hakbit | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

26/02/2025, 05:50

250226-gjv2nssrx3 10

26/02/2025, 02:02

25/02/2025, 23:31

25/02/2025, 23:21

25/02/2025, 23:08

25/02/2025, 22:22

Analysis

max time kernel
64s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
25/02/2025, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP

1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score

10^/10

hakbit credential_access defense_evasion discovery execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: YNSIaX9QHimBU4fkArMwCljDK1a5etdDpC7YISyYN61V9/y/CEO7mYqlheQSQ0D9O/ozpzFJcrJ1Y258++rwAGao88fEuH3dmVv2J/X66eVYCWNjuc/q7hvmoN9LNeZTf1MVxtk/a9sZ8xlXQdKynrO8+hlfkSSlppWdFwJynuqMspDl1mR8rSfXJxpVbO6TeF0XNBmld/8AZ/fKFlJ114hnKUjB4zBtqYF01JBJ61Lo9tEKmom8HqTTQ8N06Jl098GCpI7QEReimaDp1wtlJpddE4J7M3/z0/pX6sdKOS9ynur0in5oKafrUYGmh8wjFHobAeiSMcl7FxoW8wFeArPL5jz4F2Kx2chrCcMt9IV+W+5LMnuq7fbA2LoVLOAf2yRUH84x46EUruAVNoZ2IGjjRN4lySIldFI6nZHoPTrVcZt4CThz5PXXmEsmxgC6GYhTwqVkS+4sDI5Bu7TIMJzGkCHXIUUCquW4eayys4e8x0Tr4G/jOr8ZvTU0eq5ZtYQOuzPYm/fL9ISY7oxncX0qw1tOgbd7zmds/v+m6ou6L7ENv9/zYHGLksCFWkXf1PiKmMnsBxRsYNKGSZ1/TTa4M80niKuLbRtGObzGt3JzC6E5Go3Efy9hxUIzjhwskO1ymtGdBoUEwUUUSO8Qi5A7Wc+jQYnifZQNMH6Ww0g= Number of files that were processed is: 424

Emails

[email protected]

Signatures

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Hakbit family
hakbit
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3204	sc.exe
2368	sc.exe
2836	sc.exe
3200	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6756	PING.EXE
6252	cmd.exe

Kills process with taskkill 47 IoCs

defense_evasion

pid	Process
2924	taskkill.exe
5516	taskkill.exe
1540	taskkill.exe
5856	taskkill.exe
2212	taskkill.exe
948	taskkill.exe
3808	taskkill.exe
3104	taskkill.exe
1584	taskkill.exe
816	taskkill.exe
1472	taskkill.exe
3328	taskkill.exe
3964	taskkill.exe
2452	taskkill.exe
2240	taskkill.exe
2148	taskkill.exe
1864	taskkill.exe
3620	taskkill.exe
2152	taskkill.exe
3164	taskkill.exe
3132	taskkill.exe
444	taskkill.exe
5356	taskkill.exe
5908	taskkill.exe
132	taskkill.exe
872	taskkill.exe
5320	taskkill.exe
4060	taskkill.exe
696	taskkill.exe
2728	taskkill.exe
1332	taskkill.exe
1904	taskkill.exe
5344	taskkill.exe
3080	taskkill.exe
5788	taskkill.exe
776	taskkill.exe
724	taskkill.exe
3644	taskkill.exe
5352	taskkill.exe
1208	taskkill.exe
1504	taskkill.exe
3828	taskkill.exe
1520	taskkill.exe
1552	taskkill.exe
5548	taskkill.exe
3468	taskkill.exe
3392	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
6280	notepad.exe
3324	NOTEPAD.EXE
4544	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6756	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	696	taskkill.exe
Token: SeDebugPrivilege	5320	taskkill.exe
Token: SeDebugPrivilege	872	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	3468	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeDebugPrivilege	948	taskkill.exe
Token: SeDebugPrivilege	2148	taskkill.exe
Token: SeDebugPrivilege	724	taskkill.exe
Token: SeDebugPrivilege	3080	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	1864	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	5548	taskkill.exe
Token: SeDebugPrivilege	5908	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	3620	taskkill.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeDebugPrivilege	3392	taskkill.exe
Token: SeDebugPrivilege	3644	taskkill.exe
Token: SeDebugPrivilege	3808	taskkill.exe
Token: SeDebugPrivilege	2212	taskkill.exe
Token: SeDebugPrivilege	5856	taskkill.exe
Token: SeDebugPrivilege	132	taskkill.exe
Token: SeDebugPrivilege	5356	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	2240	taskkill.exe
Token: SeDebugPrivilege	5516	taskkill.exe
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeDebugPrivilege	3828	taskkill.exe
Token: SeDebugPrivilege	5352	taskkill.exe
Token: SeDebugPrivilege	3132	taskkill.exe
Token: SeDebugPrivilege	3328	taskkill.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	2452	taskkill.exe
Token: SeDebugPrivilege	3164	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	5344	taskkill.exe
Token: SeDebugPrivilege	776	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	444	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	5788	taskkill.exe
Token: SeDebugPrivilege	1204	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1488	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 3204	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 1776 wrote to memory of 3204	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 1776 wrote to memory of 3200	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 1776 wrote to memory of 3200	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 1776 wrote to memory of 2836	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 1776 wrote to memory of 2836	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 1776 wrote to memory of 2368	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 1776 wrote to memory of 2368	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 1776 wrote to memory of 2148	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 1776 wrote to memory of 2148	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 1776 wrote to memory of 816	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 1776 wrote to memory of 816	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 1776 wrote to memory of 696	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 1776 wrote to memory of 696	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 1776 wrote to memory of 1552	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 1776 wrote to memory of 1552	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 1776 wrote to memory of 1520	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 1776 wrote to memory of 1520	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 1776 wrote to memory of 1584	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 1776 wrote to memory of 1584	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 1776 wrote to memory of 2924	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 1776 wrote to memory of 2924	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 1776 wrote to memory of 1864	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 1776 wrote to memory of 1864	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 1776 wrote to memory of 5356	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 1776 wrote to memory of 5356	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 1776 wrote to memory of 444	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 1776 wrote to memory of 444	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 1776 wrote to memory of 132	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 1776 wrote to memory of 132	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 1776 wrote to memory of 948	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107
PID 1776 wrote to memory of 948	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107
PID 1776 wrote to memory of 1332	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 1776 wrote to memory of 1332	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 1776 wrote to memory of 5908	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	109
PID 1776 wrote to memory of 5908	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	109
PID 1776 wrote to memory of 2728	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110
PID 1776 wrote to memory of 2728	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110
PID 1776 wrote to memory of 1780	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	111
PID 1776 wrote to memory of 1780	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	111
PID 1776 wrote to memory of 2240	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	121
PID 1776 wrote to memory of 2240	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	121
PID 1776 wrote to memory of 3828	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	122
PID 1776 wrote to memory of 3828	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	122
PID 1776 wrote to memory of 3132	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	123
PID 1776 wrote to memory of 3132	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	123
PID 1776 wrote to memory of 3644	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	124
PID 1776 wrote to memory of 3644	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	124
PID 1776 wrote to memory of 3164	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	125
PID 1776 wrote to memory of 3164	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	125
PID 1776 wrote to memory of 3104	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	126
PID 1776 wrote to memory of 3104	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	126
PID 1776 wrote to memory of 724	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	127
PID 1776 wrote to memory of 724	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	127
PID 1776 wrote to memory of 2212	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	128
PID 1776 wrote to memory of 2212	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	128
PID 1776 wrote to memory of 2452	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	129
PID 1776 wrote to memory of 2452	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	129
PID 1776 wrote to memory of 3964	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	130
PID 1776 wrote to memory of 3964	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	130
PID 1776 wrote to memory of 4060	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	131
PID 1776 wrote to memory of 4060	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	131
PID 1776 wrote to memory of 1504	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	132
PID 1776 wrote to memory of 1504	1776	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	132

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:3204
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:3200
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:2836
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2368
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:696
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5356
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:444
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:132
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1332
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5908
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:1780
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3828
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3132
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:3104
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:724
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3392
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3468
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3080
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5548
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5856
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5320
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5344
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5516
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5788
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5352
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1904
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1204
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:6280
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6252
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:6756
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:5380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  2⤵
  PID:6404
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:6788

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\HOW_TO_DECYPHER_FILES.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3324

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
7645be052b5b87346218e07a37c02ab5

SHA1
c571c8e4846811de1e2dae8b1cf4cd09f231ff3b

SHA256
a433d69652b3de7460c9f10b85e233b438b2734867717a12d1d8af010e136e82

SHA512
73783cd600f44c0255f6807829807072237f680bc17698aa3d7552beb3ddd065acf04c1e3b2adfe08c29c26850ea0187de6bc7782cb34bc30a4f2df1bc588ded

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
48f07e17197825f0f1df113e540ad205

SHA1
042626078fee92647040f6413e3f02563d470716

SHA256
2d58e518c936c86b05297fbe8e1fe62b0016ceebd54426ccf14000204953f475

SHA512
0fc9ce27bd39c6458a7a23d4195cb7ed9e31de16332d53f0427563b4b0c2e45111f59b108ffdc168cf157c4aa46b654b032e3c039f667889fa87376801de82e9

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

Filesize
728KB

MD5
bfe8226deee8d5d94e145581579b75b0

SHA1
26634d6ae1207b903e91b859f2298d5233266fca

SHA256
0c45f1a1e622f7e3953cd19b720e95aad5c09b02a3f667c8fcb10c7cab02de4a

SHA512
edffa98423186fbd67fd8e2e5a24db01b1ab7e43be253d0257b5238244def6df2e228420372b7b32c74cd7964baebefaafe819865285df4b8a72dc7eb7c89efb

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
a8e2289729f54bb6eeb07850ff2545d2

SHA1
9c62a911dbda8c832fa6053930d97571bc902862

SHA256
4d9108f52a3c96d467382d5d864b7974ab2ad14d941b34ee772f36157c6973b0

SHA512
378ea1c94a373e3ef6bc294a01f7ef1c54555172e983c8d6f051efb988f9a859dab16828f87a8073a6892bf4299328dfeebd0942eec5f1c485f6bc0eb3b80440

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

Filesize
180KB

MD5
fa56e623fe53f33032c899a0622a9a7c

SHA1
b41782c5e5bcd745024e4d1d6fb1f4f325987c4a

SHA256
02de4abf6931c1384cd60f745b1c438089bb017b353511b0fabec07a3ff44c96

SHA512
f395eda2f869e92d6cf4d21567c2a0d1e144ce300c5b414f1a4e1b4506d672e210bd6805ba2d15f9d931300695d92ad7852be89082beee8319c973cbc4d8647e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iatqkul2.sd4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
828B

MD5
ce43195f3affc77b344c00bdcc9c8df8

SHA1
2f8f6c9165a8c5a86df9b1afd3ff604b1ec5ae36

SHA256
4306ee3da35fda528d147568ee0fd52ab8be0c63eae2eedaa0874e57ab734d14

SHA512
a20453990c117d2b2e8312735aaea06c3992622bea1922931ff7deaf1024728314d662efd658a66a48743e763720d5666a359fc903d81d9984892310b0edff24

Download Submit
memory/1204-91-0x00000182F5A30000-0x00000182F5B7F000-memory.dmp

Filesize
1.3MB

Download
memory/1204-28-0x00000182F54D0000-0x00000182F54F2000-memory.dmp

Filesize
136KB

Download
memory/1776-2-0x00007FFE12B40000-0x00007FFE13602000-memory.dmp

Filesize
10.8MB

Download
memory/1776-1-0x00000000001A0000-0x00000000001BA000-memory.dmp

Filesize
104KB

Download
memory/1776-0-0x00007FFE12B43000-0x00007FFE12B45000-memory.dmp

Filesize
8KB

Download
memory/1776-406-0x00007FFE12B43000-0x00007FFE12B45000-memory.dmp

Filesize
8KB

Download
memory/1776-437-0x00007FFE12B40000-0x00007FFE13602000-memory.dmp

Filesize
10.8MB

Download
memory/1776-564-0x00007FFE12B40000-0x00007FFE13602000-memory.dmp

Filesize
10.8MB

Download