hellokitty | fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7v20201028
submitted
09-02-2021 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
Size

157KB
MD5

85cd7c6931b44a14f4899dfd0039e8b4
SHA1

5822f65dec879ba585112976a632b2c4435abf90
SHA256

fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb
SHA512

9a8173eb7f08c1c9e2c9b66b2866c08a5e97bc16ceb3644a55cc9da17dec1b9941f0e30c23994952d31b3b60911d13e7cc20810ecada35cdca4bff72ccad5a15

Score

10^/10

hellokitty ransomware

Malware Config

Extracted

Path

C:\Documents and Settings\read_me_lkd.txt

Ransom Note

Hello dear user. Your files have been encrypted. -- What does it mean?! Content of your files have been modified. Without special key you can't undo that operation. -- How to get special key? If you want to get it, you must pay us some money and we will help you. We will give you special decryption program and instructions. -- Ok, how i can pay you? 1) Download TOR browser, if you don't know how to do it you can google it. 2) Open this website in tor browser: http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/d87c3f9baf85b2e9ab2a824bb78868294e19992e2e26b54f248abfa73c42a7c0 3) Follow instructions in chat.

URLs

http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/d87c3f9baf85b2e9ab2a824bb78868294e19992e2e26b54f248abfa73c42a7c0

Signatures

HelloKitty Ransomware
Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CDProjektRed game studio.
ransomware hellokitty

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\InitializeStep.tif => C:\Users\Admin\Pictures\InitializeStep.tif.crypted	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
File renamed	C:\Users\Admin\Pictures\RemoveStart.tiff => C:\Users\Admin\Pictures\RemoveStart.tiff.crypted	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveStart.tiff	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 38 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
980	taskkill.exe
1464	taskkill.exe
1772	taskkill.exe
1648	taskkill.exe
396	taskkill.exe
1172	taskkill.exe
1628	taskkill.exe
1628	taskkill.exe
604	taskkill.exe
1740	taskkill.exe
2512	taskkill.exe
812	taskkill.exe
2740	taskkill.exe
484	taskkill.exe
284	taskkill.exe
1900	taskkill.exe
1068	taskkill.exe
1368	taskkill.exe
1644	taskkill.exe
456	taskkill.exe
912	taskkill.exe
748	taskkill.exe
2712	taskkill.exe
2784	taskkill.exe
1548	taskkill.exe
1968	taskkill.exe
2340	taskkill.exe
324	taskkill.exe
2636	taskkill.exe
1804	taskkill.exe
2632	taskkill.exe
1992	taskkill.exe
1708	taskkill.exe
2520	taskkill.exe
1776	taskkill.exe
1116	taskkill.exe
2688	taskkill.exe
2428	taskkill.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe

pid process

1944 fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe

pid	process
1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	484	taskkill.exe
Token: SeDebugPrivilege	604	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	284	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	748	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	1172	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	456	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	2512	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	2712	taskkill.exe
Token: SeDebugPrivilege	324	taskkill.exe
Token: SeDebugPrivilege	1068	taskkill.exe
Token: SeDebugPrivilege	912	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	812	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe

description	pid	process	target process
PID 1944 wrote to memory of 1464	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1464	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1464	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1464	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1992	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1992	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1992	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1992	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1548	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1548	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1548	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1548	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1776	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1776	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1776	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1776	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1772	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1772	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1772	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1772	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1708	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1708	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1708	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1708	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 484	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 484	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 484	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 484	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 604	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 604	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 604	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 604	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1648	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1648	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1648	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1648	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 396	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 396	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 396	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 396	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 284	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 284	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 284	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 284	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1368	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1368	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1368	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1368	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1172	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1172	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1172	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1172	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1116	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1116	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1116	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1116	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 748	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 748	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 748	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 748	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1968	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1968	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1968	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 1944 wrote to memory of 1968	1944	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
"C:\Users\Admin\AppData\Local\Temp\fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im mysql*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im dsa*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Ntrtscan*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im ds_monitor*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Notifier*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im TmListen*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im iVPAgent*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:484
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im CNTAoSMgr*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:604
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im IBM*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im bes10*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im black*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:284
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im robo*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im copy*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1172
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im store.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im sql*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:748
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im vee*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im wrsa*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im wrsa.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im postg*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im sage*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
  2⤵
  PID:2424
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100
    3⤵
    PID:2684
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$ISARS
  2⤵
  PID:2672
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ISARS
    3⤵
    PID:2780
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$MSFW
  2⤵
  PID:2696
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$MSFW
    3⤵
    PID:2800
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$ISARS
  2⤵
  PID:2728
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ISARS
    3⤵
    PID:2836
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$MSFW
  2⤵
  PID:2808
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$MSFW
    3⤵
    PID:2920
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLBrowser
  2⤵
  PID:2860
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser
    3⤵
    PID:3064
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$ISARS
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ReportServer$ISARS
    3⤵
    PID:2312
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSA
  2⤵
  PID:3048
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA
    3⤵
    PID:1708
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeIS
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS
    3⤵
    PID:1768
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeFBA
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeFBA
    3⤵
    PID:396
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeADTopology
  2⤵
  PID:2972
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeADTopology
    3⤵
    PID:2448
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop mr2kserv
  2⤵
  PID:2952
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mr2kserv
    3⤵
    PID:2392
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop WinDefend
  2⤵
  PID:2932
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WinDefend
    3⤵
    PID:1784
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLWriter
  2⤵
  PID:2908
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLWriter
    3⤵
    PID:1976
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ShadowProtectSvc
  2⤵
  PID:552
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ShadowProtectSvc
    3⤵
    PID:2348
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPAdminV4
  2⤵
  PID:792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPAdminV4
    3⤵
    PID:1988
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPTimerV4
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPTimerV4
    3⤵
    PID:308
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPTraceV4
  2⤵
  PID:2328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPTraceV4
    3⤵
    PID:1564
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPUserCodeV4
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPUserCodeV4
    3⤵
    PID:2464
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPWriterV4
  2⤵
  PID:1724
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPWriterV4
    3⤵
    PID:748
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPSearch4
  2⤵
  PID:540
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPSearch4
    3⤵
    PID:1544
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
  2⤵
  PID:2416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100
    3⤵
    PID:2460
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IISADMIN
  2⤵
  PID:2520
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISADMIN
    3⤵
    PID:1116
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop firebirdguardiandefaultinstance
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
    3⤵
    PID:1600
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ibmiasrw
  2⤵
  PID:812
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ibmiasrw
    3⤵
    PID:2532
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBCFMonitorService
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService
    3⤵
    PID:1900
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBVSS
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBVSS
    3⤵
    PID:752
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBPOSDBServiceV12
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBPOSDBServiceV12
    3⤵
    PID:1796
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Server(CProgramFilesIBMDominodata)"
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Server(CProgramFilesIBMDominodata)"
    3⤵
    PID:2760
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IISADMIN
  2⤵
  PID:2764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISADMIN
    3⤵
    PID:2784
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
  2⤵
  PID:2588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
    3⤵
    PID:2620
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Simply Accounting Database Connection Manager"
  2⤵
  PID:980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
    3⤵
    PID:2704
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB1
  2⤵
  PID:1436
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB1
    3⤵
    PID:2836
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB2
  2⤵
  PID:2584
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB2
    3⤵
    PID:2728
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB3
  2⤵
  PID:2788
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB3
    3⤵
    PID:2948
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB5
  2⤵
  PID:2672
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB5
    3⤵
    PID:2828
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB6
  2⤵
  PID:1172
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB6
    3⤵
    PID:1972
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB7
  2⤵
  PID:2816
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB7
    3⤵
    PID:1992
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB4
  2⤵
  PID:2676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB4
    3⤵
    PID:2920
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB8
  2⤵
  PID:2796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB8
    3⤵
    PID:2860
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB9
  2⤵
  PID:3020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB9
    3⤵
    PID:1720
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB12
  2⤵
  PID:2668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB12
    3⤵
    PID:1176
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB13
  2⤵
  PID:2380
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB13
    3⤵
    PID:1604
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB11
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB11
    3⤵
    PID:1988
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB15
  2⤵
  PID:2872
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB15
    3⤵
    PID:2364
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB16
  2⤵
  PID:1788
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB16
    3⤵
    PID:308
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB14
  2⤵
  PID:2848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB14
    3⤵
    PID:1728
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB10
  2⤵
  PID:960
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB10
    3⤵
    PID:2348
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB17
  2⤵
  PID:2356
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB17
    3⤵
    PID:2372
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB19
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB19
    3⤵
    PID:2468
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB18
  2⤵
  PID:684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB18
    3⤵
    PID:840
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB20
  2⤵
  PID:2952
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB20
    3⤵
    PID:1184
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB21
  2⤵
  PID:2984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB21
    3⤵
    PID:1664
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB22
  2⤵
  PID:3052
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB22
    3⤵
    PID:2456
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB23
  2⤵
  PID:2448
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB23
    3⤵
    PID:2496
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB24
  2⤵
  PID:2336
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB24
    3⤵
    PID:2684
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB25
  2⤵
  PID:340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB25
    3⤵
    PID:2432
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1760"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1760"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1760"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:456
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2952"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:324
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2952"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2952"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2984"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2984"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2984"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:812
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3052"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3052"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3052"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2448"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2448"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2448"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2336"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2336"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2336"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "711367844653009206-847798451707022705-763835311-605063332-15400494201785207171"
1⤵
PID:1708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1724076551599426571-9954311601148413951-1640126042-1308165924-18777432451898984959"
1⤵
PID:1768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1258185840260110271-674356861-1356957713-1606880541789660798357274333-607034475"
1⤵
PID:2328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1850288271-15228094291255320023599193534-466432090-950239353-1189582448-1916388522"
1⤵
PID:1996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "50650022821399928954186173802046982252902886377-7008122129645870591769712454"
1⤵
PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/284-13-0x0000000000000000-mapping.dmp

Download
memory/308-56-0x0000000000000000-mapping.dmp

Download
memory/396-60-0x0000000000000000-mapping.dmp

Download
memory/396-12-0x0000000000000000-mapping.dmp

Download
memory/484-9-0x0000000000000000-mapping.dmp

Download
memory/540-55-0x0000000000000000-mapping.dmp

Download
memory/552-44-0x0000000000000000-mapping.dmp

Download
memory/604-10-0x0000000000000000-mapping.dmp

Download
memory/748-17-0x0000000000000000-mapping.dmp

Download
memory/792-45-0x0000000000000000-mapping.dmp

Download
memory/1116-16-0x0000000000000000-mapping.dmp

Download
memory/1172-15-0x0000000000000000-mapping.dmp

Download
memory/1368-14-0x0000000000000000-mapping.dmp

Download
memory/1464-47-0x0000000000000000-mapping.dmp

Download
memory/1464-3-0x0000000000000000-mapping.dmp

Download
memory/1544-65-0x0000000000000000-mapping.dmp

Download
memory/1548-5-0x0000000000000000-mapping.dmp

Download
memory/1564-62-0x0000000000000000-mapping.dmp

Download
memory/1628-21-0x0000000000000000-mapping.dmp

Download
memory/1644-20-0x0000000000000000-mapping.dmp

Download
memory/1648-11-0x0000000000000000-mapping.dmp

Download
memory/1708-8-0x0000000000000000-mapping.dmp

Download
memory/1708-54-0x0000000000000000-mapping.dmp

Download
memory/1724-53-0x0000000000000000-mapping.dmp

Download
memory/1732-49-0x0000000000000000-mapping.dmp

Download
memory/1768-59-0x0000000000000000-mapping.dmp

Download
memory/1772-7-0x0000000000000000-mapping.dmp

Download
memory/1776-6-0x0000000000000000-mapping.dmp

Download
memory/1784-50-0x0000000000000000-mapping.dmp

Download
memory/1900-19-0x0000000000000000-mapping.dmp

Download
memory/1944-2-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1968-18-0x0000000000000000-mapping.dmp

Download
memory/1976-46-0x0000000000000000-mapping.dmp

Download
memory/1988-52-0x0000000000000000-mapping.dmp

Download
memory/1992-4-0x0000000000000000-mapping.dmp

Download
memory/2312-43-0x0000000000000000-mapping.dmp

Download
memory/2328-48-0x0000000000000000-mapping.dmp

Download
memory/2340-22-0x0000000000000000-mapping.dmp

Download
memory/2348-51-0x0000000000000000-mapping.dmp

Download
memory/2392-58-0x0000000000000000-mapping.dmp

Download
memory/2416-61-0x0000000000000000-mapping.dmp

Download
memory/2424-23-0x0000000000000000-mapping.dmp

Download
memory/2448-57-0x0000000000000000-mapping.dmp

Download
memory/2464-63-0x0000000000000000-mapping.dmp

Download
memory/2520-64-0x0000000000000000-mapping.dmp

Download
memory/2660-66-0x0000000000000000-mapping.dmp

Download
memory/2672-24-0x0000000000000000-mapping.dmp

Download
memory/2684-25-0x0000000000000000-mapping.dmp

Download
memory/2696-26-0x0000000000000000-mapping.dmp

Download
memory/2728-27-0x0000000000000000-mapping.dmp

Download
memory/2780-28-0x0000000000000000-mapping.dmp

Download
memory/2800-29-0x0000000000000000-mapping.dmp

Download
memory/2808-30-0x0000000000000000-mapping.dmp

Download
memory/2836-31-0x0000000000000000-mapping.dmp

Download
memory/2860-32-0x0000000000000000-mapping.dmp

Download
memory/2884-33-0x0000000000000000-mapping.dmp

Download
memory/2908-34-0x0000000000000000-mapping.dmp

Download
memory/2920-35-0x0000000000000000-mapping.dmp

Download
memory/2932-36-0x0000000000000000-mapping.dmp

Download
memory/2952-37-0x0000000000000000-mapping.dmp

Download
memory/2972-38-0x0000000000000000-mapping.dmp

Download
memory/2992-39-0x0000000000000000-mapping.dmp

Download
memory/3012-40-0x0000000000000000-mapping.dmp

Download
memory/3048-41-0x0000000000000000-mapping.dmp

Download
memory/3064-42-0x0000000000000000-mapping.dmp

Download