blacknet | b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae

Analysis

max time kernel
67s
max time network
122s
platform
windows10_x64
resource
win10v20210410
submitted
01-08-2021 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
Size

117KB
MD5

b72d429d1d690165c7b0de4a074c4a58
SHA1

f0704d227482a80f2f90dab79ed4acd9770fe565
SHA256

b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae
SHA512

f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c

Score

10^/10

blacknet bot persistence trojan

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Bot

http://furyx.de/panel

Mutex

BN[c1916af6f3a468e5b6f5c7f6b9c78982]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
false
usb_spread
true

aes.plain

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET Payload 2 IoCs

Processes:

resource	yara_rule
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def

Executes dropped EXE 1 IoCs

Processes:

WindowsUpdate.exe

pid process

5788 WindowsUpdate.exe

pid	process
5788	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Windows\\Microsoft\\MyClient\\WindowsUpdate.exe"	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe

Drops file in Windows directory 3 IoCs

Processes:

b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exeWindowsUpdate.exe

description	ioc	process
File created	C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
File opened for modification	C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
File created	C:\Windows\Microsoft\MyClient\svchosts.exe	WindowsUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3828 5788 WerFault.exe WindowsUpdate.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5816 schtasks.exe
4868 schtasks.exe

pid	pid_target	process	target process
3828	5788	WerFault.exe	WindowsUpdate.exe

pid	process
5816	schtasks.exe
4868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
2852	powershell.exe
2852	powershell.exe
2852	powershell.exe
3224	powershell.exe
3224	powershell.exe
3972	powershell.exe
3972	powershell.exe
3868	powershell.exe
3868	powershell.exe
3224	powershell.exe
3152	powershell.exe
3152	powershell.exe
4128	powershell.exe
4128	powershell.exe
4164	powershell.exe
4164	powershell.exe
4240	powershell.exe
4240	powershell.exe
4308	powershell.exe
4308	powershell.exe
4436	powershell.exe
4436	powershell.exe
4380	powershell.exe
4380	powershell.exe
4556	powershell.exe
4556	powershell.exe
4656	powershell.exe
4656	powershell.exe
3224	powershell.exe
3972	powershell.exe
3868	powershell.exe
3152	powershell.exe
4164	powershell.exe
4128	powershell.exe
4240	powershell.exe
4308	powershell.exe
4436	powershell.exe
4380	powershell.exe
4556	powershell.exe
4656	powershell.exe
3972	powershell.exe
3972	powershell.exe
3868	powershell.exe
3868	powershell.exe
3152	powershell.exe
3152	powershell.exe
4164	powershell.exe
4128	powershell.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeIncreaseQuotaPrivilege	2852	powershell.exe
Token: SeSecurityPrivilege	2852	powershell.exe
Token: SeTakeOwnershipPrivilege	2852	powershell.exe
Token: SeLoadDriverPrivilege	2852	powershell.exe
Token: SeSystemProfilePrivilege	2852	powershell.exe
Token: SeSystemtimePrivilege	2852	powershell.exe
Token: SeProfSingleProcessPrivilege	2852	powershell.exe
Token: SeIncBasePriorityPrivilege	2852	powershell.exe
Token: SeCreatePagefilePrivilege	2852	powershell.exe
Token: SeBackupPrivilege	2852	powershell.exe
Token: SeRestorePrivilege	2852	powershell.exe
Token: SeShutdownPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeSystemEnvironmentPrivilege	2852	powershell.exe
Token: SeRemoteShutdownPrivilege	2852	powershell.exe
Token: SeUndockPrivilege	2852	powershell.exe
Token: SeManageVolumePrivilege	2852	powershell.exe
Token: 33	2852	powershell.exe
Token: 34	2852	powershell.exe
Token: 35	2852	powershell.exe
Token: 36	2852	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	4240	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	5788	WindowsUpdate.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeIncreaseQuotaPrivilege	3224	powershell.exe
Token: SeSecurityPrivilege	3224	powershell.exe
Token: SeTakeOwnershipPrivilege	3224	powershell.exe
Token: SeLoadDriverPrivilege	3224	powershell.exe
Token: SeSystemProfilePrivilege	3224	powershell.exe
Token: SeSystemtimePrivilege	3224	powershell.exe
Token: SeProfSingleProcessPrivilege	3224	powershell.exe
Token: SeIncBasePriorityPrivilege	3224	powershell.exe
Token: SeCreatePagefilePrivilege	3224	powershell.exe
Token: SeBackupPrivilege	3224	powershell.exe
Token: SeRestorePrivilege	3224	powershell.exe
Token: SeShutdownPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeSystemEnvironmentPrivilege	3224	powershell.exe
Token: SeRemoteShutdownPrivilege	3224	powershell.exe
Token: SeUndockPrivilege	3224	powershell.exe
Token: SeManageVolumePrivilege	3224	powershell.exe
Token: 33	3224	powershell.exe
Token: 34	3224	powershell.exe
Token: 35	3224	powershell.exe
Token: 36	3224	powershell.exe
Token: SeIncreaseQuotaPrivilege	3972	powershell.exe
Token: SeSecurityPrivilege	3972	powershell.exe
Token: SeTakeOwnershipPrivilege	3972	powershell.exe
Token: SeLoadDriverPrivilege	3972	powershell.exe
Token: SeSystemProfilePrivilege	3972	powershell.exe
Token: SeSystemtimePrivilege	3972	powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exeWindowsUpdate.exe

pid	process
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
5788	WindowsUpdate.exe
5788	WindowsUpdate.exe
5788	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exeWindowsUpdate.exe

description	pid	process	target process
PID 3172 wrote to memory of 2852	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 2852	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 3224	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 3224	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 3972	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 3972	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 3868	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 3868	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 3152	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 3152	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 4128	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 4128	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 4164	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 4164	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 4240	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 4240	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 4308	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 4308	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 4380	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 4380	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 4436	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 4436	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 4556	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 4556	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 4656	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 4656	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	powershell.exe
PID 3172 wrote to memory of 4800	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	schtasks.exe
PID 3172 wrote to memory of 4800	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	schtasks.exe
PID 3172 wrote to memory of 5788	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	WindowsUpdate.exe
PID 3172 wrote to memory of 5788	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	WindowsUpdate.exe
PID 3172 wrote to memory of 5816	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	schtasks.exe
PID 3172 wrote to memory of 5816	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	schtasks.exe
PID 5788 wrote to memory of 4668	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 4668	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 2548	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 2548	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 5212	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 5212	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 5320	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 5320	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 5148	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 5148	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 5132	5788	WindowsUpdate.exe	schtasks.exe
PID 5788 wrote to memory of 5132	5788	WindowsUpdate.exe	schtasks.exe
PID 5788 wrote to memory of 5504	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 5504	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 5684	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 5684	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 5828	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 5828	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 5948	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 5948	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 4664	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 4664	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 5612	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 5612	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 4532	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 4532	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 6060	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 6060	5788	WindowsUpdate.exe	powershell.exe
PID 5788 wrote to memory of 4868	5788	WindowsUpdate.exe	schtasks.exe
PID 5788 wrote to memory of 4868	5788	WindowsUpdate.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
"C:\Users\Admin\AppData\Local\Temp\b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /delete /tn "WindowsUpdate.exe" /f
  2⤵
  PID:4800
- C:\Windows\Microsoft\MyClient\WindowsUpdate.exe
  "C:\Windows\Microsoft\MyClient\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    PID:2548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    PID:5212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    3⤵
    PID:5320
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /delete /tn "WindowsUpdate.exe" /f
    3⤵
    PID:5132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    PID:5148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    PID:5504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    PID:5684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    PID:5828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    PID:5948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:4664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:5612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    PID:4532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:6060
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Windows\WindowsUpdate.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4868
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 5788 -s 1700
    3⤵
    - Program crash
    PID:3828
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Windows\WindowsUpdate.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:5816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
e82cedf0daff0bc6fdbe80d57268f6fe

SHA1
6e883c18c6e4c9697805f5f60be3a87322b72352

SHA256
0975360c9c5dcecdc76d9b737f3fc2b0ea134ae8d02ff9d0ee17568e7c39315c

SHA512
0a8ad1e847d5be673d3988523365f448ed6501215d41f5a15147b5349ec5412a16381fa120fa73d2b81fcca55358bfc1390830e1e28679d5f8c9a4a8ab55fcc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b9487075b905adbc5fc1047a93d86701

SHA1
be0f8a8f15a51e08c2c01e338b6d371171541bfe

SHA256
45b67c2a64c57fa93015442933b495337324c1757d1ab0092905678f807bc6d7

SHA512
f16e321599d37bf1c6848bd4e7bdee307e90c7d543dd6d096eadf50fdb1b696f6b56bdda43d1cbeb1b1e007c27e425415f9a8a875d19a33b8309eb53b7ab959e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
e6ba49680d30eafb57d96f55423ec211

SHA1
5c2783efcea1762d963e01d9ed40b28ddaa8e1fb

SHA256
5490dd0176c06a99228b821a8b2c47017f2624f6315002d47ec80765db92dc9a

SHA512
e4af6fd97b5b8b94e1092c6328e7dbaa0830b7a60a02bbd97c0278e439965666f55c81b22291495a510a283bc9d79a546efad985035c13f4ab28d065eb57778c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
afe0ab3096b42a0dd8913b136131e9ca

SHA1
1819c59e9bd713c9e13683c2bcc178651f6ba805

SHA256
1145d2ef28dbb39bfba21b2262b7df7058d1091f3ca50cc457731ce330b3fa2c

SHA512
5c1bacb440f7b6c001ddc2d5bbc4076ee3a66b148c89e5e108f2e0f0af388bfdbf7ba384191600b1581836107ab5aabdbda0a64d411e880c35e3b9021a700e7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
c80eb807a75524eac1dd0472f4c7b018

SHA1
ec5a021dcf1c33e4f0e486b09077b8b8c80fdbe6

SHA256
ecf6cfc4d633bf954481bdacd7dcf19a6c425a720406dae88facfd90fe34f42d

SHA512
0659bca05e89d664b32c7b35f1f8ee70305e70ceb75b792e5ca4d0b6e83fdcd913599a8a0d42cf045a7197874c95b6bf2dc7b4115cf39cbb575094343314e012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
eb70b385f90e291b63c870221ea91715

SHA1
315932fd5472fc512f4a25365e388e48e345e559

SHA256
bd23e56998b7617e7a8a073e6531299f1d4f94fba588be356be7802b2405b18b

SHA512
9f19964d2495a970f2ad19826276c7615a05ff00163098f2c730168dd8d3b39109815a445f927a9612adb9af5a9c3e14152d84e4dcb279aa22d88cbdaa91458f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
eb70b385f90e291b63c870221ea91715

SHA1
315932fd5472fc512f4a25365e388e48e345e559

SHA256
bd23e56998b7617e7a8a073e6531299f1d4f94fba588be356be7802b2405b18b

SHA512
9f19964d2495a970f2ad19826276c7615a05ff00163098f2c730168dd8d3b39109815a445f927a9612adb9af5a9c3e14152d84e4dcb279aa22d88cbdaa91458f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
53ba9217ade6a3f720f43714547f13e4

SHA1
12774c870649758d07469f3aeab0e4fcc15cb1d9

SHA256
eddd4ceaff79d6b564e16ce0c50c971587531376879a7a6422efd0893842f057

SHA512
e688f7c4e8119fb921f086c392052eaa7816423b69e5fc096815e0873edcb0b7b01b1b19d57ee94c4190c0385633b5f13bad808b4ac0aa5fef1098837b181de2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
fbfa468abd44024a605a681c39c471ff

SHA1
90432409ff5398356244ffb3dda2622d7de94fb2

SHA256
94c8cfacb1e2b65d86dcc6722b61f24a0fb340a24c8a1ebda90ccd576e051eab

SHA512
100149ac176c9b94a73d56a9319dc43d55a92c3a7b5f4daad384be46072188680fe31d8555758d5c2471b6d1ed48c3dc934595e1b1fcbab5e0be98a38716c09c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
fbfa468abd44024a605a681c39c471ff

SHA1
90432409ff5398356244ffb3dda2622d7de94fb2

SHA256
94c8cfacb1e2b65d86dcc6722b61f24a0fb340a24c8a1ebda90ccd576e051eab

SHA512
100149ac176c9b94a73d56a9319dc43d55a92c3a7b5f4daad384be46072188680fe31d8555758d5c2471b6d1ed48c3dc934595e1b1fcbab5e0be98a38716c09c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
10b0662a7e31e46b5985b22f01eda06f

SHA1
03ce640eaa79beba87747332b3e4bcb4ccb3fd52

SHA256
9832730bf60202a071c56b6339ab3c9cb3c1f69135e6fba2f0ff2ac61191930d

SHA512
102aa930d6c8123e022f0ffa434a227c1d87d08c0252e8f8769afdc8c588bf529d6c96c13cf969938423ec5a6f6da464a9f9d6a8aee1628e6340e68b0bad8d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
10b0662a7e31e46b5985b22f01eda06f

SHA1
03ce640eaa79beba87747332b3e4bcb4ccb3fd52

SHA256
9832730bf60202a071c56b6339ab3c9cb3c1f69135e6fba2f0ff2ac61191930d

SHA512
102aa930d6c8123e022f0ffa434a227c1d87d08c0252e8f8769afdc8c588bf529d6c96c13cf969938423ec5a6f6da464a9f9d6a8aee1628e6340e68b0bad8d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
13ff71b3d27177f71e47c02c8dd853a1

SHA1
40208339b5021caa9e9984e6a759a921a8b2dbc4

SHA256
099fa61ed87c4cec8df0349ef2552f33ef905ca04fa389f9e51655e9d260f185

SHA512
f1c462860fb9961e697f77569b38997036a7529335917284ce4766a2866dc219730ad3b2b78e2b9626e1ae7d4f3ba2b51776bb5f6384c5ac44256863cee8a481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
59147f7bc42abef63158849e1b7ca8d5

SHA1
05192910c1892aa95927d481d37e51a58f4d1b67

SHA256
49bdf7dd1314ad5795fef8b606d17021a24ddd050331c21cfc0aa53ae52e8b6f

SHA512
93098813f672952925e74ecef2e80ea5d546e151fbea0b272bc34c8df31035d90d28cfe58f2c066c6449e3e1e4d0b759f6a90e43e7a454fcfe9d4d8f4192f23c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
009987d0ca687fba1b3bedbf18b3928a

SHA1
91c2fd32cba220700b5d8ec4b77116057e392342

SHA256
9058882fccf77697bc5a611e7450f4849a4cabee672634be3500ff93b7cf57a3

SHA512
bf65fbf0e40cf4efeabd70be379ee5ca0363de3f57ad62a16517b4caff90f611dd87653173a7bfff4bad8d0a8ae81e5472096be091a7cc071fc05cd097f46ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
c5327f367d5a32d38ae72511d8e22866

SHA1
3a8d62b98bc3f9cf87d8b837c1099803781cda08

SHA256
b32db3ec6d71532a9f7b516dbcd5ca8baeacdbe535088779e4ae828f72a3998e

SHA512
1a8701b33304bfa5c5cf6d508c62cb08db54257c71fef5a2a79c0c90b36f42106bd4ae6643f109814a76527d5a858a066895593284be8d2521ba1d8889d28202

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
c5327f367d5a32d38ae72511d8e22866

SHA1
3a8d62b98bc3f9cf87d8b837c1099803781cda08

SHA256
b32db3ec6d71532a9f7b516dbcd5ca8baeacdbe535088779e4ae828f72a3998e

SHA512
1a8701b33304bfa5c5cf6d508c62cb08db54257c71fef5a2a79c0c90b36f42106bd4ae6643f109814a76527d5a858a066895593284be8d2521ba1d8889d28202

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
5fc4d9351fa52be5f889bb0baf667774

SHA1
d343c52297067fc201a79d407b377c1831d6ae48

SHA256
8c1e709675a05f11d738d3a9bd14d7305a5d31e574b05c9fd9d3635bce5f8cf9

SHA512
40818928f843b3397d844464503267cc9360c0341cc210ffe0f8a861b9a5c9777977f3175ea3dd002abc7c1192983cb8b6701ff24c243c87d05012f665cc00df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
88f1687ef1b7bc1f2dd9402b94556852

SHA1
d6f42daa1cc98906c6186168bdede1ddfb152198

SHA256
ead00133d8e99d4d9b50091504bf3fa7dbf115c46ad9a4bdf7021371fbb33222

SHA512
d45512ad80328d7d62c233bf182788230455f39ac30bf5ac001d2444dd142f0408a158579de1029e1983b00fb548d7fa87533dabcf4b7cc7269aa1369406493b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
88f1687ef1b7bc1f2dd9402b94556852

SHA1
d6f42daa1cc98906c6186168bdede1ddfb152198

SHA256
ead00133d8e99d4d9b50091504bf3fa7dbf115c46ad9a4bdf7021371fbb33222

SHA512
d45512ad80328d7d62c233bf182788230455f39ac30bf5ac001d2444dd142f0408a158579de1029e1983b00fb548d7fa87533dabcf4b7cc7269aa1369406493b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
e650d040a67525c1f8177d6cb1393213

SHA1
7361752171056f25d4157c56dd3b656d13e6a541

SHA256
a0005d02a9c5d15d6c879cd690a1e443275447b199bbdba530a9128dccb72839

SHA512
c0cb3223f02836c82393d10144d722128d400d34a29d54af2b587310261177e6fdb2eee409ea44be6943922782812c202044336e4e4b16640b6665ae303873c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
e650d040a67525c1f8177d6cb1393213

SHA1
7361752171056f25d4157c56dd3b656d13e6a541

SHA256
a0005d02a9c5d15d6c879cd690a1e443275447b199bbdba530a9128dccb72839

SHA512
c0cb3223f02836c82393d10144d722128d400d34a29d54af2b587310261177e6fdb2eee409ea44be6943922782812c202044336e4e4b16640b6665ae303873c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
4076a20f9419fc859ba75db35a42c344

SHA1
c19fddb09a0e3bf880d9e37c5e596a6de3ce75d8

SHA256
c839f055291379b6a80b302066a6dac68b7fe57c5b42c8f08f98102e1667cdfe

SHA512
ac514a8f5c3403d760a4ff19a5cad829b6cd5c00bebf7fb986ee8742bb262b1ff75fa790b8ef5eb38456993cf07ddb14dc1ca76f5a3b74af170b4b2bb3c439bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
28e3b1e6053074774f365b224cf4d4a4

SHA1
af29b860f0b46746255bae80cfd18393e31c9978

SHA256
0b4b62b2e4dee62550659d984867e20b36bf3bc59aedbd6941578b8c19ae7e4c

SHA512
99030e2f6ece7e8780c9d9c1020f9b0d3820df569343439c26dc1ded55adb6f92eba9845efb74746ed66d76b0c1fbd3c520f4bb7d38380a42dd37418d5d23da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
c755f22c3a9331f7aa0982069796f016

SHA1
f5e49dcdc317c4510b9cd9c38b9726e79f5b1077

SHA256
adb5bf9d1ff22c8e0c2f159f1a527a9c7ce9adcd697d0f567d5ce7954e62b7f5

SHA512
1eb021eea89a37b5071c6d6babab89f48337b5beebdf0f5b94595fa7cc4dff4c3e273fc0e8ecbd3ce4745162b77743c428af69e3a8d7883237a0d64834497abb

Download Submit
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe

MD5
b72d429d1d690165c7b0de4a074c4a58

SHA1
f0704d227482a80f2f90dab79ed4acd9770fe565

SHA256
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae

SHA512
f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c

Download Submit
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe

MD5
b72d429d1d690165c7b0de4a074c4a58

SHA1
f0704d227482a80f2f90dab79ed4acd9770fe565

SHA256
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae

SHA512
f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c

Download Submit
memory/2548-640-0x0000000000000000-mapping.dmp

Download
memory/2852-124-0x000001D036C80000-0x000001D036C81000-memory.dmp

Filesize
4KB

Download
memory/2852-132-0x000001D036CB6000-0x000001D036CB8000-memory.dmp

Filesize
8KB

Download
memory/2852-130-0x000001D036CB0000-0x000001D036CB2000-memory.dmp

Filesize
8KB

Download
memory/2852-131-0x000001D036CB3000-0x000001D036CB5000-memory.dmp

Filesize
8KB

Download
memory/2852-127-0x000001D036E40000-0x000001D036E41000-memory.dmp

Filesize
4KB

Download
memory/2852-119-0x0000000000000000-mapping.dmp

Download
memory/3152-327-0x0000018657E46000-0x0000018657E48000-memory.dmp

Filesize
8KB

Download
memory/3152-235-0x0000018657E40000-0x0000018657E42000-memory.dmp

Filesize
8KB

Download
memory/3152-157-0x0000000000000000-mapping.dmp

Download
memory/3152-237-0x0000018657E43000-0x0000018657E45000-memory.dmp

Filesize
8KB

Download
memory/3172-117-0x000000001AEB3000-0x000000001AEB4000-memory.dmp

Filesize
4KB

Download
memory/3172-324-0x000000001F0FC000-0x000000001F101000-memory.dmp

Filesize
20KB

Download
memory/3172-328-0x000000001F0F3000-0x000000001F0F6000-memory.dmp

Filesize
12KB

Download
memory/3172-354-0x000000001F101000-0x000000001F106000-memory.dmp

Filesize
20KB

Download
memory/3172-114-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/3172-118-0x000000001AEB2000-0x000000001AEB3000-memory.dmp

Filesize
4KB

Download
memory/3172-116-0x000000001AEB0000-0x000000001AEB2000-memory.dmp

Filesize
8KB

Download
memory/3172-357-0x000000001AEB8000-0x000000001AEBE000-memory.dmp

Filesize
24KB

Download
memory/3172-325-0x000000001F0F0000-0x000000001F0F3000-memory.dmp

Filesize
12KB

Download
memory/3172-368-0x000000001AEB8000-0x000000001AEBE000-memory.dmp

Filesize
24KB

Download
memory/3172-362-0x000000001AEB8000-0x000000001AEB9000-memory.dmp

Filesize
4KB

Download
memory/3172-293-0x000000001AEB5000-0x000000001AEB7000-memory.dmp

Filesize
8KB

Download
memory/3172-316-0x000000001AEB7000-0x000000001AEB8000-memory.dmp

Filesize
4KB

Download
memory/3172-317-0x000000001F0F6000-0x000000001F0F9000-memory.dmp

Filesize
12KB

Download
memory/3172-318-0x000000001AEB8000-0x000000001AEBA000-memory.dmp

Filesize
8KB

Download
memory/3172-320-0x000000001AEBA000-0x000000001AEBF000-memory.dmp

Filesize
20KB

Download
memory/3172-322-0x000000001F0F9000-0x000000001F0FC000-memory.dmp

Filesize
12KB

Download
memory/3224-153-0x0000000000000000-mapping.dmp

Download
memory/3224-287-0x00000212FDA86000-0x00000212FDA88000-memory.dmp

Filesize
8KB

Download
memory/3224-173-0x00000212FDA83000-0x00000212FDA85000-memory.dmp

Filesize
8KB

Download
memory/3224-618-0x00000212FDA88000-0x00000212FDA89000-memory.dmp

Filesize
4KB

Download
memory/3224-169-0x00000212FDA80000-0x00000212FDA82000-memory.dmp

Filesize
8KB

Download
memory/3868-155-0x0000000000000000-mapping.dmp

Download
memory/3868-221-0x00000295F5560000-0x00000295F5562000-memory.dmp

Filesize
8KB

Download
memory/3868-628-0x00000295F5568000-0x00000295F5569000-memory.dmp

Filesize
4KB

Download
memory/3868-234-0x00000295F5563000-0x00000295F5565000-memory.dmp

Filesize
8KB

Download
memory/3868-329-0x00000295F5566000-0x00000295F5568000-memory.dmp

Filesize
8KB

Download
memory/3972-154-0x0000000000000000-mapping.dmp

Download
memory/3972-214-0x00000219A1450000-0x00000219A1452000-memory.dmp

Filesize
8KB

Download
memory/3972-619-0x00000219A1458000-0x00000219A1459000-memory.dmp

Filesize
4KB

Download
memory/3972-218-0x00000219A1453000-0x00000219A1455000-memory.dmp

Filesize
8KB

Download
memory/3972-326-0x00000219A1456000-0x00000219A1458000-memory.dmp

Filesize
8KB

Download
memory/4128-158-0x0000000000000000-mapping.dmp

Download
memory/4128-240-0x00000183788D3000-0x00000183788D5000-memory.dmp

Filesize
8KB

Download
memory/4128-239-0x00000183788D0000-0x00000183788D2000-memory.dmp

Filesize
8KB

Download
memory/4128-319-0x00000183788D6000-0x00000183788D8000-memory.dmp

Filesize
8KB

Download
memory/4164-244-0x00000204E4613000-0x00000204E4615000-memory.dmp

Filesize
8KB

Download
memory/4164-321-0x00000204E4616000-0x00000204E4618000-memory.dmp

Filesize
8KB

Download
memory/4164-159-0x0000000000000000-mapping.dmp

Download
memory/4164-242-0x00000204E4610000-0x00000204E4612000-memory.dmp

Filesize
8KB

Download
memory/4240-162-0x0000000000000000-mapping.dmp

Download
memory/4240-245-0x000002E00E130000-0x000002E00E132000-memory.dmp

Filesize
8KB

Download
memory/4240-247-0x000002E00E133000-0x000002E00E135000-memory.dmp

Filesize
8KB

Download
memory/4240-323-0x000002E00E136000-0x000002E00E138000-memory.dmp

Filesize
8KB

Download
memory/4308-410-0x0000015CA6516000-0x0000015CA6518000-memory.dmp

Filesize
8KB

Download
memory/4308-165-0x0000000000000000-mapping.dmp

Download
memory/4308-249-0x0000015CA6510000-0x0000015CA6512000-memory.dmp

Filesize
8KB

Download
memory/4308-251-0x0000015CA6513000-0x0000015CA6515000-memory.dmp

Filesize
8KB

Download
memory/4380-167-0x0000000000000000-mapping.dmp

Download
memory/4380-256-0x0000021FFE603000-0x0000021FFE605000-memory.dmp

Filesize
8KB

Download
memory/4380-255-0x0000021FFE600000-0x0000021FFE602000-memory.dmp

Filesize
8KB

Download
memory/4380-509-0x0000021FFE606000-0x0000021FFE608000-memory.dmp

Filesize
8KB

Download
memory/4436-254-0x0000018AC39D3000-0x0000018AC39D5000-memory.dmp

Filesize
8KB

Download
memory/4436-253-0x0000018AC39D0000-0x0000018AC39D2000-memory.dmp

Filesize
8KB

Download
memory/4436-461-0x0000018AC39D6000-0x0000018AC39D8000-memory.dmp

Filesize
8KB

Download
memory/4436-171-0x0000000000000000-mapping.dmp

Download
memory/4532-756-0x0000000000000000-mapping.dmp

Download
memory/4556-230-0x000001981BF93000-0x000001981BF95000-memory.dmp

Filesize
8KB

Download
memory/4556-178-0x0000000000000000-mapping.dmp

Download
memory/4556-513-0x000001981BF96000-0x000001981BF98000-memory.dmp

Filesize
8KB

Download
memory/4556-224-0x000001981BF90000-0x000001981BF92000-memory.dmp

Filesize
8KB

Download
memory/4656-227-0x000001BC58B50000-0x000001BC58B52000-memory.dmp

Filesize
8KB

Download
memory/4656-185-0x0000000000000000-mapping.dmp

Download
memory/4656-523-0x000001BC58B56000-0x000001BC58B58000-memory.dmp

Filesize
8KB

Download
memory/4656-231-0x000001BC58B53000-0x000001BC58B55000-memory.dmp

Filesize
8KB

Download
memory/4664-673-0x0000000000000000-mapping.dmp

Download
memory/4668-469-0x0000000000000000-mapping.dmp

Download
memory/4668-617-0x00000212B9786000-0x00000212B9788000-memory.dmp

Filesize
8KB

Download
memory/4668-516-0x00000212B9780000-0x00000212B9782000-memory.dmp

Filesize
8KB

Download
memory/4668-519-0x00000212B9783000-0x00000212B9785000-memory.dmp

Filesize
8KB

Download
memory/4800-259-0x0000000000000000-mapping.dmp

Download
memory/4868-815-0x0000000000000000-mapping.dmp

Download
memory/5132-644-0x0000000000000000-mapping.dmp

Download
memory/5148-643-0x0000000000000000-mapping.dmp

Download
memory/5212-641-0x0000000000000000-mapping.dmp

Download
memory/5320-642-0x0000000000000000-mapping.dmp

Download
memory/5504-652-0x0000000000000000-mapping.dmp

Download
memory/5612-737-0x0000000000000000-mapping.dmp

Download
memory/5684-661-0x0000000000000000-mapping.dmp

Download
memory/5788-465-0x000000001B012000-0x000000001B013000-memory.dmp

Filesize
4KB

Download
memory/5788-459-0x000000001B013000-0x000000001B014000-memory.dmp

Filesize
4KB

Download
memory/5788-415-0x000000001B010000-0x000000001B012000-memory.dmp

Filesize
8KB

Download
memory/5788-386-0x0000000000000000-mapping.dmp

Download
memory/5816-391-0x0000000000000000-mapping.dmp

Download
memory/5828-664-0x0000000000000000-mapping.dmp

Download
memory/5948-668-0x0000000000000000-mapping.dmp

Download
memory/6060-779-0x0000000000000000-mapping.dmp

Download