0x0000000000000000-mapping.dmp

Download
memory/1788-180-0x0000000000000000-mapping.dmp

Download
memory/1788-79-0x0000000000000000-mapping.dmp

Download
memory/1792-140-0x0000000000000000-mapping.dmp

Download
memory/1796-40-0x0000000000000000-mapping.dmp

Download
memory/1796-99-0x0000000000000000-mapping.dmp

Download
memory/1840-49-0x0000000000000000-mapping.dmp

Download
memory/1888-123-0x0000000000000000-mapping.dmp

Download
memory/2068-143-0x0000000000000000-mapping.dmp

Download
memory/2076-91-0x0000000000000000-mapping.dmp

Download
memory/2092-59-0x0000000000000000-mapping.dmp

Download
memory/2092-122-0x0000000000000000-mapping.dmp

Download
memory/2092-182-0x0000000000000000-mapping.dmp

Download
memory/2108-41-0x0000000000000000-mapping.dmp

Download
memory/2152-132-0x0000000000000000-mapping.dmp

Download
memory/2160-93-0x0000000000000000-mapping.dmp

Download
memory/2164-133-0x0000000000000000-mapping.dmp

Download
memory/2180-152-0x0000000000000000-mapping.dmp

Download
memory/2192-116-0x0000000000000000-mapping.dmp

Download
memory/2192-53-0x0000000000000000-mapping.dmp

Download
memory/2192-176-0x0000000000000000-mapping.dmp

Download
memory/2340-13-0x0000000000000000-mapping.dmp

Download
memory/2340-163-0x0000000000000000-mapping.dmp

Download
memory/2340-27-0x0000000000000000-mapping.dmp

Download
memory/2344-162-0x0000000000000000-mapping.dmp

Download
memory/2436-175-0x0000000000000000-mapping.dmp

Download
memory/2536-125-0x0000000000000000-mapping.dmp

Download
memory/2540-102-0x0000000000000000-mapping.dmp

Download
memory/2540-82-0x0000000000000000-mapping.dmp

Download
memory/2548-155-0x0000000000000000-mapping.dmp

Download
memory/2548-111-0x0000000000000000-mapping.dmp

Download
memory/2604-167-0x0000000000000000-mapping.dmp

Download
memory/2624-177-0x0000000000000000-mapping.dmp

Download
memory/2644-97-0x0000000000000000-mapping.dmp

Download
memory/2644-2-0x0000000000000000-mapping.dmp

Download
memory/2684-126-0x0000000000000000-mapping.dmp

Download
memory/2684-64-0x0000000000000000-mapping.dmp

Download
memory/2788-181-0x0000000000000000-mapping.dmp

Download
memory/2800-171-0x0000000000000000-mapping.dmp

Download
memory/2824-89-0x0000000000000000-mapping.dmp

Download
memory/2916-11-0x0000000000000000-mapping.dmp

Download
memory/2916-24-0x0000000000000000-mapping.dmp

Download
memory/2940-92-0x0000000000000000-mapping.dmp

Download
memory/2940-72-0x0000000000000000-mapping.dmp

Download
memory/2940-172-0x0000000000000000-mapping.dmp

Download
memory/2940-112-0x0000000000000000-mapping.dmp

Download
memory/2980-69-0x0000000000000000-mapping.dmp

Download
memory/3004-100-0x0000000000000000-mapping.dmp

Download
memory/3004-80-0x0000000000000000-mapping.dmp

Download
memory/3032-96-0x0000000000000000-mapping.dmp

Download
memory/3032-76-0x0000000000000000-mapping.dmp

Download
memory/3088-138-0x0000000000000000-mapping.dmp

Download
memory/3100-135-0x0000000000000000-mapping.dmp

Download
memory/3104-39-0x0000000000000000-mapping.dmp

Download
memory/3104-23-0x0000000000000000-mapping.dmp

Download
memory/3144-66-0x0000000000000000-mapping.dmp

Download
memory/3144-45-0x0000000000000000-mapping.dmp

Download
memory/3144-15-0x0000000000000000-mapping.dmp

Download
memory/3200-142-0x0000000000000000-mapping.dmp

Download
memory/3284-37-0x0000000000000000-mapping.dmp

Download
memory/3284-3-0x0000000000000000-mapping.dmp

Download
memory/3312-0-0x0000000000000000-mapping.dmp

Download
memory/3500-146-0x0000000000000000-mapping.dmp

Download
memory/3520-10-0x0000000000000000-mapping.dmp

Download
memory/3640-160-0x0000000000000000-mapping.dmp

Download
memory/3640-57-0x0000000000000000-mapping.dmp

Download
memory/3668-98-0x0000000000000000-mapping.dmp

Download
memory/3668-78-0x0000000000000000-mapping.dmp

Download
memory/3688-6-0x0000000000000000-mapping.dmp

Download
memory/3692-121-0x0000000000000000-mapping.dmp

Download
memory/3732-83-0x0000000000000000-mapping.dmp

Download
memory/3756-103-0x0000000000000000-mapping.dmp

Download
memory/3756-147-0x0000000000000000-mapping.dmp

Download
memory/3760-63-0x0000000000000000-mapping.dmp

Download
memory/3760-43-0x0000000000000000-mapping.dmp

Download
memory/3768-149-0x0000000000000000-mapping.dmp

Download
memory/3768-7-0x0000000000000000-mapping.dmp

Download
memory/3768-29-0x0000000000000000-mapping.dmp

Download
memory/3768-105-0x0000000000000000-mapping.dmp

Download
memory/3768-16-0x0000000000000000-mapping.dmp

Download
memory/3780-61-0x0000000000000000-mapping.dmp

Download
memory/3792-154-0x0000000000000000-mapping.dmp

Download
memory/3792-73-0x0000000000000000-mapping.dmp

Download
memory/3796-87-0x0000000000000000-mapping.dmp

Download
memory/3796-30-0x0000000000000000-mapping.dmp

Download
memory/3808-107-0x0000000000000000-mapping.dmp

Download
memory/3808-151-0x0000000000000000-mapping.dmp

Download
memory/3812-169-0x0000000000000000-mapping.dmp

Download
memory/3812-65-0x0000000000000000-mapping.dmp

Download
memory/3836-165-0x0000000000000000-mapping.dmp

Download
memory/3844-17-0x0000000000000000-mapping.dmp

Download
memory/3856-164-0x0000000000000000-mapping.dmp

Download
memory/3856-8-0x0000000000000000-mapping.dmp

Download
memory/3856-104-0x0000000000000000-mapping.dmp

Download
memory/3856-84-0x0000000000000000-mapping.dmp

Download
memory/3872-12-0x0000000000000000-mapping.dmp

Download
memory/3872-179-0x0000000000000000-mapping.dmp

Download
memory/3892-174-0x0000000000000000-mapping.dmp

Download
memory/3892-20-0x0000000000000000-mapping.dmp

Download
memory/3892-51-0x0000000000000000-mapping.dmp

Download
memory/3892-114-0x0000000000000000-mapping.dmp

Download
memory/3904-14-0x0000000000000000-mapping.dmp

Download
memory/3908-178-0x0000000000000000-mapping.dmp

Download
memory/3908-118-0x0000000000000000-mapping.dmp

Download
memory/3940-4-0x0000000000000000-mapping.dmp

Download
memory/3956-1-0x0000000000000000-mapping.dmp

Download
memory/3976-38-0x0000000000000000-mapping.dmp

Download
memory/3976-56-0x0000000000000000-mapping.dmp

Download
memory/4004-35-0x0000000000000000-mapping.dmp

Download