74a717027b6212236662bf641c473b8f8cd65486898b02940357bb9b3035f38a

Resubmissions

24-11-2021 13:59

211124-rahp4acghj 10

24-11-2021 09:36

211124-lk29laccgq 8

Analysis

max time kernel
110s
max time network
148s
platform
windows10_x64
resource
win10-en-20211104
submitted
24-11-2021 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

emk21h33.exe
Size

385KB
MD5

54e8989f3595120a430b8d31ca87c0cc
SHA1

30609e95e4396e7c409b21e0d96c185736cc01d2
SHA256

74a717027b6212236662bf641c473b8f8cd65486898b02940357bb9b3035f38a
SHA512

56d102a6723e79e0fd4bf5756cf5fe01c36d62a9f1c0575750c288ab9b6de119ce6675a5156c80f4ed3274962981a14095ced7c9d213f9e9216b4a655ab66206

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

Processes:

description flow ioc

HTTP URL 30 http://live.sysinternals.com/PsExec.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	flow	ioc
HTTP URL	30	http://live.sysinternals.com/PsExec.exe

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

emk21h33.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\BackupBlock.tiff => C:\Users\Admin\Pictures\BackupBlock.tiff.xot5ik	emk21h33.exe
File opened for modification	C:\Users\Admin\Pictures\BackupBlock.tiff.xot5ik	emk21h33.exe
File renamed	C:\Users\Admin\Pictures\RestoreShow.tif => C:\Users\Admin\Pictures\RestoreShow.tif.xot5ik	emk21h33.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreShow.tif.xot5ik	emk21h33.exe
File renamed	C:\Users\Admin\Pictures\NewMove.tif => C:\Users\Admin\Pictures\NewMove.tif.xot5ik	emk21h33.exe
File opened for modification	C:\Users\Admin\Pictures\NewMove.tif.xot5ik	emk21h33.exe
File opened for modification	C:\Users\Admin\Pictures\ShowStart.tiff	emk21h33.exe
File renamed	C:\Users\Admin\Pictures\ShowStart.tiff => C:\Users\Admin\Pictures\ShowStart.tiff.xot5ik	emk21h33.exe
File opened for modification	C:\Users\Admin\Pictures\BackupBlock.tiff	emk21h33.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertToUpdate.tiff	emk21h33.exe
File renamed	C:\Users\Admin\Pictures\ConvertToUpdate.tiff => C:\Users\Admin\Pictures\ConvertToUpdate.tiff.xot5ik	emk21h33.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertToUpdate.tiff.xot5ik	emk21h33.exe
File opened for modification	C:\Users\Admin\Pictures\ShowStart.tiff.xot5ik	emk21h33.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

emk21h33.exe

description	ioc	process
File opened (read-only)	\??\G:	emk21h33.exe
File opened (read-only)	\??\H:	emk21h33.exe
File opened (read-only)	\??\Q:	emk21h33.exe
File opened (read-only)	\??\R:	emk21h33.exe
File opened (read-only)	\??\Y:	emk21h33.exe
File opened (read-only)	\??\A:	emk21h33.exe
File opened (read-only)	\??\S:	emk21h33.exe
File opened (read-only)	\??\F:	emk21h33.exe
File opened (read-only)	\??\K:	emk21h33.exe
File opened (read-only)	\??\V:	emk21h33.exe
File opened (read-only)	\??\N:	emk21h33.exe
File opened (read-only)	\??\W:	emk21h33.exe
File opened (read-only)	\??\E:	emk21h33.exe
File opened (read-only)	\??\Z:	emk21h33.exe
File opened (read-only)	\??\B:	emk21h33.exe
File opened (read-only)	\??\M:	emk21h33.exe
File opened (read-only)	\??\L:	emk21h33.exe
File opened (read-only)	\??\X:	emk21h33.exe
File opened (read-only)	\??\T:	emk21h33.exe
File opened (read-only)	\??\U:	emk21h33.exe
File opened (read-only)	\??\I:	emk21h33.exe
File opened (read-only)	\??\O:	emk21h33.exe
File opened (read-only)	\??\P:	emk21h33.exe
File opened (read-only)	\??\J:	emk21h33.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

emk21h33.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	emk21h33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!!!"	emk21h33.exe

Drops file in Windows directory 13 IoCs

Processes:

netsh.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\1974107395\1506172464.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1476457207\263943467.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2878165772\3312292840.pri	netsh.exe
File created	C:\Windows\rescache\_merged\81479705\2284120958.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4185669309\1880392806.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe
File created	C:\Windows\rescache\_merged\423379043\2764571712.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2483382631\1144272743.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\4223189797.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	netsh.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1724	taskkill.exe
3800	taskkill.exe
1912	taskkill.exe
2400	taskkill.exe
1200	taskkill.exe
2904	taskkill.exe
1100	taskkill.exe
2164	taskkill.exe
2816	taskkill.exe
3144	taskkill.exe
2504	taskkill.exe
900	taskkill.exe
3168	taskkill.exe
1168	taskkill.exe
2112	taskkill.exe
432	taskkill.exe
3592	taskkill.exe
2344	taskkill.exe
1288	taskkill.exe
1608	taskkill.exe
1860	taskkill.exe
1224	taskkill.exe
1232	taskkill.exe
600	taskkill.exe
3824	taskkill.exe
4008	taskkill.exe
1460	taskkill.exe
3616	taskkill.exe
508	taskkill.exe
3604	taskkill.exe
2368	taskkill.exe
3128	taskkill.exe
1116	taskkill.exe
4032	taskkill.exe
3488	taskkill.exe
756	taskkill.exe
3316	taskkill.exe
2136	taskkill.exe
3132	taskkill.exe
3932	taskkill.exe
2428	taskkill.exe
1616	taskkill.exe
3332	taskkill.exe
3912	taskkill.exe
3496	taskkill.exe
3780	taskkill.exe
1888	taskkill.exe
2020	taskkill.exe
1032	taskkill.exe
2092	taskkill.exe
1004	taskkill.exe
2432	taskkill.exe
2172	taskkill.exe
2316	taskkill.exe
1336	taskkill.exe
2928	taskkill.exe
2020	taskkill.exe
3104	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4020 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2400 PING.EXE

pid	process
4020	reg.exe

pid	process
2400	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

emk21h33.exe

pid	process
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe
2688	emk21h33.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

emk21h33.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2688	emk21h33.exe
Token: SeDebugPrivilege	2688	emk21h33.exe
Token: SeDebugPrivilege	3932	taskkill.exe
Token: SeDebugPrivilege	1224	taskkill.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	4008	taskkill.exe
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeDebugPrivilege	3780	taskkill.exe
Token: SeDebugPrivilege	3496	taskkill.exe
Token: SeDebugPrivilege	3168	taskkill.exe
Token: SeDebugPrivilege	3592	taskkill.exe
Token: SeDebugPrivilege	4032	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	1032	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	3144	taskkill.exe
Token: SeDebugPrivilege	508	taskkill.exe
Token: SeDebugPrivilege	1168	taskkill.exe
Token: SeDebugPrivilege	3488	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeDebugPrivilege	2344	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	2400	taskkill.exe
Token: SeDebugPrivilege	2816	taskkill.exe
Token: SeDebugPrivilege	3104	taskkill.exe
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeDebugPrivilege	3912	taskkill.exe
Token: SeDebugPrivilege	2432	taskkill.exe
Token: SeDebugPrivilege	3604	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	3128	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	1460	taskkill.exe
Token: SeDebugPrivilege	3316	taskkill.exe
Token: SeDebugPrivilege	1232	taskkill.exe
Token: SeDebugPrivilege	432	taskkill.exe
Token: SeDebugPrivilege	600	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeDebugPrivilege	2928	taskkill.exe
Token: SeDebugPrivilege	2136	taskkill.exe
Token: SeDebugPrivilege	3824	taskkill.exe
Token: SeDebugPrivilege	3332	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	3616	taskkill.exe
Token: SeDebugPrivilege	3132	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	1888	taskkill.exe
Token: SeDebugPrivilege	2288	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

emk21h33.exe

pid process

2688 emk21h33.exe
2688 emk21h33.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

emk21h33.exe

pid process

2688 emk21h33.exe
2688 emk21h33.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

emk21h33.exe

description	pid	process	target process
PID 2688 wrote to memory of 3932	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 3932	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 3932	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 896	2688	emk21h33.exe	reg.exe
PID 2688 wrote to memory of 896	2688	emk21h33.exe	reg.exe
PID 2688 wrote to memory of 896	2688	emk21h33.exe	reg.exe
PID 2688 wrote to memory of 4020	2688	emk21h33.exe	reg.exe
PID 2688 wrote to memory of 4020	2688	emk21h33.exe	reg.exe
PID 2688 wrote to memory of 4020	2688	emk21h33.exe	reg.exe
PID 2688 wrote to memory of 636	2688	emk21h33.exe	schtasks.exe
PID 2688 wrote to memory of 636	2688	emk21h33.exe	schtasks.exe
PID 2688 wrote to memory of 636	2688	emk21h33.exe	schtasks.exe
PID 2688 wrote to memory of 3920	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 3920	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 3920	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 3332	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 3332	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 3332	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 3712	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 3712	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 3712	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 2584	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 2584	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 2584	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 1708	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 1708	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 1708	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 668	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 668	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 668	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 400	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 400	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 400	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 1072	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 1072	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 1072	2688	emk21h33.exe	sc.exe
PID 2688 wrote to memory of 1224	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 1224	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 1224	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 1116	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 1116	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 1116	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 1004	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 1004	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 1004	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 4008	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 4008	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 4008	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 2020	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 2020	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 2020	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 1860	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 1860	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 1860	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 2164	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 2164	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 2164	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 3496	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 3496	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 3496	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 3780	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 3780	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 3780	2688	emk21h33.exe	taskkill.exe
PID 2688 wrote to memory of 3168	2688	emk21h33.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

emk21h33.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	emk21h33.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	emk21h33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!!!"	emk21h33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	emk21h33.exe

C:\Users\Admin\AppData\Local\Temp\emk21h33.exe
"C:\Users\Admin\AppData\Local\Temp\emk21h33.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2688
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3932
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:896
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:4020
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:636
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:3920
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:3332
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:3712
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:2584
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:668
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1708
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:400
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:1072
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3496
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3780
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3168
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3592
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4032
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3800
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:508
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1168
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:2504
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3104
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3912
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3604
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  PID:1200
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3316
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1232
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:432
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:600
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3824
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3332
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3616
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3132
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  - Drops file in Windows directory
  PID:1056
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:2720
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:1572
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:896
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:2920
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:3156
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:3916
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\Инструкция.txt
  2⤵
  PID:2012
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:1288
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:2400
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:4004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\emk21h33.exe
  2⤵
  PID:2920

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
1⤵
PID:3748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Инструкция.txt

MD5
91667ab8fa9afa94f95ce46b0b6f3068

SHA1
9e6e297d05373c201d603fa4dc3d05a65f97c4c4

SHA256
f124078f58dd9ccdaae3d6698b359a28f5499f76fe731f8c43f5c101bc99f2ca

SHA512
e786d0ce439d740a909918a8731bc69196a62611a765d7d6ede07b7a1ca0aed54fab58c66044f34ebee28e8e24bae2561512b675125234c2774db01ca5895e49

Download Submit
memory/400-133-0x0000000000000000-mapping.dmp

Download
memory/432-177-0x0000000000000000-mapping.dmp

Download
memory/508-152-0x0000000000000000-mapping.dmp

Download
memory/600-178-0x0000000000000000-mapping.dmp

Download
memory/636-124-0x0000000000000000-mapping.dmp

Download
memory/668-132-0x0000000000000000-mapping.dmp

Download
memory/756-157-0x0000000000000000-mapping.dmp

Download
memory/896-122-0x0000000000000000-mapping.dmp

Download
memory/900-172-0x0000000000000000-mapping.dmp

Download
memory/1004-137-0x0000000000000000-mapping.dmp

Download
memory/1032-149-0x0000000000000000-mapping.dmp

Download
memory/1072-134-0x0000000000000000-mapping.dmp

Download
memory/1116-136-0x0000000000000000-mapping.dmp

Download
memory/1168-153-0x0000000000000000-mapping.dmp

Download
memory/1200-170-0x0000000000000000-mapping.dmp

Download
memory/1224-135-0x0000000000000000-mapping.dmp

Download
memory/1232-176-0x0000000000000000-mapping.dmp

Download
memory/1288-155-0x0000000000000000-mapping.dmp

Download
memory/1336-164-0x0000000000000000-mapping.dmp

Download
memory/1460-174-0x0000000000000000-mapping.dmp

Download
memory/1608-180-0x0000000000000000-mapping.dmp

Download
memory/1616-179-0x0000000000000000-mapping.dmp

Download
memory/1708-131-0x0000000000000000-mapping.dmp

Download
memory/1724-147-0x0000000000000000-mapping.dmp

Download
memory/1860-140-0x0000000000000000-mapping.dmp

Download
memory/1912-156-0x0000000000000000-mapping.dmp

Download
memory/2020-139-0x0000000000000000-mapping.dmp

Download
memory/2092-181-0x0000000000000000-mapping.dmp

Download
memory/2112-160-0x0000000000000000-mapping.dmp

Download
memory/2136-183-0x0000000000000000-mapping.dmp

Download
memory/2164-141-0x0000000000000000-mapping.dmp

Download
memory/2172-168-0x0000000000000000-mapping.dmp

Download
memory/2288-200-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/2288-187-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/2288-191-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download
memory/2288-189-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/2288-190-0x0000000007140000-0x0000000007141000-memory.dmp

Filesize
4KB

Download
memory/2288-193-0x0000000007060000-0x0000000007061000-memory.dmp

Filesize
4KB

Download
memory/2288-211-0x00000000045B3000-0x00000000045B4000-memory.dmp

Filesize
4KB

Download
memory/2288-196-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/2288-197-0x00000000079D0000-0x00000000079D1000-memory.dmp

Filesize
4KB

Download
memory/2288-192-0x00000000045B2000-0x00000000045B3000-memory.dmp

Filesize
4KB

Download
memory/2288-198-0x0000000008340000-0x0000000008341000-memory.dmp

Filesize
4KB

Download
memory/2288-199-0x0000000008060000-0x0000000008061000-memory.dmp

Filesize
4KB

Download
memory/2288-188-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/2288-210-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/2288-212-0x00000000045B4000-0x00000000045B6000-memory.dmp

Filesize
8KB

Download
memory/2316-150-0x0000000000000000-mapping.dmp

Download
memory/2344-158-0x0000000000000000-mapping.dmp

Download
memory/2368-169-0x0000000000000000-mapping.dmp

Download
memory/2400-161-0x0000000000000000-mapping.dmp

Download
memory/2428-173-0x0000000000000000-mapping.dmp

Download
memory/2432-166-0x0000000000000000-mapping.dmp

Download
memory/2504-159-0x0000000000000000-mapping.dmp

Download
memory/2584-130-0x0000000000000000-mapping.dmp

Download
memory/2688-125-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/2688-120-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/2688-214-0x0000000006BB0000-0x0000000006BB1000-memory.dmp

Filesize
4KB

Download
memory/2688-126-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/2688-118-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2688-213-0x000000000A570000-0x000000000A571000-memory.dmp

Filesize
4KB

Download
memory/2816-162-0x0000000000000000-mapping.dmp

Download
memory/2904-182-0x0000000000000000-mapping.dmp

Download
memory/2928-184-0x0000000000000000-mapping.dmp

Download
memory/3104-163-0x0000000000000000-mapping.dmp

Download
memory/3128-171-0x0000000000000000-mapping.dmp

Download
memory/3144-151-0x0000000000000000-mapping.dmp

Download
memory/3168-144-0x0000000000000000-mapping.dmp

Download
memory/3316-175-0x0000000000000000-mapping.dmp

Download
memory/3332-128-0x0000000000000000-mapping.dmp

Download
memory/3332-186-0x0000000000000000-mapping.dmp

Download
memory/3488-154-0x0000000000000000-mapping.dmp

Download
memory/3496-142-0x0000000000000000-mapping.dmp

Download
memory/3592-145-0x0000000000000000-mapping.dmp

Download
memory/3604-167-0x0000000000000000-mapping.dmp

Download
memory/3712-129-0x0000000000000000-mapping.dmp

Download
memory/3780-143-0x0000000000000000-mapping.dmp

Download
memory/3800-148-0x0000000000000000-mapping.dmp

Download
memory/3824-185-0x0000000000000000-mapping.dmp

Download
memory/3912-165-0x0000000000000000-mapping.dmp

Download
memory/3920-127-0x0000000000000000-mapping.dmp

Download
memory/3932-121-0x0000000000000000-mapping.dmp

Download
memory/4008-138-0x0000000000000000-mapping.dmp

Download
memory/4020-123-0x0000000000000000-mapping.dmp

Download
memory/4032-146-0x0000000000000000-mapping.dmp

Download