51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d

Analysis

max time kernel
25s
max time network
154s
platform
windows10_x64
resource
win10-en
submitted
15-09-2021 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa8ce83b306dd68d1d7660919c9dd523.exe
Size

1.4MB
MD5

fa8ce83b306dd68d1d7660919c9dd523
SHA1

1a0c86251a0044d65915640a0042c492e19275a2
SHA256

51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d
SHA512

efa77b674afcca7ea1a14574ac855252848c91252bd189f6b5de8b7c30a00790f66cc986af4f90722e0f8cb4f66099b8419c794b6fbfc43f78241770d86e64fb

Score

10^/10

evasion trojan

Malware Config

Signatures

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\df9c5bc1-c982-49ef-a47f-9e1341e5acbe\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\df9c5bc1-c982-49ef-a47f-9e1341e5acbe\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\df9c5bc1-c982-49ef-a47f-9e1341e5acbe\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\1a2baa19-ae9f-40d2-ab9c-eda2668a65f7\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\1a2baa19-ae9f-40d2-ab9c-eda2668a65f7\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\1a2baa19-ae9f-40d2-ab9c-eda2668a65f7\AdvancedRun.exe	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeB2DAD187.exe

pid process

3296 AdvancedRun.exe
3032 AdvancedRun.exe
1552 B2DAD187.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fa8ce83b306dd68d1d7660919c9dd523.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fa8ce83b306dd68d1d7660919c9dd523.exe

Drops startup file 2 IoCs

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe	fa8ce83b306dd68d1d7660919c9dd523.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	fa8ce83b306dd68d1d7660919c9dd523.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	fa8ce83b306dd68d1d7660919c9dd523.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	fa8ce83b306dd68d1d7660919c9dd523.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	fa8ce83b306dd68d1d7660919c9dd523.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description pid process target process

PID 2248 set thread context of 3804 2248 fa8ce83b306dd68d1d7660919c9dd523.exe fa8ce83b306dd68d1d7660919c9dd523.exe
Drops file in Windows directory 1 IoCs

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description ioc process

File created C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe fa8ce83b306dd68d1d7660919c9dd523.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4116 2248 WerFault.exe fa8ce83b306dd68d1d7660919c9dd523.exe
4360 1552 WerFault.exe B2DAD187.exe

description	pid	process	target process
PID 2248 set thread context of 3804	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe	fa8ce83b306dd68d1d7660919c9dd523.exe

pid	pid_target	process	target process
4116	2248	WerFault.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
4360	1552	WerFault.exe	B2DAD187.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3296	AdvancedRun.exe
3296	AdvancedRun.exe
3296	AdvancedRun.exe
3296	AdvancedRun.exe
3032	AdvancedRun.exe
3032	AdvancedRun.exe
3032	AdvancedRun.exe
3032	AdvancedRun.exe
520	powershell.exe
660	powershell.exe
1344	powershell.exe
948	powershell.exe
1000	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exefa8ce83b306dd68d1d7660919c9dd523.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3296	AdvancedRun.exe
Token: SeImpersonatePrivilege	3296	AdvancedRun.exe
Token: SeDebugPrivilege	3032	AdvancedRun.exe
Token: SeImpersonatePrivilege	3032	AdvancedRun.exe
Token: SeDebugPrivilege	520	powershell.exe
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	2248	fa8ce83b306dd68d1d7660919c9dd523.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exeAdvancedRun.exe

description	pid	process	target process
PID 2248 wrote to memory of 3296	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	AdvancedRun.exe
PID 2248 wrote to memory of 3296	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	AdvancedRun.exe
PID 2248 wrote to memory of 3296	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	AdvancedRun.exe
PID 3296 wrote to memory of 3032	3296	AdvancedRun.exe	AdvancedRun.exe
PID 3296 wrote to memory of 3032	3296	AdvancedRun.exe	AdvancedRun.exe
PID 3296 wrote to memory of 3032	3296	AdvancedRun.exe	AdvancedRun.exe
PID 2248 wrote to memory of 520	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 520	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 520	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 660	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 660	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 660	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 1000	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 1000	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 1000	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 948	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 948	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 948	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 1344	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 1344	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 1344	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 1552	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	B2DAD187.exe
PID 2248 wrote to memory of 1552	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	B2DAD187.exe
PID 2248 wrote to memory of 1552	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	B2DAD187.exe
PID 2248 wrote to memory of 1996	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 1996	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 1996	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 2360	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 2360	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 2360	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 3080	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 3080	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 3080	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 2248 wrote to memory of 3804	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
PID 2248 wrote to memory of 3804	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
PID 2248 wrote to memory of 3804	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
PID 2248 wrote to memory of 3804	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
PID 2248 wrote to memory of 3804	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
PID 2248 wrote to memory of 3804	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
PID 2248 wrote to memory of 3804	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
PID 2248 wrote to memory of 3804	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
PID 2248 wrote to memory of 3804	2248	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe

C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe
"C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2248

C:\Users\Admin\AppData\Local\Temp\df9c5bc1-c982-49ef-a47f-9e1341e5acbe\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\df9c5bc1-c982-49ef-a47f-9e1341e5acbe\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\df9c5bc1-c982-49ef-a47f-9e1341e5acbe\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3296

C:\Users\Admin\AppData\Local\Temp\df9c5bc1-c982-49ef-a47f-9e1341e5acbe\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\df9c5bc1-c982-49ef-a47f-9e1341e5acbe\AdvancedRun.exe" /SpecialRun 4101d8 3296
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"
2⤵
- Executes dropped EXE
PID:1552

C:\Users\Admin\AppData\Local\Temp\1a2baa19-ae9f-40d2-ab9c-eda2668a65f7\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\1a2baa19-ae9f-40d2-ab9c-eda2668a65f7\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\1a2baa19-ae9f-40d2-ab9c-eda2668a65f7\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\1a2baa19-ae9f-40d2-ab9c-eda2668a65f7\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\1a2baa19-ae9f-40d2-ab9c-eda2668a65f7\AdvancedRun.exe" /SpecialRun 4101d8 4628
4⤵
PID:5076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
3⤵
PID:4736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
3⤵
PID:4856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force
3⤵
PID:5064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
3⤵
PID:2148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force
3⤵
PID:2732

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"
3⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1980
3⤵
- Program crash
PID:4360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force
2⤵
PID:1996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe" -Force
2⤵
PID:2360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force
2⤵
PID:3080

C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe
"C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe"
2⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1988
2⤵
- Program crash
PID:4116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Bypass User Account Control

T1088

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
1d44f56fa05314b18e120ecf285aac3f

SHA1
f5acb98028def797d2b0689f697d0837cbbe1d6a

SHA256
c86cc65f879c3c100fe5fcc5b927fd183cf4c982f3d35569bab0fb0c399274a9

SHA512
fb05a04c10dd08f8899c9edc944cc5a04139655a5d7f1a4a9ccc6746eaa0fadee8b8bdf4bb140815fd81508eabe8d0c35e73eff0f01266d111c8e7014bcc42ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
978907ad117617c7c2023b5b94ef34a1

SHA1
e1dd366e556e546b4f63eafe80b3f29f95c16493

SHA256
bf6f1e5c92adc075d2f001ac91c743739deef7048b051fad2d2bc3c0dd5a0450

SHA512
ca24edda83930e689603dabbbe830ade3981695604f80d7f962c13a49c3e2935a133771f987fd74c24c59dd635569d7d1f7ec825b1d205f1d0af3adc8d0a0638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
978907ad117617c7c2023b5b94ef34a1

SHA1
e1dd366e556e546b4f63eafe80b3f29f95c16493

SHA256
bf6f1e5c92adc075d2f001ac91c743739deef7048b051fad2d2bc3c0dd5a0450

SHA512
ca24edda83930e689603dabbbe830ade3981695604f80d7f962c13a49c3e2935a133771f987fd74c24c59dd635569d7d1f7ec825b1d205f1d0af3adc8d0a0638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
04dcf48e42aabd6059a0c987d6a30064

SHA1
c0cdfc104291938dd603a2ba2c4d06f9d8989a44

SHA256
d1587f4ec158b1f60054693360bb7fcf9f22075b29388c8d7c8c65a7309b02b6

SHA512
d34808b704cf0bc93ee212fafe40e6ee0aa59567f508835c9d06c970ae389d53249878e73572c889ceeb5c0c8cc217ca75efa47ca34ba1fcad443761c91d6401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
04dcf48e42aabd6059a0c987d6a30064

SHA1
c0cdfc104291938dd603a2ba2c4d06f9d8989a44

SHA256
d1587f4ec158b1f60054693360bb7fcf9f22075b29388c8d7c8c65a7309b02b6

SHA512
d34808b704cf0bc93ee212fafe40e6ee0aa59567f508835c9d06c970ae389d53249878e73572c889ceeb5c0c8cc217ca75efa47ca34ba1fcad443761c91d6401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
410759018f515420c591cb1576d694ae

SHA1
89b8308867056d1878607dbb247d92be5cfe5d76

SHA256
2a71f076f5cba8e87a0a66f4669fe9f2fa884d889a196355ab12b9a93a8e41a5

SHA512
99c94f5240e3d387e2875011fe2154c057285a0b4f8b3147590ba471544d3891802c9badbd42788340c338fee23cc3464bd01a9a72757dd592f33cce8b7c060d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a2baa19-ae9f-40d2-ab9c-eda2668a65f7\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a2baa19-ae9f-40d2-ab9c-eda2668a65f7\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a2baa19-ae9f-40d2-ab9c-eda2668a65f7\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\df9c5bc1-c982-49ef-a47f-9e1341e5acbe\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\df9c5bc1-c982-49ef-a47f-9e1341e5acbe\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\df9c5bc1-c982-49ef-a47f-9e1341e5acbe\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
fa8ce83b306dd68d1d7660919c9dd523

SHA1
1a0c86251a0044d65915640a0042c492e19275a2

SHA256
51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d

SHA512
efa77b674afcca7ea1a14574ac855252848c91252bd189f6b5de8b7c30a00790f66cc986af4f90722e0f8cb4f66099b8419c794b6fbfc43f78241770d86e64fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
fa8ce83b306dd68d1d7660919c9dd523

SHA1
1a0c86251a0044d65915640a0042c492e19275a2

SHA256
51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d

SHA512
efa77b674afcca7ea1a14574ac855252848c91252bd189f6b5de8b7c30a00790f66cc986af4f90722e0f8cb4f66099b8419c794b6fbfc43f78241770d86e64fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
fa8ce83b306dd68d1d7660919c9dd523

SHA1
1a0c86251a0044d65915640a0042c492e19275a2

SHA256
51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d

SHA512
efa77b674afcca7ea1a14574ac855252848c91252bd189f6b5de8b7c30a00790f66cc986af4f90722e0f8cb4f66099b8419c794b6fbfc43f78241770d86e64fb

Download Submit
memory/520-136-0x0000000007630000-0x0000000007631000-memory.dmp

Filesize
4KB

Download
memory/520-286-0x000000007E830000-0x000000007E831000-memory.dmp

Filesize
4KB

Download
memory/520-421-0x0000000006FF3000-0x0000000006FF4000-memory.dmp

Filesize
4KB

Download
memory/520-135-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/520-186-0x0000000007D70000-0x0000000007D71000-memory.dmp

Filesize
4KB

Download
memory/520-127-0x0000000000000000-mapping.dmp

Download
memory/520-192-0x0000000007EB0000-0x0000000007EB1000-memory.dmp

Filesize
4KB

Download
memory/520-165-0x0000000006FF2000-0x0000000006FF3000-memory.dmp

Filesize
4KB

Download
memory/520-163-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

Filesize
4KB

Download
memory/520-167-0x0000000007C90000-0x0000000007C91000-memory.dmp

Filesize
4KB

Download
memory/660-172-0x0000000006872000-0x0000000006873000-memory.dmp

Filesize
4KB

Download
memory/660-395-0x0000000006873000-0x0000000006874000-memory.dmp

Filesize
4KB

Download
memory/660-128-0x0000000000000000-mapping.dmp

Download
memory/660-169-0x0000000006870000-0x0000000006871000-memory.dmp

Filesize
4KB

Download
memory/660-296-0x000000007E090000-0x000000007E091000-memory.dmp

Filesize
4KB

Download
memory/948-230-0x0000000008980000-0x0000000008981000-memory.dmp

Filesize
4KB

Download
memory/948-405-0x0000000004CB3000-0x0000000004CB4000-memory.dmp

Filesize
4KB

Download
memory/948-292-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/948-203-0x0000000004CB2000-0x0000000004CB3000-memory.dmp

Filesize
4KB

Download
memory/948-130-0x0000000000000000-mapping.dmp

Download
memory/948-227-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

Filesize
4KB

Download
memory/948-195-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/1000-206-0x0000000000C92000-0x0000000000C93000-memory.dmp

Filesize
4KB

Download
memory/1000-129-0x0000000000000000-mapping.dmp

Download
memory/1000-199-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1000-465-0x0000000000C93000-0x0000000000C94000-memory.dmp

Filesize
4KB

Download
memory/1344-133-0x0000000000000000-mapping.dmp

Download
memory/1344-193-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/1344-412-0x0000000000CD3000-0x0000000000CD4000-memory.dmp

Filesize
4KB

Download
memory/1344-201-0x0000000000CD2000-0x0000000000CD3000-memory.dmp

Filesize
4KB

Download
memory/1344-339-0x000000007EDA0000-0x000000007EDA1000-memory.dmp

Filesize
4KB

Download
memory/1552-134-0x0000000000000000-mapping.dmp

Download
memory/1552-202-0x0000000004E90000-0x000000000538E000-memory.dmp

Filesize
5.0MB

Download
memory/1996-385-0x000000007E9A0000-0x000000007E9A1000-memory.dmp

Filesize
4KB

Download
memory/1996-477-0x0000000007163000-0x0000000007164000-memory.dmp

Filesize
4KB

Download
memory/1996-140-0x0000000000000000-mapping.dmp

Download
memory/1996-180-0x0000000007160000-0x0000000007161000-memory.dmp

Filesize
4KB

Download
memory/1996-178-0x0000000007162000-0x0000000007163000-memory.dmp

Filesize
4KB

Download
memory/2148-1248-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/2148-1110-0x0000000000000000-mapping.dmp

Download
memory/2148-1275-0x00000000030D2000-0x00000000030D3000-memory.dmp

Filesize
4KB

Download
memory/2148-2411-0x000000007EAF0000-0x000000007EAF1000-memory.dmp

Filesize
4KB

Download
memory/2248-118-0x0000000004DB0000-0x00000000052AE000-memory.dmp

Filesize
5.0MB

Download
memory/2248-160-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/2248-115-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2248-121-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/2248-171-0x00000000062C0000-0x00000000062C3000-memory.dmp

Filesize
12KB

Download
memory/2248-116-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/2248-120-0x0000000004D40000-0x0000000004D96000-memory.dmp

Filesize
344KB

Download
memory/2248-119-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/2248-117-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/2360-187-0x0000000006E92000-0x0000000006E93000-memory.dmp

Filesize
4KB

Download
memory/2360-391-0x000000007F7A0000-0x000000007F7A1000-memory.dmp

Filesize
4KB

Download
memory/2360-143-0x0000000000000000-mapping.dmp

Download
memory/2360-473-0x0000000006E93000-0x0000000006E94000-memory.dmp

Filesize
4KB

Download
memory/2360-183-0x0000000006E90000-0x0000000006E91000-memory.dmp

Filesize
4KB

Download
memory/2732-1283-0x0000000006A32000-0x0000000006A33000-memory.dmp

Filesize
4KB

Download
memory/2732-1126-0x0000000000000000-mapping.dmp

Download
memory/2732-1266-0x0000000006A30000-0x0000000006A31000-memory.dmp

Filesize
4KB

Download
memory/2732-2417-0x000000007E7F0000-0x000000007E7F1000-memory.dmp

Filesize
4KB

Download
memory/3032-125-0x0000000000000000-mapping.dmp

Download
memory/3080-150-0x0000000000000000-mapping.dmp

Download
memory/3080-190-0x0000000004892000-0x0000000004893000-memory.dmp

Filesize
4KB

Download
memory/3080-191-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/3080-482-0x0000000004893000-0x0000000004894000-memory.dmp

Filesize
4KB

Download
memory/3080-400-0x000000007F3C0000-0x000000007F3C1000-memory.dmp

Filesize
4KB

Download
memory/3296-122-0x0000000000000000-mapping.dmp

Download
memory/3804-168-0x00000000004080EF-mapping.dmp

Download
memory/3804-166-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3804-174-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4296-1181-0x00000000004080EF-mapping.dmp

Download
memory/4628-916-0x0000000000000000-mapping.dmp

Download
memory/4736-1292-0x0000000004DF2000-0x0000000004DF3000-memory.dmp

Filesize
4KB

Download
memory/4736-2353-0x000000007F170000-0x000000007F171000-memory.dmp

Filesize
4KB

Download
memory/4736-1206-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/4736-1061-0x0000000000000000-mapping.dmp

Download
memory/4856-1215-0x00000000068A0000-0x00000000068A1000-memory.dmp

Filesize
4KB

Download
memory/4856-1077-0x0000000000000000-mapping.dmp

Download
memory/4856-1227-0x00000000068A2000-0x00000000068A3000-memory.dmp

Filesize
4KB

Download
memory/4856-2347-0x000000007EB10000-0x000000007EB11000-memory.dmp

Filesize
4KB

Download
memory/5064-1094-0x0000000000000000-mapping.dmp

Download
memory/5064-2422-0x000000007EAD0000-0x000000007EAD1000-memory.dmp

Filesize
4KB

Download
memory/5064-1237-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/5064-1255-0x0000000006B52000-0x0000000006B53000-memory.dmp

Filesize
4KB

Download
memory/5076-970-0x0000000000000000-mapping.dmp

Download