makop | 0ed05e4be5376f0cf391a78afc7a3114ffbfa064348fb66cd93e8ee6f6b27fe1

Analysis

max time kernel
148s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
23-02-2021 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
Size

467KB
MD5

1872d50febed32fe549f3c1257ede6bc
SHA1

8f5d4c4c47e3d0e1071a974d92f8bba0d9ae4b6a
SHA256

0ed05e4be5376f0cf391a78afc7a3114ffbfa064348fb66cd93e8ee6f6b27fe1
SHA512

bdcfc894b05b73af687315aa7f2ed9643462a07cbc9a7aa95d635e00fae620c5247f6863d63af4b084fd5b488a88a4eb63bf3971744b3e6319622596899e5bdb

Score

10^/10

makop evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "WKSGJ" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: toddmhickey@outlook.com or jamiepenkaty@cock.li .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

toddmhickey@outlook.com

jamiepenkaty@cock.li

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3280 created 1664 3280 svchost.exe SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

description	pid	process	target process
PID 3280 created 1664	3280	svchost.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\5bda9550-cef7-4e9a-a7f8-2883d20e6e7f\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\5bda9550-cef7-4e9a-a7f8-2883d20e6e7f\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\5bda9550-cef7-4e9a-a7f8-2883d20e6e7f\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\d344189b-9612-4083-a741-ea2c4793f059\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\d344189b-9612-4083-a741-ea2c4793f059\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\d344189b-9612-4083-a741-ea2c4793f059\AdvancedRun.exe	Nirsoft

Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3732 wbadmin.exe
Executes dropped EXE 4 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe

pid process

1988 AdvancedRun.exe
1920 AdvancedRun.exe
4312 AdvancedRun.exe
4360 AdvancedRun.exe

pid	process
3732	wbadmin.exe

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe = "0"	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exeSecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 27 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exeSecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe

pid	process
3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exeSecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe

description	pid	process	target process
PID 3636 set thread context of 1664	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 3932 set thread context of 4792	3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
3024	3636	WerFault.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
4820	3932	WerFault.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	vds.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3592 timeout.exe
4692 timeout.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2992 vssadmin.exe

pid	process
3592	timeout.exe
4692	timeout.exe

pid	process
2992	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeSecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exepowershell.exepowershell.exeWerFault.exeSecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exeSecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exeWerFault.exe

pid	process
1988	AdvancedRun.exe
1988	AdvancedRun.exe
1988	AdvancedRun.exe
1988	AdvancedRun.exe
1920	AdvancedRun.exe
1920	AdvancedRun.exe
1920	AdvancedRun.exe
1920	AdvancedRun.exe
3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
1320	powershell.exe
1584	powershell.exe
1320	powershell.exe
1584	powershell.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe
1584	powershell.exe
1320	powershell.exe
1664	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
1664	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
4312	AdvancedRun.exe
4312	AdvancedRun.exe
4312	AdvancedRun.exe
4312	AdvancedRun.exe
4360	AdvancedRun.exe
4360	AdvancedRun.exe
4360	AdvancedRun.exe
4360	AdvancedRun.exe
4392	powershell.exe
4424	powershell.exe
4392	powershell.exe
4424	powershell.exe
4392	powershell.exe
4424	powershell.exe
3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exesvchost.exeSecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exevssvc.exeWerFault.exewbengine.exeWMIC.exeAdvancedRun.exe

description	pid	process
Token: SeDebugPrivilege	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
Token: SeDebugPrivilege	1988	AdvancedRun.exe
Token: SeImpersonatePrivilege	1988	AdvancedRun.exe
Token: SeDebugPrivilege	1920	AdvancedRun.exe
Token: SeImpersonatePrivilege	1920	AdvancedRun.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeTcbPrivilege	3280	svchost.exe
Token: SeTcbPrivilege	3280	svchost.exe
Token: SeDebugPrivilege	3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
Token: SeBackupPrivilege	3692	vssvc.exe
Token: SeRestorePrivilege	3692	vssvc.exe
Token: SeAuditPrivilege	3692	vssvc.exe
Token: SeRestorePrivilege	3024	WerFault.exe
Token: SeBackupPrivilege	3024	WerFault.exe
Token: SeBackupPrivilege	3024	WerFault.exe
Token: SeBackupPrivilege	2432	wbengine.exe
Token: SeRestorePrivilege	2432	wbengine.exe
Token: SeSecurityPrivilege	2432	wbengine.exe
Token: SeDebugPrivilege	3024	WerFault.exe
Token: SeIncreaseQuotaPrivilege	260	WMIC.exe
Token: SeSecurityPrivilege	260	WMIC.exe
Token: SeTakeOwnershipPrivilege	260	WMIC.exe
Token: SeLoadDriverPrivilege	260	WMIC.exe
Token: SeSystemProfilePrivilege	260	WMIC.exe
Token: SeSystemtimePrivilege	260	WMIC.exe
Token: SeProfSingleProcessPrivilege	260	WMIC.exe
Token: SeIncBasePriorityPrivilege	260	WMIC.exe
Token: SeCreatePagefilePrivilege	260	WMIC.exe
Token: SeBackupPrivilege	260	WMIC.exe
Token: SeRestorePrivilege	260	WMIC.exe
Token: SeShutdownPrivilege	260	WMIC.exe
Token: SeDebugPrivilege	260	WMIC.exe
Token: SeSystemEnvironmentPrivilege	260	WMIC.exe
Token: SeRemoteShutdownPrivilege	260	WMIC.exe
Token: SeUndockPrivilege	260	WMIC.exe
Token: SeManageVolumePrivilege	260	WMIC.exe
Token: 33	260	WMIC.exe
Token: 34	260	WMIC.exe
Token: 35	260	WMIC.exe
Token: 36	260	WMIC.exe
Token: SeIncreaseQuotaPrivilege	260	WMIC.exe
Token: SeSecurityPrivilege	260	WMIC.exe
Token: SeTakeOwnershipPrivilege	260	WMIC.exe
Token: SeLoadDriverPrivilege	260	WMIC.exe
Token: SeSystemProfilePrivilege	260	WMIC.exe
Token: SeSystemtimePrivilege	260	WMIC.exe
Token: SeProfSingleProcessPrivilege	260	WMIC.exe
Token: SeIncBasePriorityPrivilege	260	WMIC.exe
Token: SeCreatePagefilePrivilege	260	WMIC.exe
Token: SeBackupPrivilege	260	WMIC.exe
Token: SeRestorePrivilege	260	WMIC.exe
Token: SeShutdownPrivilege	260	WMIC.exe
Token: SeDebugPrivilege	260	WMIC.exe
Token: SeSystemEnvironmentPrivilege	260	WMIC.exe
Token: SeRemoteShutdownPrivilege	260	WMIC.exe
Token: SeUndockPrivilege	260	WMIC.exe
Token: SeManageVolumePrivilege	260	WMIC.exe
Token: 33	260	WMIC.exe
Token: 34	260	WMIC.exe
Token: 35	260	WMIC.exe
Token: 36	260	WMIC.exe
Token: SeDebugPrivilege	4312	AdvancedRun.exe
Token: SeImpersonatePrivilege	4312	AdvancedRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exeAdvancedRun.execmd.exesvchost.exeSecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.execmd.exeSecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exeAdvancedRun.execmd.exe

description	pid	process	target process
PID 3636 wrote to memory of 1988	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	AdvancedRun.exe
PID 3636 wrote to memory of 1988	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	AdvancedRun.exe
PID 3636 wrote to memory of 1988	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	AdvancedRun.exe
PID 1988 wrote to memory of 1920	1988	AdvancedRun.exe	AdvancedRun.exe
PID 1988 wrote to memory of 1920	1988	AdvancedRun.exe	AdvancedRun.exe
PID 1988 wrote to memory of 1920	1988	AdvancedRun.exe	AdvancedRun.exe
PID 3636 wrote to memory of 1584	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	powershell.exe
PID 3636 wrote to memory of 1584	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	powershell.exe
PID 3636 wrote to memory of 1584	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	powershell.exe
PID 3636 wrote to memory of 1320	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	powershell.exe
PID 3636 wrote to memory of 1320	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	powershell.exe
PID 3636 wrote to memory of 1320	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	powershell.exe
PID 3636 wrote to memory of 580	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	cmd.exe
PID 3636 wrote to memory of 580	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	cmd.exe
PID 3636 wrote to memory of 580	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	cmd.exe
PID 580 wrote to memory of 3592	580	cmd.exe	timeout.exe
PID 580 wrote to memory of 3592	580	cmd.exe	timeout.exe
PID 580 wrote to memory of 3592	580	cmd.exe	timeout.exe
PID 3636 wrote to memory of 1664	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 3636 wrote to memory of 1664	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 3636 wrote to memory of 1664	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 3636 wrote to memory of 1664	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 3636 wrote to memory of 1664	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 3636 wrote to memory of 1664	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 3636 wrote to memory of 1664	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 3636 wrote to memory of 1664	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 3636 wrote to memory of 1664	3636	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 3280 wrote to memory of 3932	3280	svchost.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 3280 wrote to memory of 3932	3280	svchost.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 3280 wrote to memory of 3932	3280	svchost.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 3280 wrote to memory of 3932	3280	svchost.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 3280 wrote to memory of 3932	3280	svchost.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 3280 wrote to memory of 3932	3280	svchost.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 3280 wrote to memory of 3932	3280	svchost.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 1664 wrote to memory of 512	1664	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	cmd.exe
PID 1664 wrote to memory of 512	1664	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	cmd.exe
PID 512 wrote to memory of 2992	512	cmd.exe	vssadmin.exe
PID 512 wrote to memory of 2992	512	cmd.exe	vssadmin.exe
PID 512 wrote to memory of 3732	512	cmd.exe	wbadmin.exe
PID 512 wrote to memory of 3732	512	cmd.exe	wbadmin.exe
PID 512 wrote to memory of 260	512	cmd.exe	WMIC.exe
PID 512 wrote to memory of 260	512	cmd.exe	WMIC.exe
PID 3932 wrote to memory of 4312	3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	AdvancedRun.exe
PID 3932 wrote to memory of 4312	3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	AdvancedRun.exe
PID 3932 wrote to memory of 4312	3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	AdvancedRun.exe
PID 4312 wrote to memory of 4360	4312	AdvancedRun.exe	AdvancedRun.exe
PID 4312 wrote to memory of 4360	4312	AdvancedRun.exe	AdvancedRun.exe
PID 4312 wrote to memory of 4360	4312	AdvancedRun.exe	AdvancedRun.exe
PID 3932 wrote to memory of 4392	3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	powershell.exe
PID 3932 wrote to memory of 4392	3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	powershell.exe
PID 3932 wrote to memory of 4392	3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	powershell.exe
PID 3932 wrote to memory of 4424	3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	powershell.exe
PID 3932 wrote to memory of 4424	3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	powershell.exe
PID 3932 wrote to memory of 4424	3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	powershell.exe
PID 3932 wrote to memory of 4460	3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	cmd.exe
PID 3932 wrote to memory of 4460	3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	cmd.exe
PID 3932 wrote to memory of 4460	3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	cmd.exe
PID 4460 wrote to memory of 4692	4460	cmd.exe	timeout.exe
PID 4460 wrote to memory of 4692	4460	cmd.exe	timeout.exe
PID 4460 wrote to memory of 4692	4460	cmd.exe	timeout.exe
PID 3932 wrote to memory of 4792	3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 3932 wrote to memory of 4792	3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 3932 wrote to memory of 4792	3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
PID 3932 wrote to memory of 4792	3932	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exeSecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe"
1⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3636

C:\Users\Admin\AppData\Local\Temp\5bda9550-cef7-4e9a-a7f8-2883d20e6e7f\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\5bda9550-cef7-4e9a-a7f8-2883d20e6e7f\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\5bda9550-cef7-4e9a-a7f8-2883d20e6e7f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\5bda9550-cef7-4e9a-a7f8-2883d20e6e7f\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\5bda9550-cef7-4e9a-a7f8-2883d20e6e7f\AdvancedRun.exe" /SpecialRun 4101d8 1988
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3592

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe" n1664
3⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3932

C:\Users\Admin\AppData\Local\Temp\d344189b-9612-4083-a741-ea2c4793f059\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\d344189b-9612-4083-a741-ea2c4793f059\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\d344189b-9612-4083-a741-ea2c4793f059\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4312

C:\Users\Admin\AppData\Local\Temp\d344189b-9612-4083-a741-ea2c4793f059\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\d344189b-9612-4083-a741-ea2c4793f059\AdvancedRun.exe" /SpecialRun 4101d8 4312
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
4⤵
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\timeout.exe
timeout 1
5⤵
- Delays execution with timeout.exe
PID:4692

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe"
4⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1960
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4820

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2992

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:3732

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 2076
2⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2440

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Bypass User Account Control

T1088

File Deletion

T1107

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a9d7ecf8976380bf0c44bbe48167bc9c

SHA1
a1c2fe715cfed2d852c77a580e896c7f42180378

SHA256
485441a425de81eb0e0fb48bc18ab19d25eb9ceae50712e5d44de95610fc6115

SHA512
f124c25e42e488039a0aac3c46f07b7960dde33e702583421542b5e3c5132ba26ed78c1579444c402d0ee99e903e350e53199c0ee895ff51e207c6a302aba8f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e7314c0bcef6158cc29aa76be1e5794a

SHA1
5b9a419f0341e15b3d784d19e55a6fad5f7486c8

SHA256
6d7f0ef54dd29fde03bb4357af9c9b52d803b6ea498f43acd491599d04679912

SHA512
ee013623af9cf5d6de7efc59623ab11fdc580030e3b12e122302caf0b40be554da787a94d609a51ac9013b50a94cd7d3cc97def0cf8232bd42714c762a0d0b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a9d7ecf8976380bf0c44bbe48167bc9c

SHA1
a1c2fe715cfed2d852c77a580e896c7f42180378

SHA256
485441a425de81eb0e0fb48bc18ab19d25eb9ceae50712e5d44de95610fc6115

SHA512
f124c25e42e488039a0aac3c46f07b7960dde33e702583421542b5e3c5132ba26ed78c1579444c402d0ee99e903e350e53199c0ee895ff51e207c6a302aba8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bda9550-cef7-4e9a-a7f8-2883d20e6e7f\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bda9550-cef7-4e9a-a7f8-2883d20e6e7f\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bda9550-cef7-4e9a-a7f8-2883d20e6e7f\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d344189b-9612-4083-a741-ea2c4793f059\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d344189b-9612-4083-a741-ea2c4793f059\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d344189b-9612-4083-a741-ea2c4793f059\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/260-60-0x0000000000000000-mapping.dmp

Download
memory/512-34-0x0000000000000000-mapping.dmp

Download
memory/580-18-0x0000000000000000-mapping.dmp

Download
memory/1320-24-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/1320-17-0x0000000000000000-mapping.dmp

Download
memory/1320-91-0x0000000009500000-0x0000000009501000-memory.dmp

Filesize
4KB

Download
memory/1320-20-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1320-86-0x0000000004753000-0x0000000004754000-memory.dmp

Filesize
4KB

Download
memory/1320-21-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/1320-83-0x0000000009560000-0x0000000009561000-memory.dmp

Filesize
4KB

Download
memory/1320-82-0x000000007EE80000-0x000000007EE81000-memory.dmp

Filesize
4KB

Download
memory/1320-25-0x0000000007330000-0x0000000007331000-memory.dmp

Filesize
4KB

Download
memory/1320-26-0x0000000004752000-0x0000000004753000-memory.dmp

Filesize
4KB

Download
memory/1320-79-0x00000000093B0000-0x00000000093B1000-memory.dmp

Filesize
4KB

Download
memory/1320-77-0x0000000009240000-0x0000000009241000-memory.dmp

Filesize
4KB

Download
memory/1320-63-0x0000000009280000-0x00000000092B3000-memory.dmp

Filesize
204KB

Download
memory/1320-58-0x0000000008280000-0x0000000008281000-memory.dmp

Filesize
4KB

Download
memory/1320-56-0x0000000008450000-0x0000000008451000-memory.dmp

Filesize
4KB

Download
memory/1320-46-0x00000000079D0000-0x00000000079D1000-memory.dmp

Filesize
4KB

Download
memory/1320-36-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/1584-41-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/1584-54-0x0000000007E60000-0x0000000007E61000-memory.dmp

Filesize
4KB

Download
memory/1584-85-0x0000000004733000-0x0000000004734000-memory.dmp

Filesize
4KB

Download
memory/1584-81-0x000000007ED90000-0x000000007ED91000-memory.dmp

Filesize
4KB

Download
memory/1584-28-0x0000000004732000-0x0000000004733000-memory.dmp

Filesize
4KB

Download
memory/1584-50-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

Filesize
4KB

Download
memory/1584-16-0x0000000000000000-mapping.dmp

Download
memory/1584-19-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1584-88-0x00000000094E0000-0x00000000094E1000-memory.dmp

Filesize
4KB

Download
memory/1584-23-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/1664-31-0x00000000004053F0-mapping.dmp

Download
memory/1664-30-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1664-40-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1920-14-0x0000000000000000-mapping.dmp

Download
memory/1988-11-0x0000000000000000-mapping.dmp

Download
memory/2992-48-0x0000000000000000-mapping.dmp

Download
memory/3024-52-0x0000000004520000-0x0000000004521000-memory.dmp

Filesize
4KB

Download
memory/3592-29-0x0000000000000000-mapping.dmp

Download
memory/3636-10-0x0000000003230000-0x00000000032AC000-memory.dmp

Filesize
496KB

Download
memory/3636-5-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/3636-3-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/3636-2-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/3636-6-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/3636-7-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/3636-9-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/3636-8-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/3732-53-0x0000000000000000-mapping.dmp

Download
memory/3932-33-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/3932-51-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/3932-32-0x0000000000000000-mapping.dmp

Download
memory/4312-98-0x0000000000000000-mapping.dmp

Download
memory/4360-101-0x0000000000000000-mapping.dmp

Download
memory/4392-103-0x0000000000000000-mapping.dmp

Download
memory/4392-106-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/4392-160-0x0000000004473000-0x0000000004474000-memory.dmp

Filesize
4KB

Download
memory/4392-112-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/4392-114-0x0000000004472000-0x0000000004473000-memory.dmp

Filesize
4KB

Download
memory/4392-141-0x000000007F770000-0x000000007F771000-memory.dmp

Filesize
4KB

Download
memory/4424-104-0x0000000000000000-mapping.dmp

Download
memory/4424-116-0x0000000007212000-0x0000000007213000-memory.dmp

Filesize
4KB

Download
memory/4424-115-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/4424-159-0x000000007E3B0000-0x000000007E3B1000-memory.dmp

Filesize
4KB

Download
memory/4424-108-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/4424-161-0x0000000007213000-0x0000000007214000-memory.dmp

Filesize
4KB

Download
memory/4460-105-0x0000000000000000-mapping.dmp

Download
memory/4692-122-0x0000000000000000-mapping.dmp

Download
memory/4792-133-0x00000000004053F0-mapping.dmp

Download
memory/4820-134-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download