8ecd99368b83efde6f0d0d538e135394c5aec47faf430e86c5d9449eb0c9f770

Analysis

max time kernel
31s
max time network
140s
platform
windows10_x64
resource
win10-en-20211014
submitted
19-10-2021 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0e763139d8ae4919323f584a1750cfe.exe
Size

46KB
MD5

d0e763139d8ae4919323f584a1750cfe
SHA1

09cd2fd8de9b4968c9ea154c5f71c3273fc74087
SHA256

8ecd99368b83efde6f0d0d538e135394c5aec47faf430e86c5d9449eb0c9f770
SHA512

bc2a9c9fc703cedec5dfe087fb36f5eadd9335420c07018c7dfcf2ed45296370cc37b4e8da5afbcf12831ed94037281a64f37fa90cf75adc61bfe11506fe7700

Score

10^/10

evasion ransomware trojan

Malware Config

Extracted

Path

C:\Boot\bg-BG\Read_Me.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101TVBYKBDK 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101TVBYKBDK

https://yip.su/2QstD5

Signatures

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\4b47e2ad-1636-4d3a-acfa-9bb387e6b560\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\4b47e2ad-1636-4d3a-acfa-9bb387e6b560\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\4b47e2ad-1636-4d3a-acfa-9bb387e6b560\AdvancedRun.exe	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe

pid process

4000 AdvancedRun.exe
1400 AdvancedRun.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

d0e763139d8ae4919323f584a1750cfe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	d0e763139d8ae4919323f584a1750cfe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	d0e763139d8ae4919323f584a1750cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	d0e763139d8ae4919323f584a1750cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	d0e763139d8ae4919323f584a1750cfe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Resources\Themes\aero\Shell\㬸㬎㬬㬻㬉㬇㬹㭌㬅㬉㬉㬎㬧㬹㬶\svchost.exe = "0"	d0e763139d8ae4919323f584a1750cfe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\d0e763139d8ae4919323f584a1750cfe.exe = "0"	d0e763139d8ae4919323f584a1750cfe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	d0e763139d8ae4919323f584a1750cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	d0e763139d8ae4919323f584a1750cfe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	d0e763139d8ae4919323f584a1750cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	d0e763139d8ae4919323f584a1750cfe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	d0e763139d8ae4919323f584a1750cfe.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

d0e763139d8ae4919323f584a1750cfe.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	d0e763139d8ae4919323f584a1750cfe.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d0e763139d8ae4919323f584a1750cfe.exe

description	ioc	process
File opened (read-only)	\??\F:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\H:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\K:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\Z:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\Q:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\W:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\R:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\S:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\B:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\Y:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\P:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\A:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\J:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\N:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\I:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\G:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\L:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\X:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\V:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\M:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\E:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\T:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\U:	d0e763139d8ae4919323f584a1750cfe.exe
File opened (read-only)	\??\O:	d0e763139d8ae4919323f584a1750cfe.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

d0e763139d8ae4919323f584a1750cfe.exe

pid	process
392	d0e763139d8ae4919323f584a1750cfe.exe
392	d0e763139d8ae4919323f584a1750cfe.exe
392	d0e763139d8ae4919323f584a1750cfe.exe
392	d0e763139d8ae4919323f584a1750cfe.exe
392	d0e763139d8ae4919323f584a1750cfe.exe
392	d0e763139d8ae4919323f584a1750cfe.exe
392	d0e763139d8ae4919323f584a1750cfe.exe
392	d0e763139d8ae4919323f584a1750cfe.exe
392	d0e763139d8ae4919323f584a1750cfe.exe
392	d0e763139d8ae4919323f584a1750cfe.exe
392	d0e763139d8ae4919323f584a1750cfe.exe
392	d0e763139d8ae4919323f584a1750cfe.exe
392	d0e763139d8ae4919323f584a1750cfe.exe
392	d0e763139d8ae4919323f584a1750cfe.exe
392	d0e763139d8ae4919323f584a1750cfe.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d0e763139d8ae4919323f584a1750cfe.exe

description pid process target process

PID 392 set thread context of 2816 392 d0e763139d8ae4919323f584a1750cfe.exe d0e763139d8ae4919323f584a1750cfe.exe

description	pid	process	target process
PID 392 set thread context of 2816	392	d0e763139d8ae4919323f584a1750cfe.exe	d0e763139d8ae4919323f584a1750cfe.exe

Drops file in Program Files directory 64 IoCs

Processes:

d0e763139d8ae4919323f584a1750cfe.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\IPSEventLogMsg.dll.mui	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui	d0e763139d8ae4919323f584a1750cfe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\Read_Me.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll	d0e763139d8ae4919323f584a1750cfe.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Read_Me.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	d0e763139d8ae4919323f584a1750cfe.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\Read_Me.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB	d0e763139d8ae4919323f584a1750cfe.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\Read_Me.txt	d0e763139d8ae4919323f584a1750cfe.exe
File created	C:\Program Files\Common Files\System\ado\en-US\Read_Me.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	d0e763139d8ae4919323f584a1750cfe.exe
File created	C:\Program Files\Internet Explorer\en-US\Read_Me.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\micaut.dll	d0e763139d8ae4919323f584a1750cfe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\Read_Me.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	d0e763139d8ae4919323f584a1750cfe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\Read_Me.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	d0e763139d8ae4919323f584a1750cfe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\Read_Me.txt	d0e763139d8ae4919323f584a1750cfe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\Read_Me.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\correct.avi	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui	d0e763139d8ae4919323f584a1750cfe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\Read_Me.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll	d0e763139d8ae4919323f584a1750cfe.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\Read_Me.txt	d0e763139d8ae4919323f584a1750cfe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\Read_Me.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\SoftBlue.jpg	d0e763139d8ae4919323f584a1750cfe.exe
File created	C:\Program Files\Common Files\DESIGNER\Read_Me.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	d0e763139d8ae4919323f584a1750cfe.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\Read_Me.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	d0e763139d8ae4919323f584a1750cfe.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\Read_Me.txt	d0e763139d8ae4919323f584a1750cfe.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\Read_Me.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrusalm.dat	d0e763139d8ae4919323f584a1750cfe.exe
File created	C:\Program Files\Internet Explorer\images\Read_Me.txt	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll	d0e763139d8ae4919323f584a1750cfe.exe

Drops file in Windows directory 3 IoCs

Processes:

d0e763139d8ae4919323f584a1750cfe.exeWerFault.exe

description	ioc	process
File created	C:\Windows\Resources\Themes\aero\Shell\㬸㬎㬬㬻㬉㬇㬹㭌㬅㬉㬉㬎㬧㬹㬶\svchost.exe	d0e763139d8ae4919323f584a1750cfe.exe
File opened for modification	C:\Windows\Resources\Themes\aero\Shell\㬸㬎㬬㬻㬉㬇㬹㭌㬅㬉㬉㬎㬧㬹㬶\svchost.exe	d0e763139d8ae4919323f584a1750cfe.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3812 392 WerFault.exe d0e763139d8ae4919323f584a1750cfe.exe

pid	pid_target	process	target process
3812	392	WerFault.exe	d0e763139d8ae4919323f584a1750cfe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AdvancedRun.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exed0e763139d8ae4919323f584a1750cfe.exepowershell.exeWerFault.exed0e763139d8ae4919323f584a1750cfe.exe

pid	process
4000	AdvancedRun.exe
4000	AdvancedRun.exe
4000	AdvancedRun.exe
4000	AdvancedRun.exe
916	powershell.exe
3316	powershell.exe
3880	powershell.exe
1400	AdvancedRun.exe
1400	AdvancedRun.exe
1400	AdvancedRun.exe
1400	AdvancedRun.exe
3316	powershell.exe
3880	powershell.exe
916	powershell.exe
392	d0e763139d8ae4919323f584a1750cfe.exe
392	d0e763139d8ae4919323f584a1750cfe.exe
392	d0e763139d8ae4919323f584a1750cfe.exe
2104	powershell.exe
2104	powershell.exe
3880	powershell.exe
916	powershell.exe
3316	powershell.exe
2104	powershell.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe
2816	d0e763139d8ae4919323f584a1750cfe.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

d0e763139d8ae4919323f584a1750cfe.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	392	d0e763139d8ae4919323f584a1750cfe.exe
Token: SeDebugPrivilege	4000	AdvancedRun.exe
Token: SeImpersonatePrivilege	4000	AdvancedRun.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	1400	AdvancedRun.exe
Token: SeImpersonatePrivilege	1400	AdvancedRun.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeRestorePrivilege	3812	WerFault.exe
Token: SeBackupPrivilege	3812	WerFault.exe
Token: SeBackupPrivilege	3812	WerFault.exe
Token: SeDebugPrivilege	3812	WerFault.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

d0e763139d8ae4919323f584a1750cfe.exeAdvancedRun.exe

description	pid	process	target process
PID 392 wrote to memory of 3316	392	d0e763139d8ae4919323f584a1750cfe.exe	powershell.exe
PID 392 wrote to memory of 3316	392	d0e763139d8ae4919323f584a1750cfe.exe	powershell.exe
PID 392 wrote to memory of 3316	392	d0e763139d8ae4919323f584a1750cfe.exe	powershell.exe
PID 392 wrote to memory of 3880	392	d0e763139d8ae4919323f584a1750cfe.exe	powershell.exe
PID 392 wrote to memory of 3880	392	d0e763139d8ae4919323f584a1750cfe.exe	powershell.exe
PID 392 wrote to memory of 3880	392	d0e763139d8ae4919323f584a1750cfe.exe	powershell.exe
PID 392 wrote to memory of 916	392	d0e763139d8ae4919323f584a1750cfe.exe	powershell.exe
PID 392 wrote to memory of 916	392	d0e763139d8ae4919323f584a1750cfe.exe	powershell.exe
PID 392 wrote to memory of 916	392	d0e763139d8ae4919323f584a1750cfe.exe	powershell.exe
PID 392 wrote to memory of 4000	392	d0e763139d8ae4919323f584a1750cfe.exe	AdvancedRun.exe
PID 392 wrote to memory of 4000	392	d0e763139d8ae4919323f584a1750cfe.exe	AdvancedRun.exe
PID 392 wrote to memory of 4000	392	d0e763139d8ae4919323f584a1750cfe.exe	AdvancedRun.exe
PID 4000 wrote to memory of 1400	4000	AdvancedRun.exe	AdvancedRun.exe
PID 4000 wrote to memory of 1400	4000	AdvancedRun.exe	AdvancedRun.exe
PID 4000 wrote to memory of 1400	4000	AdvancedRun.exe	AdvancedRun.exe
PID 392 wrote to memory of 2104	392	d0e763139d8ae4919323f584a1750cfe.exe	powershell.exe
PID 392 wrote to memory of 2104	392	d0e763139d8ae4919323f584a1750cfe.exe	powershell.exe
PID 392 wrote to memory of 2104	392	d0e763139d8ae4919323f584a1750cfe.exe	powershell.exe
PID 392 wrote to memory of 2816	392	d0e763139d8ae4919323f584a1750cfe.exe	d0e763139d8ae4919323f584a1750cfe.exe
PID 392 wrote to memory of 2816	392	d0e763139d8ae4919323f584a1750cfe.exe	d0e763139d8ae4919323f584a1750cfe.exe
PID 392 wrote to memory of 2816	392	d0e763139d8ae4919323f584a1750cfe.exe	d0e763139d8ae4919323f584a1750cfe.exe
PID 392 wrote to memory of 2816	392	d0e763139d8ae4919323f584a1750cfe.exe	d0e763139d8ae4919323f584a1750cfe.exe
PID 392 wrote to memory of 2816	392	d0e763139d8ae4919323f584a1750cfe.exe	d0e763139d8ae4919323f584a1750cfe.exe
PID 392 wrote to memory of 2816	392	d0e763139d8ae4919323f584a1750cfe.exe	d0e763139d8ae4919323f584a1750cfe.exe
PID 392 wrote to memory of 2816	392	d0e763139d8ae4919323f584a1750cfe.exe	d0e763139d8ae4919323f584a1750cfe.exe
PID 392 wrote to memory of 2816	392	d0e763139d8ae4919323f584a1750cfe.exe	d0e763139d8ae4919323f584a1750cfe.exe
PID 392 wrote to memory of 2816	392	d0e763139d8ae4919323f584a1750cfe.exe	d0e763139d8ae4919323f584a1750cfe.exe
PID 392 wrote to memory of 2816	392	d0e763139d8ae4919323f584a1750cfe.exe	d0e763139d8ae4919323f584a1750cfe.exe

C:\Users\Admin\AppData\Local\Temp\d0e763139d8ae4919323f584a1750cfe.exe
"C:\Users\Admin\AppData\Local\Temp\d0e763139d8ae4919323f584a1750cfe.exe"
1⤵
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\㬸㬎㬬㬻㬉㬇㬹㭌㬅㬉㬉㬎㬧㬹㬶\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d0e763139d8ae4919323f584a1750cfe.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\㬸㬎㬬㬻㬉㬇㬹㭌㬅㬉㬉㬎㬧㬹㬶\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Users\Admin\AppData\Local\Temp\4b47e2ad-1636-4d3a-acfa-9bb387e6b560\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\4b47e2ad-1636-4d3a-acfa-9bb387e6b560\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\4b47e2ad-1636-4d3a-acfa-9bb387e6b560\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000

C:\Users\Admin\AppData\Local\Temp\4b47e2ad-1636-4d3a-acfa-9bb387e6b560\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\4b47e2ad-1636-4d3a-acfa-9bb387e6b560\AdvancedRun.exe" /SpecialRun 4101d8 4000
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d0e763139d8ae4919323f584a1750cfe.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Users\Admin\AppData\Local\Temp\d0e763139d8ae4919323f584a1750cfe.exe
"C:\Users\Admin\AppData\Local\Temp\d0e763139d8ae4919323f584a1750cfe.exe"
2⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 2476
2⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3180

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2500

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:1828

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:2544

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:4744

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:1436

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:5088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
276b7468dc942f409e2f4b79e6b92fa4

SHA1
1f55deab360871b08ee535d7a79d414791b27cb0

SHA256
6fd17514ae202ffdb1d8c532cc38c8531d314d8b4d3172079aed45a197193713

SHA512
0c45e6e33512d81ae6bcbf0ed9e3b60e105d82466ffc78f2d0fd8904ccb3c7022272fd5fb0236524212f5b92e142578157e9ecc790501cd4556dc05a063a8356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
276b7468dc942f409e2f4b79e6b92fa4

SHA1
1f55deab360871b08ee535d7a79d414791b27cb0

SHA256
6fd17514ae202ffdb1d8c532cc38c8531d314d8b4d3172079aed45a197193713

SHA512
0c45e6e33512d81ae6bcbf0ed9e3b60e105d82466ffc78f2d0fd8904ccb3c7022272fd5fb0236524212f5b92e142578157e9ecc790501cd4556dc05a063a8356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
89e7dc9245f38459c195c094433cbee9

SHA1
71c367ff906f3e9a173ab43d24fd04fc5206b298

SHA256
4188e9c1b3147ee9296754ef5c12fbcb673ab72a20211a4faa7352000df14305

SHA512
73a1ee9f23ce246074fb549a10fbc1966be6d857f7d51b31594874b64320e60b8117c67ba6a47edfa5d6c4841ec274c0bfaf22df0150c79bbaca0bd71d4a8389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5ecc8012a831d83659aeab5f96919eeb

SHA1
53f2db72c3f0a90057fc3881b39dc16a2171f604

SHA256
3435f8a308e628615b4140016d5010eb5fa315a55bf916f61aec2a389714ce74

SHA512
43825c20fe32dead95d9add709ecd0f0dde76a96452915fe67bf1b573343e63511018497d713b7ff1fbee3426a368dfbe7e824c786b88f2f782638805066d249

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\Y3IYH23I\microsoft.windows[1].xml
MD5
1811d42735be8e7c2d199d04477ad91c

SHA1
d8bbe744d644fc7073a7e79462a917fa0916a16d

SHA256
6f1d66117c44c5751487511eff702d2950703bb7100595cd3d149c811b29a37c

SHA512
2c3d67fbfb993278b33c28d97bdc33f33781edd88e19d4b14226946218b5c912b47134ddb8945feb66182f496215cfa7bcc06bc490ff984e5ec050ea09a52377

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b47e2ad-1636-4d3a-acfa-9bb387e6b560\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b47e2ad-1636-4d3a-acfa-9bb387e6b560\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b47e2ad-1636-4d3a-acfa-9bb387e6b560\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\??\M:\$RECYCLE.BIN\S-1-5-21-941723256-3451054534-3089625102-1000\desktop.ini
MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
memory/392-117-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/392-135-0x0000000005EC0000-0x0000000005EC1000-memory.dmp

Filesize
4KB

Download
memory/392-115-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/392-118-0x0000000005D00000-0x0000000005D01000-memory.dmp

Filesize
4KB

Download
memory/392-145-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/392-121-0x0000000005C60000-0x0000000005CD3000-memory.dmp

Filesize
460KB

Download
memory/392-122-0x00000000062A0000-0x00000000062A1000-memory.dmp

Filesize
4KB

Download
memory/916-131-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/916-163-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/916-278-0x00000000029B3000-0x00000000029B4000-memory.dmp

Filesize
4KB

Download
memory/916-141-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/916-154-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/916-157-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download
memory/916-125-0x0000000000000000-mapping.dmp

Download
memory/916-136-0x0000000006A80000-0x0000000006A81000-memory.dmp

Filesize
4KB

Download
memory/916-166-0x0000000007C50000-0x0000000007C51000-memory.dmp

Filesize
4KB

Download
memory/916-253-0x000000007E550000-0x000000007E551000-memory.dmp

Filesize
4KB

Download
memory/916-133-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/916-142-0x00000000029B2000-0x00000000029B3000-memory.dmp

Filesize
4KB

Download
memory/916-191-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/1400-149-0x0000000000000000-mapping.dmp

Download
memory/2104-249-0x000000007EA30000-0x000000007EA31000-memory.dmp

Filesize
4KB

Download
memory/2104-184-0x00000000048F2000-0x00000000048F3000-memory.dmp

Filesize
4KB

Download
memory/2104-183-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/2104-279-0x00000000048F3000-0x00000000048F4000-memory.dmp

Filesize
4KB

Download
memory/2104-175-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/2104-173-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/2104-169-0x0000000000000000-mapping.dmp

Download
memory/2104-195-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/2816-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2816-185-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2816-176-0x0000000000407CA0-mapping.dmp

Download
memory/3316-144-0x0000000004E32000-0x0000000004E33000-memory.dmp

Filesize
4KB

Download
memory/3316-123-0x0000000000000000-mapping.dmp

Download
memory/3316-260-0x000000007E3B0000-0x000000007E3B1000-memory.dmp

Filesize
4KB

Download
memory/3316-277-0x0000000004E33000-0x0000000004E34000-memory.dmp

Filesize
4KB

Download
memory/3316-190-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/3316-126-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/3316-127-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/3316-160-0x0000000008210000-0x0000000008211000-memory.dmp

Filesize
4KB

Download
memory/3316-130-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/3316-139-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/3880-280-0x0000000007463000-0x0000000007464000-memory.dmp

Filesize
4KB

Download
memory/3880-143-0x0000000007462000-0x0000000007463000-memory.dmp

Filesize
4KB

Download
memory/3880-140-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/3880-151-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/3880-129-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/3880-128-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/3880-170-0x0000000008910000-0x0000000008911000-memory.dmp

Filesize
4KB

Download
memory/3880-189-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/3880-124-0x0000000000000000-mapping.dmp

Download
memory/3880-257-0x000000007E690000-0x000000007E691000-memory.dmp

Filesize
4KB

Download
memory/4000-146-0x0000000000000000-mapping.dmp

Download