999d43ee4c9a1ec38c0b00fc38abe0b29b13cc83983c6ee895cbb2768b29022d

Analysis

max time kernel
174s
max time network
178s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07-10-2023 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Size

3.9MB
MD5

2746cf67ced0c91f1cefd3d137bd6a5c
SHA1

c42e2e0080ec2f357c7306754ea82b976bdc220c
SHA256

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff
SHA512

2cad5e01ff55204ec0c30361a9db29a38ed4bc4eb20ae76c5984aa2cfac9d5fede4aee1981168be47b0f60e1c2f0e7f7b79adce62663f9ab3706ea3a05fb6238
SSDEEP

98304:s7ZyplW12iRY7CWkdntsrBRAxQyvIYA+7THD:duLaCv0BeOyvIYA+Hj

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\11D7E630 = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

2836 netsh.exe
2596 netsh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1948 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

services.exeservices.exe

pid process

1944 services.exe
1996 services.exe

pid	process
2836	netsh.exe
2596	netsh.exe

pid	process
1948	cmd.exe

pid	process
1944	services.exe
1996	services.exe

Loads dropped DLL 10 IoCs

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exeservices.exeservices.exe

pid	process
2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
1944	services.exe
1944	services.exe
1996	services.exe
1996	services.exe
1996	services.exe
1996	services.exe
1996	services.exe
1996	services.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\11D7E630 = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services and Controller app = "C:\\Users\\Admin\\AppData\\Local\\11D7E630\\services.exe"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services and Controller app = "C:\\Users\\Admin\\AppData\\Local\\11D7E630\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services and Controller app = "C:\\Users\\Admin\\AppData\\Local\\11D7E630\\services.exe"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services and Controller app = "C:\\Users\\Admin\\AppData\\Local\\11D7E630\\services.exe"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2424 schtasks.exe

pid	process
2424	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exeservices.exeservices.exe

pid	process
2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1996	services.exe
1996	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1996	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe
1944	services.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exeservices.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Token: SeDebugPrivilege	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Token: SeDebugPrivilege	1944	services.exe
Token: SeDebugPrivilege	1944	services.exe
Token: SeBackupPrivilege	1512	vssvc.exe
Token: SeRestorePrivilege	1512	vssvc.exe
Token: SeAuditPrivilege	1512	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

services.exe

pid process

1944 services.exe

pid	process
1944	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.execmd.exeservices.exe

description	pid	process	target process
PID 2248 wrote to memory of 2860	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2860	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2860	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2860	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2632	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2632	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2632	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2632	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2528	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2528	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2528	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2528	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2596	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2596	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2596	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2596	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 1724	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 1724	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 1724	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 1724	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2500	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2500	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2500	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2500	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2836	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2836	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2836	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2836	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2856	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2856	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2856	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2856	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 1096	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 1096	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 1096	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 1096	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2028	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2028	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2028	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2028	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2424	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2424	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2424	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 2424	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2248 wrote to memory of 1944	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	services.exe
PID 2248 wrote to memory of 1944	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	services.exe
PID 2248 wrote to memory of 1944	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	services.exe
PID 2248 wrote to memory of 1944	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	services.exe
PID 2248 wrote to memory of 1948	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	cmd.exe
PID 2248 wrote to memory of 1948	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	cmd.exe
PID 2248 wrote to memory of 1948	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	cmd.exe
PID 2248 wrote to memory of 1948	2248	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	cmd.exe
PID 1948 wrote to memory of 1340	1948	cmd.exe	choice.exe
PID 1948 wrote to memory of 1340	1948	cmd.exe	choice.exe
PID 1948 wrote to memory of 1340	1948	cmd.exe	choice.exe
PID 1948 wrote to memory of 1340	1948	cmd.exe	choice.exe
PID 1944 wrote to memory of 1996	1944	services.exe	services.exe
PID 1944 wrote to memory of 1996	1944	services.exe	services.exe
PID 1944 wrote to memory of 1996	1944	services.exe	services.exe
PID 1944 wrote to memory of 1996	1944	services.exe	services.exe
PID 1944 wrote to memory of 1924	1944	services.exe	cmd.exe
PID 1944 wrote to memory of 1924	1944	services.exe	cmd.exe
PID 1944 wrote to memory of 1924	1944	services.exe	cmd.exe
PID 1944 wrote to memory of 1924	1944	services.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
"C:\Users\Admin\AppData\Local\Temp\ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2248

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
2⤵
PID:2860

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
2⤵
PID:2632

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
2⤵
PID:2528

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
2⤵
PID:2596

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
2⤵
PID:1724

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
2⤵
PID:2500

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
2⤵
PID:2836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
2⤵
PID:2856

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
2⤵
PID:1096

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
2⤵
PID:2028

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "Services and Controller app" /sc MINUTE /mo 3 /tr "C:\Users\Admin\AppData\Local\11D7E630\services.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2424

C:\Users\Admin\AppData\Local\11D7E630\services.exe
"C:\Users\Admin\AppData\Local\11D7E630\services.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\11D7E630\tor\services.exe
"C:\Users\Admin\AppData\Local\11D7E630\tor\services.exe" -f "C:\Users\Admin\AppData\Local\11D7E630\tor\torrc"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1996

C:\Windows\SysWOW64\cmd.exe
"cmd" /c netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
3⤵
PID:1924

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
4⤵
- Modifies Windows Firewall
PID:2596

C:\Windows\SysWOW64\cmd.exe
"cmd" /c netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
3⤵
PID:2528

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
4⤵
- Modifies Windows Firewall
PID:2836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & del /Q /S "C:\Users\Admin\AppData\Local\Temp\ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:1340

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\11D7E630\services.exe
Filesize
3.9MB

MD5
2746cf67ced0c91f1cefd3d137bd6a5c

SHA1
c42e2e0080ec2f357c7306754ea82b976bdc220c

SHA256
ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff

SHA512
2cad5e01ff55204ec0c30361a9db29a38ed4bc4eb20ae76c5984aa2cfac9d5fede4aee1981168be47b0f60e1c2f0e7f7b79adce62663f9ab3706ea3a05fb6238

Download Submit
C:\Users\Admin\AppData\Local\11D7E630\services.exe
Filesize
3.9MB

MD5
2746cf67ced0c91f1cefd3d137bd6a5c

SHA1
c42e2e0080ec2f357c7306754ea82b976bdc220c

SHA256
ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff

SHA512
2cad5e01ff55204ec0c30361a9db29a38ed4bc4eb20ae76c5984aa2cfac9d5fede4aee1981168be47b0f60e1c2f0e7f7b79adce62663f9ab3706ea3a05fb6238

Download Submit
C:\Users\Admin\AppData\Local\11D7E630\services.exe
Filesize
3.9MB

MD5
2746cf67ced0c91f1cefd3d137bd6a5c

SHA1
c42e2e0080ec2f357c7306754ea82b976bdc220c

SHA256
ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff

SHA512
2cad5e01ff55204ec0c30361a9db29a38ed4bc4eb20ae76c5984aa2cfac9d5fede4aee1981168be47b0f60e1c2f0e7f7b79adce62663f9ab3706ea3a05fb6238

Download Submit
C:\Users\Admin\AppData\Local\11D7E630\tor\LIBEAY32.dll
Filesize
3.1MB

MD5
3c20802fa7f36c8839c4f942b8d86f0d

SHA1
ab351fb48b1e3bded12836d8ccdb661a426ce8d8

SHA256
8a85673f24ae7a5cfe6faa03f786268b730326d95a254e86a7e84d3bf4d902bf

SHA512
1cb9bc2749ac496f13e77e11a9c134a445b287d1ad6f42eec9662d7873f771bedf0b60ea7607b735a0a21046a43b71ce9d6433d9889e7449f413418bc6498661

Download Submit
C:\Users\Admin\AppData\Local\11D7E630\tor\SSLEAY32.dll
Filesize
696KB

MD5
8ed681b5e737350b48b151968ce186ce

SHA1
16916adbd765b95676f5fdd98f39d24a9015f424

SHA256
1bafbdf42dc31d3cc336bb39c47631dde9a5af5a6465cc45bb7ae2d0065526af

SHA512
2493b5277890e34a903ac5eac064cdb500c6acbdf467429984d79ddc2ffe3f9b7cfb9daa349931749ad5103b9d5ed2f16466108def7ab492adf11af02bf40580

Download Submit
C:\Users\Admin\AppData\Local\11D7E630\tor\libevent-2-0-5.dll
Filesize
700KB

MD5
ae522c45a309dfa8f51513724a0e92ae

SHA1
aa8091b4261b8a478d11e851679f42044146dee8

SHA256
1bfc7a5ec4deccad431e611cd91f561e6db1937a1261f1ba47f657b79ae062ab

SHA512
ae2fff4e287bca9ca42fe05807fccc2c3e357fc9420c4a5f380ccc9ba249ffdeea13a75373882d8ee393723242942c1cac814b92523bf995a7cc56b1bda861c2

Download Submit
C:\Users\Admin\AppData\Local\11D7E630\tor\libgcc_s_sjlj-1.dll
Filesize
510KB

MD5
1c67fdd5b95084be91bf6f17229c01aa

SHA1
966810b47480695146cb1095227538dc3c2b16b8

SHA256
cc7293ab50e2b1d267d0dff676bbf8e54395ec199c76b03d6d14624cfb33004f

SHA512
5806868778953222dbacd22800155d64619ed8ff0cf6eb24113e3d56eb658a2b5245ade71f53103b65ea1eca24fb3a84814c658967fac34b414ceb77577c2f71

Download Submit
C:\Users\Admin\AppData\Local\11D7E630\tor\libssp-0.dll
Filesize
90KB

MD5
762dd637e8cc3f5a36306ed48e88088a

SHA1
feb85588dbafac9b455bab51ff319fc47e1543f9

SHA256
8e09c794b8611e07a9a61b7d72d20947c42623e20838b02dce6edd8a0df85481

SHA512
5abe8c729889bab9c9c925d7e7e1989ea72d461bdf6eae31d60b195c346c54a84339787c67be1e9411873db10cd7cee5a2382a1406842a72069a6e8fe81656d4

Download Submit
C:\Users\Admin\AppData\Local\11D7E630\tor\services.exe
Filesize
3.5MB

MD5
833cb6a4a90e7b3a1caaedfa6d26a04f

SHA1
41dc9078c6cf2c5e49f507f64876b414d7318348

SHA256
fae586e75bf3c71b70a5770550823765e0a595ab64ce572743a2e3e00031c891

SHA512
60c139af6ffa46c7aef082d307639838c7baa4dbbd6bdf49635563e4867ccc0175e118b0bde783785063832755ccbbb01a433000fac1af70fd754befcf179eeb

Download Submit
C:\Users\Admin\AppData\Local\11D7E630\tor\services.exe
Filesize
3.5MB

MD5
833cb6a4a90e7b3a1caaedfa6d26a04f

SHA1
41dc9078c6cf2c5e49f507f64876b414d7318348

SHA256
fae586e75bf3c71b70a5770550823765e0a595ab64ce572743a2e3e00031c891

SHA512
60c139af6ffa46c7aef082d307639838c7baa4dbbd6bdf49635563e4867ccc0175e118b0bde783785063832755ccbbb01a433000fac1af70fd754befcf179eeb

Download Submit
C:\Users\Admin\AppData\Local\11D7E630\tor\torrc
Filesize
97B

MD5
9517feb026f109b6c8f4c50e7eb5db54

SHA1
4faf2880c781715a38031d82ac6bc5ddb0851108

SHA256
fe2b0871dd60ddabc3384bd1d8eac47f6887831d88aa290dadf020730b37a2f2

SHA512
dba30df7a3dfa4062115b2d78cf509b0b0b612f617a9b3bd95126569fe092737a550992dcf611a594a918ac29c0e9ea3c6e1920c1947da11e30d2ef44ac7df83

Download Submit
C:\Users\Admin\AppData\Local\11D7E630\tor\zlib1.dll
Filesize
105KB

MD5
76615cf23161037c359407127b3ea95f

SHA1
feb5945d87db52423bfa413fe2696c076c544ef0

SHA256
daf91e9b6190b88c39fbc92d46cac32d05eba28d0a5d1fd38f2c66f1fce96be9

SHA512
6586ceca60d661dbc4e983e6271a3d06ab9ad55a9fb24b234f1ebab22af5678f583b3b7b5d42e2808bdcfa341c472e71783e04e5ea3da26bb1738c2153e64469

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
9.3MB

MD5
59cb912b91932788528773f040d96332

SHA1
50228105513e7f6fbc9b26c1830e0f8c4e9f0f0b

SHA256
c7a76071db21f050ec7b497123b93651504c81483d9e925922c359cb9d62a698

SHA512
53e5f2bbe417313b8b14b309a72c2f6309ae40ddc9b1a5d0482c22972b72263e7a331fdebaeb4f8f35f9abab62e6e67a1e25022e198de01112320faa5de81f8a

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\11D7E630\services.exe
Filesize
3.9MB

MD5
2746cf67ced0c91f1cefd3d137bd6a5c

SHA1
c42e2e0080ec2f357c7306754ea82b976bdc220c

SHA256
ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff

SHA512
2cad5e01ff55204ec0c30361a9db29a38ed4bc4eb20ae76c5984aa2cfac9d5fede4aee1981168be47b0f60e1c2f0e7f7b79adce62663f9ab3706ea3a05fb6238

Download Submit
\Users\Admin\AppData\Local\11D7E630\services.exe
Filesize
3.9MB

MD5
2746cf67ced0c91f1cefd3d137bd6a5c

SHA1
c42e2e0080ec2f357c7306754ea82b976bdc220c

SHA256
ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff

SHA512
2cad5e01ff55204ec0c30361a9db29a38ed4bc4eb20ae76c5984aa2cfac9d5fede4aee1981168be47b0f60e1c2f0e7f7b79adce62663f9ab3706ea3a05fb6238

Download Submit
\Users\Admin\AppData\Local\11D7E630\tor\libeay32.dll
Filesize
3.1MB

MD5
3c20802fa7f36c8839c4f942b8d86f0d

SHA1
ab351fb48b1e3bded12836d8ccdb661a426ce8d8

SHA256
8a85673f24ae7a5cfe6faa03f786268b730326d95a254e86a7e84d3bf4d902bf

SHA512
1cb9bc2749ac496f13e77e11a9c134a445b287d1ad6f42eec9662d7873f771bedf0b60ea7607b735a0a21046a43b71ce9d6433d9889e7449f413418bc6498661

Download Submit
\Users\Admin\AppData\Local\11D7E630\tor\libevent-2-0-5.dll
Filesize
700KB

MD5
ae522c45a309dfa8f51513724a0e92ae

SHA1
aa8091b4261b8a478d11e851679f42044146dee8

SHA256
1bfc7a5ec4deccad431e611cd91f561e6db1937a1261f1ba47f657b79ae062ab

SHA512
ae2fff4e287bca9ca42fe05807fccc2c3e357fc9420c4a5f380ccc9ba249ffdeea13a75373882d8ee393723242942c1cac814b92523bf995a7cc56b1bda861c2

Download Submit
\Users\Admin\AppData\Local\11D7E630\tor\libgcc_s_sjlj-1.dll
Filesize
510KB

MD5
1c67fdd5b95084be91bf6f17229c01aa

SHA1
966810b47480695146cb1095227538dc3c2b16b8

SHA256
cc7293ab50e2b1d267d0dff676bbf8e54395ec199c76b03d6d14624cfb33004f

SHA512
5806868778953222dbacd22800155d64619ed8ff0cf6eb24113e3d56eb658a2b5245ade71f53103b65ea1eca24fb3a84814c658967fac34b414ceb77577c2f71

Download Submit
\Users\Admin\AppData\Local\11D7E630\tor\libssp-0.dll
Filesize
90KB

MD5
762dd637e8cc3f5a36306ed48e88088a

SHA1
feb85588dbafac9b455bab51ff319fc47e1543f9

SHA256
8e09c794b8611e07a9a61b7d72d20947c42623e20838b02dce6edd8a0df85481

SHA512
5abe8c729889bab9c9c925d7e7e1989ea72d461bdf6eae31d60b195c346c54a84339787c67be1e9411873db10cd7cee5a2382a1406842a72069a6e8fe81656d4

Download Submit
\Users\Admin\AppData\Local\11D7E630\tor\services.exe
Filesize
3.5MB

MD5
833cb6a4a90e7b3a1caaedfa6d26a04f

SHA1
41dc9078c6cf2c5e49f507f64876b414d7318348

SHA256
fae586e75bf3c71b70a5770550823765e0a595ab64ce572743a2e3e00031c891

SHA512
60c139af6ffa46c7aef082d307639838c7baa4dbbd6bdf49635563e4867ccc0175e118b0bde783785063832755ccbbb01a433000fac1af70fd754befcf179eeb

Download Submit
\Users\Admin\AppData\Local\11D7E630\tor\services.exe
Filesize
3.5MB

MD5
833cb6a4a90e7b3a1caaedfa6d26a04f

SHA1
41dc9078c6cf2c5e49f507f64876b414d7318348

SHA256
fae586e75bf3c71b70a5770550823765e0a595ab64ce572743a2e3e00031c891

SHA512
60c139af6ffa46c7aef082d307639838c7baa4dbbd6bdf49635563e4867ccc0175e118b0bde783785063832755ccbbb01a433000fac1af70fd754befcf179eeb

Download Submit
\Users\Admin\AppData\Local\11D7E630\tor\ssleay32.dll
Filesize
696KB

MD5
8ed681b5e737350b48b151968ce186ce

SHA1
16916adbd765b95676f5fdd98f39d24a9015f424

SHA256
1bafbdf42dc31d3cc336bb39c47631dde9a5af5a6465cc45bb7ae2d0065526af

SHA512
2493b5277890e34a903ac5eac064cdb500c6acbdf467429984d79ddc2ffe3f9b7cfb9daa349931749ad5103b9d5ed2f16466108def7ab492adf11af02bf40580

Download Submit
\Users\Admin\AppData\Local\11D7E630\tor\zlib1.dll
Filesize
105KB

MD5
76615cf23161037c359407127b3ea95f

SHA1
feb5945d87db52423bfa413fe2696c076c544ef0

SHA256
daf91e9b6190b88c39fbc92d46cac32d05eba28d0a5d1fd38f2c66f1fce96be9

SHA512
6586ceca60d661dbc4e983e6271a3d06ab9ad55a9fb24b234f1ebab22af5678f583b3b7b5d42e2808bdcfa341c472e71783e04e5ea3da26bb1738c2153e64469

Download Submit
memory/1944-24-0x0000000000A50000-0x0000000000A5E000-memory.dmp

Filesize
56KB

Download
memory/1944-23-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/1944-22-0x0000000009F90000-0x000000000A8B0000-memory.dmp

Filesize
9.1MB

Download
memory/1944-21-0x0000000005050000-0x0000000005090000-memory.dmp

Filesize
256KB

Download
memory/1944-20-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/1944-18-0x0000000005050000-0x0000000005090000-memory.dmp

Filesize
256KB

Download
memory/1944-15-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/1944-16-0x0000000000AB0000-0x0000000000E90000-memory.dmp

Filesize
3.9MB

Download
memory/1996-55-0x000000006ECD0000-0x000000006ED52000-memory.dmp

Filesize
520KB

Download
memory/1996-72-0x000000006EDC0000-0x000000006EDDC000-memory.dmp

Filesize
112KB

Download
memory/1996-57-0x000000006E9A0000-0x000000006EA22000-memory.dmp

Filesize
520KB

Download
memory/1996-54-0x000000006ED60000-0x000000006ED82000-memory.dmp

Filesize
136KB

Download
memory/1996-58-0x000000006ED60000-0x000000006ED82000-memory.dmp

Filesize
136KB

Download
memory/1996-156-0x0000000000BB0000-0x0000000000F42000-memory.dmp

Filesize
3.6MB

Download
memory/1996-154-0x000000006EA30000-0x000000006EC4E000-memory.dmp

Filesize
2.1MB

Download
memory/1996-149-0x0000000000BB0000-0x0000000000F42000-memory.dmp

Filesize
3.6MB

Download
memory/1996-147-0x000000006EA30000-0x000000006EC4E000-memory.dmp

Filesize
2.1MB

Download
memory/1996-62-0x000000006E9A0000-0x000000006EA22000-memory.dmp

Filesize
520KB

Download
memory/1996-63-0x0000000000BB0000-0x0000000000F42000-memory.dmp

Filesize
3.6MB

Download
memory/1996-61-0x0000000000BB0000-0x0000000000F42000-memory.dmp

Filesize
3.6MB

Download
memory/1996-60-0x000000006EA30000-0x000000006EC4E000-memory.dmp

Filesize
2.1MB

Download
memory/1996-59-0x000000006ECD0000-0x000000006ED52000-memory.dmp

Filesize
520KB

Download
memory/1996-142-0x0000000000BB0000-0x0000000000F42000-memory.dmp

Filesize
3.6MB

Download
memory/1996-67-0x000000006ECD0000-0x000000006ED52000-memory.dmp

Filesize
520KB

Download
memory/1996-68-0x000000006EA30000-0x000000006EC4E000-memory.dmp

Filesize
2.1MB

Download
memory/1996-69-0x000000006E9A0000-0x000000006EA22000-memory.dmp

Filesize
520KB

Download
memory/1996-70-0x0000000000BB0000-0x0000000000F42000-memory.dmp

Filesize
3.6MB

Download
memory/1996-56-0x000000006EA30000-0x000000006EC4E000-memory.dmp

Filesize
2.1MB

Download
memory/1996-74-0x000000006EC50000-0x000000006ECC6000-memory.dmp

Filesize
472KB

Download
memory/1996-77-0x0000000000BB0000-0x0000000000F42000-memory.dmp

Filesize
3.6MB

Download
memory/1996-138-0x000000006EA30000-0x000000006EC4E000-memory.dmp

Filesize
2.1MB

Download
memory/1996-102-0x0000000000BB0000-0x0000000000F42000-memory.dmp

Filesize
3.6MB

Download
memory/1996-107-0x000000006EA30000-0x000000006EC4E000-memory.dmp

Filesize
2.1MB

Download
memory/1996-109-0x0000000000BB0000-0x0000000000F42000-memory.dmp

Filesize
3.6MB

Download
memory/1996-114-0x000000006EA30000-0x000000006EC4E000-memory.dmp

Filesize
2.1MB

Download
memory/1996-116-0x0000000000BB0000-0x0000000000F42000-memory.dmp

Filesize
3.6MB

Download
memory/1996-121-0x000000006EA30000-0x000000006EC4E000-memory.dmp

Filesize
2.1MB

Download
memory/1996-126-0x0000000000BB0000-0x0000000000F42000-memory.dmp

Filesize
3.6MB

Download
memory/1996-131-0x000000006EA30000-0x000000006EC4E000-memory.dmp

Filesize
2.1MB

Download
memory/1996-133-0x0000000000BB0000-0x0000000000F42000-memory.dmp

Filesize
3.6MB

Download
memory/2248-1-0x0000000000990000-0x0000000000D70000-memory.dmp

Filesize
3.9MB

Download
memory/2248-0-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/2248-2-0x0000000004550000-0x0000000004590000-memory.dmp

Filesize
256KB

Download
memory/2248-3-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/2248-4-0x0000000004550000-0x0000000004590000-memory.dmp

Filesize
256KB

Download
memory/2248-17-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download