5808f60c452afaac69a4de6a345209e168a79b2a0c67de5ed0c227e6c4d2cc1c

Analysis

max time kernel
151s
max time network
122s
platform
windows10_x64
resource
win10-en-20211014
submitted
21-11-2021 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MoleculeV_.bin.exe
Size

461KB
MD5

bb09e9b8daef63d4ebe21fcb2519c5d5
SHA1

9adacd3ed8963404925d72efa1acca50dd9673b8
SHA256

d47e0056a7336be404b2ddf56bdb6897046f6a6ddb0f38bb9f6674ca4c3eaf15
SHA512

18f6d6023d1922a6e81833ef294e7fba4dde436fd67727d30a5f7c9f0b564cd940dca58217222f54454d2177a2fd4303389f4d4e4cd6e2d0290309cfc85f6267

Score

10^/10

agilenet evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\READ_IT.txt

Ransom Note

What happened to your files? All your files are encrypted with RSA-4096, Read more on https://en.wikipedia.org/wiki/RSA_(cryptosystem) RSA is an algorithm used by modern computers to encrypt and decrypt the data. RSA is an asymmetric cryptographic algorithm. Asymmetric means that there are two different keys. This is also called public key cryptography, because one of the keys can be given to anyone: 1 - We encrypted your files with our Public key 2 - You can decrypt, the encrypted files with specific Private key and your private key is in our hands ( It's not possible to recover your files without our private key ) Is it possible to get back your data? Yes, We have a decrypter with the private key. We have one option to get all your data back. "Follow the instructions to get all your data back: Step 1 : You must send us 80$ worth of Bitcoin for your affected system Step 2 : After you sent us the bitcoin our system automatically decrypt all you files and our software will delete itself Our Bitcoin address is: 1AcXKNDs71c1QZgVNvFZVwQgWNBQDjvT4H Where to buy Bitcoin? The easiest way is LocalBitcoins, but you can find more websites to buy bitcoin using Google Search: buy bitcoin online MMoga.com Bitcoin gift cards is a fast way to buy bitcoins

Wallets

1AcXKNDs71c1QZgVNvFZVwQgWNBQDjvT4H

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4764 bcdedit.exe
4272 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4148 wbadmin.exe

pid	process
4764	bcdedit.exe
4272	bcdedit.exe

pid	process
4148	wbadmin.exe

Executes dropped EXE 4 IoCs

Processes:

Molecule.exe2c818d6f-6b05-478c-8ce1-9d49a3874096.exe2c818d6f-6b05-478c-8ce1-9d49a3874096.exe2c818d6f-6b05-478c-8ce1-9d49a3874096.exe

pid	process
652	Molecule.exe
4144	2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
4344	2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
5040	2c818d6f-6b05-478c-8ce1-9d49a3874096.exe

Drops startup file 2 IoCs

Processes:

MoleculeV_.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows_Update.url	MoleculeV_.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows_Update.url	MoleculeV_.bin.exe

Loads dropped DLL 4 IoCs

Processes:

Molecule.exe2c818d6f-6b05-478c-8ce1-9d49a3874096.exe2c818d6f-6b05-478c-8ce1-9d49a3874096.exe2c818d6f-6b05-478c-8ce1-9d49a3874096.exe

pid	process
652	Molecule.exe
5040	2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
4344	2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
4144	2c818d6f-6b05-478c-8ce1-9d49a3874096.exe

Obfuscated with Agile.Net obfuscator 6 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\Molecule.exe	agile_net
C:\Users\Admin\Molecule.exe	agile_net
C:\ProgramData\Microsoft\Crypto\SystemKeys\{2c818d6f-6b05-478c-8ce1-9d49a3874096}\2c818d6f-6b05-478c-8ce1-9d49a3874096.exe	agile_net
C:\ProgramData\Microsoft\Crypto\SystemKeys\{2c818d6f-6b05-478c-8ce1-9d49a3874096}\2c818d6f-6b05-478c-8ce1-9d49a3874096.exe	agile_net
C:\ProgramData\Microsoft\Crypto\SystemKeys\{2c818d6f-6b05-478c-8ce1-9d49a3874096}\2c818d6f-6b05-478c-8ce1-9d49a3874096.exe	agile_net
C:\ProgramData\Microsoft\Crypto\SystemKeys\{2c818d6f-6b05-478c-8ce1-9d49a3874096}\2c818d6f-6b05-478c-8ce1-9d49a3874096.exe	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

MoleculeV_.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp"	MoleculeV_.bin.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4304 vssadmin.exe

pid	process
4304	vssadmin.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

MoleculeV_.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallpaperStyle = "2"	MoleculeV_.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\TileWallpaper = "0"	MoleculeV_.bin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeMoleculeV_.bin.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeMolecule.exe

pid	process
3744	powershell.exe
3744	powershell.exe
3744	powershell.exe
2752	MoleculeV_.bin.exe
1184	powershell.exe
608	powershell.exe
896	powershell.exe
392	powershell.exe
676	powershell.exe
984	powershell.exe
892	powershell.exe
1368	powershell.exe
1528	powershell.exe
3132	powershell.exe
2032	powershell.exe
2976	powershell.exe
1184	powershell.exe
1184	powershell.exe
608	powershell.exe
608	powershell.exe
896	powershell.exe
896	powershell.exe
892	powershell.exe
892	powershell.exe
984	powershell.exe
984	powershell.exe
392	powershell.exe
392	powershell.exe
676	powershell.exe
676	powershell.exe
1368	powershell.exe
1368	powershell.exe
3132	powershell.exe
3132	powershell.exe
1528	powershell.exe
1528	powershell.exe
2032	powershell.exe
2032	powershell.exe
2976	powershell.exe
2976	powershell.exe
608	powershell.exe
892	powershell.exe
1184	powershell.exe
984	powershell.exe
896	powershell.exe
392	powershell.exe
676	powershell.exe
2752	MoleculeV_.bin.exe
2752	MoleculeV_.bin.exe
1368	powershell.exe
1528	powershell.exe
3132	powershell.exe
2032	powershell.exe
2976	powershell.exe
652	Molecule.exe
652	Molecule.exe
652	Molecule.exe
652	Molecule.exe
652	Molecule.exe
652	Molecule.exe
652	Molecule.exe
652	Molecule.exe
652	Molecule.exe
652	Molecule.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

MoleculeV_.bin.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2752	MoleculeV_.bin.exe
Token: SeDebugPrivilege	2752	MoleculeV_.bin.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeIncreaseQuotaPrivilege	3744	powershell.exe
Token: SeSecurityPrivilege	3744	powershell.exe
Token: SeTakeOwnershipPrivilege	3744	powershell.exe
Token: SeLoadDriverPrivilege	3744	powershell.exe
Token: SeSystemProfilePrivilege	3744	powershell.exe
Token: SeSystemtimePrivilege	3744	powershell.exe
Token: SeProfSingleProcessPrivilege	3744	powershell.exe
Token: SeIncBasePriorityPrivilege	3744	powershell.exe
Token: SeCreatePagefilePrivilege	3744	powershell.exe
Token: SeBackupPrivilege	3744	powershell.exe
Token: SeRestorePrivilege	3744	powershell.exe
Token: SeShutdownPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeSystemEnvironmentPrivilege	3744	powershell.exe
Token: SeRemoteShutdownPrivilege	3744	powershell.exe
Token: SeUndockPrivilege	3744	powershell.exe
Token: SeManageVolumePrivilege	3744	powershell.exe
Token: 33	3744	powershell.exe
Token: 34	3744	powershell.exe
Token: 35	3744	powershell.exe
Token: 36	3744	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2752	MoleculeV_.bin.exe
Token: SeIncreaseQuotaPrivilege	608	powershell.exe
Token: SeSecurityPrivilege	608	powershell.exe
Token: SeTakeOwnershipPrivilege	608	powershell.exe
Token: SeLoadDriverPrivilege	608	powershell.exe
Token: SeSystemProfilePrivilege	608	powershell.exe
Token: SeSystemtimePrivilege	608	powershell.exe
Token: SeProfSingleProcessPrivilege	608	powershell.exe
Token: SeIncBasePriorityPrivilege	608	powershell.exe
Token: SeCreatePagefilePrivilege	608	powershell.exe
Token: SeBackupPrivilege	608	powershell.exe
Token: SeRestorePrivilege	608	powershell.exe
Token: SeShutdownPrivilege	608	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeSystemEnvironmentPrivilege	608	powershell.exe
Token: SeRemoteShutdownPrivilege	608	powershell.exe
Token: SeUndockPrivilege	608	powershell.exe
Token: SeManageVolumePrivilege	608	powershell.exe
Token: 33	608	powershell.exe
Token: 34	608	powershell.exe
Token: 35	608	powershell.exe
Token: 36	608	powershell.exe
Token: SeBackupPrivilege	4904	vssvc.exe
Token: SeRestorePrivilege	4904	vssvc.exe
Token: SeAuditPrivilege	4904	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1184	powershell.exe
Token: SeSecurityPrivilege	1184	powershell.exe
Token: SeTakeOwnershipPrivilege	1184	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MoleculeV_.bin.execmd.execmd.execmd.exeMolecule.exe

description	pid	process	target process
PID 2752 wrote to memory of 3744	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 3744	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 1184	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 1184	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 608	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 608	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 896	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 896	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 676	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 676	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 984	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 984	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 392	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 392	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 892	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 892	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 1368	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 1368	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 2032	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 2032	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 1528	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 1528	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 3132	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 3132	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 2976	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 2976	2752	MoleculeV_.bin.exe	powershell.exe
PID 2752 wrote to memory of 3772	2752	MoleculeV_.bin.exe	cmd.exe
PID 2752 wrote to memory of 3772	2752	MoleculeV_.bin.exe	cmd.exe
PID 2752 wrote to memory of 652	2752	MoleculeV_.bin.exe	Molecule.exe
PID 2752 wrote to memory of 652	2752	MoleculeV_.bin.exe	Molecule.exe
PID 2752 wrote to memory of 652	2752	MoleculeV_.bin.exe	Molecule.exe
PID 2752 wrote to memory of 4460	2752	MoleculeV_.bin.exe	cmd.exe
PID 2752 wrote to memory of 4460	2752	MoleculeV_.bin.exe	cmd.exe
PID 2752 wrote to memory of 4492	2752	MoleculeV_.bin.exe	cmd.exe
PID 2752 wrote to memory of 4492	2752	MoleculeV_.bin.exe	cmd.exe
PID 4460 wrote to memory of 4276	4460	cmd.exe	choice.exe
PID 4460 wrote to memory of 4276	4460	cmd.exe	choice.exe
PID 3772 wrote to memory of 4304	3772	cmd.exe	vssadmin.exe
PID 3772 wrote to memory of 4304	3772	cmd.exe	vssadmin.exe
PID 4492 wrote to memory of 4408	4492	cmd.exe	choice.exe
PID 4492 wrote to memory of 4408	4492	cmd.exe	choice.exe
PID 652 wrote to memory of 4144	652	Molecule.exe	2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
PID 652 wrote to memory of 4144	652	Molecule.exe	2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
PID 652 wrote to memory of 4144	652	Molecule.exe	2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
PID 652 wrote to memory of 4344	652	Molecule.exe	2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
PID 652 wrote to memory of 4344	652	Molecule.exe	2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
PID 652 wrote to memory of 4344	652	Molecule.exe	2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
PID 652 wrote to memory of 5040	652	Molecule.exe	2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
PID 652 wrote to memory of 5040	652	Molecule.exe	2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
PID 652 wrote to memory of 5040	652	Molecule.exe	2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
PID 3772 wrote to memory of 4684	3772	cmd.exe	WMIC.exe
PID 3772 wrote to memory of 4684	3772	cmd.exe	WMIC.exe
PID 3772 wrote to memory of 4956	3772	cmd.exe	wevtutil.exe
PID 3772 wrote to memory of 4956	3772	cmd.exe	wevtutil.exe
PID 3772 wrote to memory of 4608	3772	cmd.exe	wevtutil.exe
PID 3772 wrote to memory of 4608	3772	cmd.exe	wevtutil.exe
PID 3772 wrote to memory of 4692	3772	cmd.exe	wevtutil.exe
PID 3772 wrote to memory of 4692	3772	cmd.exe	wevtutil.exe
PID 3772 wrote to memory of 4764	3772	cmd.exe	bcdedit.exe
PID 3772 wrote to memory of 4764	3772	cmd.exe	bcdedit.exe
PID 3772 wrote to memory of 4272	3772	cmd.exe	bcdedit.exe
PID 3772 wrote to memory of 4272	3772	cmd.exe	bcdedit.exe
PID 3772 wrote to memory of 4148	3772	cmd.exe	wbadmin.exe
PID 3772 wrote to memory of 4148	3772	cmd.exe	wbadmin.exe

C:\Users\Admin\AppData\Local\Temp\MoleculeV_.bin.exe
"C:\Users\Admin\AppData\Local\Temp\MoleculeV_.bin.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4304

C:\Windows\System32\Wbem\WMIC.exe
WMIC shadowcopy delete
3⤵
PID:4684

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Application
3⤵
PID:4956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Security
3⤵
PID:4608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl System
3⤵
PID:4692

C:\Windows\system32\bcdedit.exe
Bcdedit.exe /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:4764

C:\Windows\system32\bcdedit.exe
Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:4272

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog
3⤵
- Deletes backup catalog
- Drops file in Windows directory
PID:4148

C:\Users\Admin\Molecule.exe
"C:\Users\Admin\Molecule.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:652

C:\ProgramData\Microsoft\Crypto\SystemKeys\{2c818d6f-6b05-478c-8ce1-9d49a3874096}\2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
"C:\ProgramData\Microsoft\Crypto\SystemKeys\{2c818d6f-6b05-478c-8ce1-9d49a3874096}\2c818d6f-6b05-478c-8ce1-9d49a3874096.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4144

C:\ProgramData\Microsoft\Crypto\SystemKeys\{2c818d6f-6b05-478c-8ce1-9d49a3874096}\2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
"C:\ProgramData\Microsoft\Crypto\SystemKeys\{2c818d6f-6b05-478c-8ce1-9d49a3874096}\2c818d6f-6b05-478c-8ce1-9d49a3874096.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4344

C:\ProgramData\Microsoft\Crypto\SystemKeys\{2c818d6f-6b05-478c-8ce1-9d49a3874096}\2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
"C:\ProgramData\Microsoft\Crypto\SystemKeys\{2c818d6f-6b05-478c-8ce1-9d49a3874096}\2c818d6f-6b05-478c-8ce1-9d49a3874096.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MoleculeV_.bin.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:4276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del ""
2⤵
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:4408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:256

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1696

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Indicator Removal on Host

T1070

File Deletion

T1107

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\SystemKeys\{2c818d6f-6b05-478c-8ce1-9d49a3874096}\2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
MD5
d116a8e45885f50c38bc1fa1276e5f5b

SHA1
f2b4fb67061237e515c3ba877d298bb59a16c979

SHA256
b79091c0dce8b720d046e2ec8d653d68a4c4dfeea22aefed8ccb125128fc43a0

SHA512
7ac14ae6c0abac30d89dff33a4e966fa30fe360378dd78a27646a45ad8a43551933e571540745264dd725d1f695eaf8ccf421fff8f891639ee2468c7b7db307e

Download Submit
C:\ProgramData\Microsoft\Crypto\SystemKeys\{2c818d6f-6b05-478c-8ce1-9d49a3874096}\2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
MD5
d116a8e45885f50c38bc1fa1276e5f5b

SHA1
f2b4fb67061237e515c3ba877d298bb59a16c979

SHA256
b79091c0dce8b720d046e2ec8d653d68a4c4dfeea22aefed8ccb125128fc43a0

SHA512
7ac14ae6c0abac30d89dff33a4e966fa30fe360378dd78a27646a45ad8a43551933e571540745264dd725d1f695eaf8ccf421fff8f891639ee2468c7b7db307e

Download Submit
C:\ProgramData\Microsoft\Crypto\SystemKeys\{2c818d6f-6b05-478c-8ce1-9d49a3874096}\2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
MD5
d116a8e45885f50c38bc1fa1276e5f5b

SHA1
f2b4fb67061237e515c3ba877d298bb59a16c979

SHA256
b79091c0dce8b720d046e2ec8d653d68a4c4dfeea22aefed8ccb125128fc43a0

SHA512
7ac14ae6c0abac30d89dff33a4e966fa30fe360378dd78a27646a45ad8a43551933e571540745264dd725d1f695eaf8ccf421fff8f891639ee2468c7b7db307e

Download Submit
C:\ProgramData\Microsoft\Crypto\SystemKeys\{2c818d6f-6b05-478c-8ce1-9d49a3874096}\2c818d6f-6b05-478c-8ce1-9d49a3874096.exe
MD5
d116a8e45885f50c38bc1fa1276e5f5b

SHA1
f2b4fb67061237e515c3ba877d298bb59a16c979

SHA256
b79091c0dce8b720d046e2ec8d653d68a4c4dfeea22aefed8ccb125128fc43a0

SHA512
7ac14ae6c0abac30d89dff33a4e966fa30fe360378dd78a27646a45ad8a43551933e571540745264dd725d1f695eaf8ccf421fff8f891639ee2468c7b7db307e

Download Submit
C:\ProgramData\Microsoft\Crypto\SystemKeys\{2c818d6f-6b05-478c-8ce1-9d49a3874096}\global_btc
MD5
d9f33b1eed9e8d3ce5ce8abda361a73a

SHA1
7473eb578943e97e5c38138051d7cf704e906b57

SHA256
a2e2f2897a9cac6a24c6723e8ea1f2ccebdf20a6f11d194928d08357e6756894

SHA512
0138033be1083219b71adda5d7f3523f3c82021d49539884ab281eb72ab0295e7a87ded58c3072424d0af50f1c3d1bf4bf96cd1336ad09963a62a78a934feafa

Download Submit
C:\ProgramData\Microsoft\Crypto\SystemKeys\{2c818d6f-6b05-478c-8ce1-9d49a3874096}\global_tt
MD5
67b24b2e06404d2183824663e59ab6b1

SHA1
52a9ac374a589f4b7d4dfe8eff8b5714988c9f36

SHA256
de9dbe008e251ac7b72f0d02bc35e28601cdd5981bde68ea5b075b76858c7af3

SHA512
a8f8a7de2f5fdd4ec215623d6b7d6af779c760a3c32361a93046320348852d72de49887aa83d03e09545e734c92e6315a213d3cee083e87b08c1551706ae0646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1be6e3bcdc688dda5d3b4fc71d9f6166

SHA1
9de60299318ae29fd3d915e0cff95ff895dbda14

SHA256
2521245091cab8c80576ac4309808a4d0daebb2f9c1f2d99489c5085c0ba55e5

SHA512
8e75f5cf28b0f53344423c8abd97b339ab8e1b3a2727132845576b27d373ac61cc6c58d0072c4426ba296bc08f06027cdc67c689c7e72eb8ba08ffc7d24f747e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c08229efbfe0d62098273299ef5ab46e

SHA1
bc135d013e99b4d82201441b58a597a76dc156de

SHA256
d6f00d777f5d307ddaa182a233b096c013673b17e6ce62f749e7f203b6ec152d

SHA512
3c620edcf76d7566ccefd6986250486e050c6013d1a315d57fa6792a78acef723a8d7ec00c6e78ec5b03cc427a77b165495bf319841dd263662a8d9aa5bf0616

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c08229efbfe0d62098273299ef5ab46e

SHA1
bc135d013e99b4d82201441b58a597a76dc156de

SHA256
d6f00d777f5d307ddaa182a233b096c013673b17e6ce62f749e7f203b6ec152d

SHA512
3c620edcf76d7566ccefd6986250486e050c6013d1a315d57fa6792a78acef723a8d7ec00c6e78ec5b03cc427a77b165495bf319841dd263662a8d9aa5bf0616

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
97935b78d2cc23ba00dd757c4102cde0

SHA1
09168c7f77eb13244d946266022ae52ddbce4798

SHA256
ad3d6a353a36d05d3039ee297ec9cf876d29dca5b7d93098010d9f74e7239c51

SHA512
129ffd12dfaacc90d208a287b13aa223a94529ecb91f4f24833232ebd5af45fe6a34aedc42c675a5e428c01c131eafa473c60d59e3153a6e94829982387270eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5414260fad2186b22437474a3ca6bfb3

SHA1
45a5d946b558e2f8604a98e9da853ea27bf3664a

SHA256
654f28bf56279e1d888e9fa05feecf2613e9f59bf845862309330ed8a9feb8b5

SHA512
6d7a894032d0b3c6c6b851ea1639cd4f5fd46c3a20b6a50338e9542ca951848ef9d4530f9361c2a81519a38c33ca5963feb4bf1eedd538c49b8bcad40fc2441f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5414260fad2186b22437474a3ca6bfb3

SHA1
45a5d946b558e2f8604a98e9da853ea27bf3664a

SHA256
654f28bf56279e1d888e9fa05feecf2613e9f59bf845862309330ed8a9feb8b5

SHA512
6d7a894032d0b3c6c6b851ea1639cd4f5fd46c3a20b6a50338e9542ca951848ef9d4530f9361c2a81519a38c33ca5963feb4bf1eedd538c49b8bcad40fc2441f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c9cdb866d8ceb72f8f8967350ece5dc4

SHA1
61ab0d72dfc089963e1a63650e1d367e4ffc3ae9

SHA256
38cd6520c5335df4617ec0eb6559062c248b7441ea801cf265db7a865112633d

SHA512
198e1228c77f2a452676ee79543f1389f5a4a3f310868958e3b4eca603acb7152eb5a37ce24e8cd26894172a7d50e65134df11b29204044122fea614f1a6d89e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
15214ca28ccf753b7b63c756dfa482e9

SHA1
651146fd2076e25a75d4ffe1bab2b9fd82d32b74

SHA256
2d9637767148628d28ee6689cee4b3a2f84d6eafa20ce3b8f0dc4a3283bcf38b

SHA512
ffbe0bdb25bd6da9428261b18f3e5a08a3f3587a3a445e9bf0224c300830b16fa13fcbd7a67e815fbb8623e1f4091776377930f3a208175ebea68eb2bc04d684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8da901ef855e63c65b1410f9c0d7a645

SHA1
4dd80049cc7a7cc328dc57ed649f99b423e79b69

SHA256
5d70c498e6e11250da64c6ffbeb3b881b8398fc0e94d35ac177047cc1509c6a3

SHA512
ba09637755f8b502f2f5899fc35edef12d1fae68a629787e2a8c8b32408e053473a7d2854b7ed1624b2284f14b031585d3ebad2ce74786edb85627ec42bd805d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8da901ef855e63c65b1410f9c0d7a645

SHA1
4dd80049cc7a7cc328dc57ed649f99b423e79b69

SHA256
5d70c498e6e11250da64c6ffbeb3b881b8398fc0e94d35ac177047cc1509c6a3

SHA512
ba09637755f8b502f2f5899fc35edef12d1fae68a629787e2a8c8b32408e053473a7d2854b7ed1624b2284f14b031585d3ebad2ce74786edb85627ec42bd805d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1061f7b4d14de800d7b5c8d7078171e8

SHA1
0699a53b2e31e4154cca56e94e977c2cafc4dac5

SHA256
55f5d271ae369d9cd3ee218f6663283608c1e4ec9190a5967d33c0ecce2c2719

SHA512
cc6247f8517bdc302e738739666cdbb7e7cd7792d5ab04d7925da75d56dfc47b9be7aafcde311277b5c1f80f23cdd28cae300071c66a9e5bb8f40cd758186782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e7e1bef0c01a4cf915b87fba94d7d0b2

SHA1
4e372a636134b4a9915d5a86dbfdb087136e6412

SHA256
2013da0b258bf5c52f9c6bf94621a538217f8db531d57a3c63c4a05339a27291

SHA512
14acfef18700b814f06dbe1c33dc1860634338f77e7e7feb5d11ec38da99b93936ac906db7396b41355d364668b259d7a112bcdee8916edee7ce1f0a08359f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\712065b9-17a2-401a-81bb-2489055e183b\AgileDotNetRT.dll
MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\Molecule.exe
MD5
d116a8e45885f50c38bc1fa1276e5f5b

SHA1
f2b4fb67061237e515c3ba877d298bb59a16c979

SHA256
b79091c0dce8b720d046e2ec8d653d68a4c4dfeea22aefed8ccb125128fc43a0

SHA512
7ac14ae6c0abac30d89dff33a4e966fa30fe360378dd78a27646a45ad8a43551933e571540745264dd725d1f695eaf8ccf421fff8f891639ee2468c7b7db307e

Download Submit
C:\Users\Admin\Molecule.exe
MD5
d116a8e45885f50c38bc1fa1276e5f5b

SHA1
f2b4fb67061237e515c3ba877d298bb59a16c979

SHA256
b79091c0dce8b720d046e2ec8d653d68a4c4dfeea22aefed8ccb125128fc43a0

SHA512
7ac14ae6c0abac30d89dff33a4e966fa30fe360378dd78a27646a45ad8a43551933e571540745264dd725d1f695eaf8ccf421fff8f891639ee2468c7b7db307e

Download Submit
\Users\Admin\AppData\Local\Temp\712065b9-17a2-401a-81bb-2489055e183b\AgileDotNetRT.dll
MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
\Users\Admin\AppData\Local\Temp\712065b9-17a2-401a-81bb-2489055e183b\AgileDotNetRT.dll
MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
\Users\Admin\AppData\Local\Temp\712065b9-17a2-401a-81bb-2489055e183b\AgileDotNetRT.dll
MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
\Users\Admin\AppData\Local\Temp\712065b9-17a2-401a-81bb-2489055e183b\AgileDotNetRT.dll
MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
memory/392-209-0x0000011B473C3000-0x0000011B473C5000-memory.dmp

Filesize
8KB

Download
memory/392-185-0x0000011B2D2E0000-0x0000011B2D2E2000-memory.dmp

Filesize
8KB

Download
memory/392-188-0x0000011B2D2E0000-0x0000011B2D2E2000-memory.dmp

Filesize
8KB

Download
memory/392-201-0x0000011B2D2E0000-0x0000011B2D2E2000-memory.dmp

Filesize
8KB

Download
memory/392-355-0x0000011B473C6000-0x0000011B473C8000-memory.dmp

Filesize
8KB

Download
memory/392-161-0x0000000000000000-mapping.dmp

Download
memory/392-650-0x0000011B473C8000-0x0000011B473C9000-memory.dmp

Filesize
4KB

Download
memory/392-194-0x0000011B2D2E0000-0x0000011B2D2E2000-memory.dmp

Filesize
8KB

Download
memory/392-206-0x0000011B473C0000-0x0000011B473C2000-memory.dmp

Filesize
8KB

Download
memory/608-173-0x000001E8FECF0000-0x000001E8FECF2000-memory.dmp

Filesize
8KB

Download
memory/608-157-0x0000000000000000-mapping.dmp

Download
memory/608-179-0x000001E8FECF0000-0x000001E8FECF2000-memory.dmp

Filesize
8KB

Download
memory/608-631-0x000001E8FF858000-0x000001E8FF859000-memory.dmp

Filesize
4KB

Download
memory/608-339-0x000001E8FF856000-0x000001E8FF858000-memory.dmp

Filesize
8KB

Download
memory/608-168-0x000001E8FECF0000-0x000001E8FECF2000-memory.dmp

Filesize
8KB

Download
memory/608-189-0x000001E8FF850000-0x000001E8FF852000-memory.dmp

Filesize
8KB

Download
memory/608-190-0x000001E8FF853000-0x000001E8FF855000-memory.dmp

Filesize
8KB

Download
memory/608-171-0x000001E8FECF0000-0x000001E8FECF2000-memory.dmp

Filesize
8KB

Download
memory/652-359-0x0000000001460000-0x0000000001461000-memory.dmp

Filesize
4KB

Download
memory/652-268-0x0000000000000000-mapping.dmp

Download
memory/652-492-0x0000000001463000-0x0000000001465000-memory.dmp

Filesize
8KB

Download
memory/676-364-0x0000020981576000-0x0000020981578000-memory.dmp

Filesize
8KB

Download
memory/676-239-0x0000020981573000-0x0000020981575000-memory.dmp

Filesize
8KB

Download
memory/676-202-0x0000020981450000-0x0000020981452000-memory.dmp

Filesize
8KB

Download
memory/676-238-0x0000020981570000-0x0000020981572000-memory.dmp

Filesize
8KB

Download
memory/676-651-0x0000020981578000-0x0000020981579000-memory.dmp

Filesize
4KB

Download
memory/676-159-0x0000000000000000-mapping.dmp

Download
memory/676-183-0x0000020981450000-0x0000020981452000-memory.dmp

Filesize
8KB

Download
memory/676-187-0x0000020981450000-0x0000020981452000-memory.dmp

Filesize
8KB

Download
memory/676-193-0x0000020981450000-0x0000020981452000-memory.dmp

Filesize
8KB

Download
memory/892-214-0x000001FB1A3C0000-0x000001FB1A3C2000-memory.dmp

Filesize
8KB

Download
memory/892-345-0x000001FB1A3C6000-0x000001FB1A3C8000-memory.dmp

Filesize
8KB

Download
memory/892-191-0x000001FB1A270000-0x000001FB1A272000-memory.dmp

Filesize
8KB

Download
memory/892-203-0x000001FB1A270000-0x000001FB1A272000-memory.dmp

Filesize
8KB

Download
memory/892-162-0x0000000000000000-mapping.dmp

Download
memory/892-648-0x000001FB1A3C8000-0x000001FB1A3C9000-memory.dmp

Filesize
4KB

Download
memory/892-196-0x000001FB1A270000-0x000001FB1A272000-memory.dmp

Filesize
8KB

Download
memory/892-218-0x000001FB1A3C3000-0x000001FB1A3C5000-memory.dmp

Filesize
8KB

Download
memory/896-192-0x000002755EAB0000-0x000002755EAB2000-memory.dmp

Filesize
8KB

Download
memory/896-178-0x000002755EAB0000-0x000002755EAB2000-memory.dmp

Filesize
8KB

Download
memory/896-186-0x000002755EAB0000-0x000002755EAB2000-memory.dmp

Filesize
8KB

Download
memory/896-652-0x00000275788A8000-0x00000275788A9000-memory.dmp

Filesize
4KB

Download
memory/896-373-0x00000275788A6000-0x00000275788A8000-memory.dmp

Filesize
8KB

Download
memory/896-158-0x0000000000000000-mapping.dmp

Download
memory/896-195-0x00000275788A0000-0x00000275788A2000-memory.dmp

Filesize
8KB

Download
memory/896-176-0x000002755EAB0000-0x000002755EAB2000-memory.dmp

Filesize
8KB

Download
memory/896-198-0x00000275788A3000-0x00000275788A5000-memory.dmp

Filesize
8KB

Download
memory/984-242-0x0000019DBBDF3000-0x0000019DBBDF5000-memory.dmp

Filesize
8KB

Download
memory/984-368-0x0000019DBBDF6000-0x0000019DBBDF8000-memory.dmp

Filesize
8KB

Download
memory/984-160-0x0000000000000000-mapping.dmp

Download
memory/984-182-0x0000019DBA410000-0x0000019DBA412000-memory.dmp

Filesize
8KB

Download
memory/984-181-0x0000019DBA410000-0x0000019DBA412000-memory.dmp

Filesize
8KB

Download
memory/984-649-0x0000019DBBDF8000-0x0000019DBBDF9000-memory.dmp

Filesize
4KB

Download
memory/984-197-0x0000019DBA410000-0x0000019DBA412000-memory.dmp

Filesize
8KB

Download
memory/984-240-0x0000019DBBDF0000-0x0000019DBBDF2000-memory.dmp

Filesize
8KB

Download
memory/1184-184-0x000002B49B903000-0x000002B49B905000-memory.dmp

Filesize
8KB

Download
memory/1184-169-0x000002B499DF0000-0x000002B499DF2000-memory.dmp

Filesize
8KB

Download
memory/1184-164-0x000002B499DF0000-0x000002B499DF2000-memory.dmp

Filesize
8KB

Download
memory/1184-180-0x000002B49B900000-0x000002B49B902000-memory.dmp

Filesize
8KB

Download
memory/1184-175-0x000002B499DF0000-0x000002B499DF2000-memory.dmp

Filesize
8KB

Download
memory/1184-647-0x000002B49B908000-0x000002B49B909000-memory.dmp

Filesize
4KB

Download
memory/1184-156-0x0000000000000000-mapping.dmp

Download
memory/1184-166-0x000002B499DF0000-0x000002B499DF2000-memory.dmp

Filesize
8KB

Download
memory/1184-350-0x000002B49B906000-0x000002B49B908000-memory.dmp

Filesize
8KB

Download
memory/1368-199-0x000001FC62060000-0x000001FC62062000-memory.dmp

Filesize
8KB

Download
memory/1368-379-0x000001FC7A7A6000-0x000001FC7A7A8000-memory.dmp

Filesize
8KB

Download
memory/1368-221-0x000001FC7A7A0000-0x000001FC7A7A2000-memory.dmp

Filesize
8KB

Download
memory/1368-236-0x000001FC7A7A3000-0x000001FC7A7A5000-memory.dmp

Filesize
8KB

Download
memory/1368-165-0x0000000000000000-mapping.dmp

Download
memory/1368-653-0x000001FC7A7A8000-0x000001FC7A7A9000-memory.dmp

Filesize
4KB

Download
memory/1528-508-0x00000192C41C6000-0x00000192C41C8000-memory.dmp

Filesize
8KB

Download
memory/1528-225-0x00000192C41C0000-0x00000192C41C2000-memory.dmp

Filesize
8KB

Download
memory/1528-170-0x0000000000000000-mapping.dmp

Download
memory/1528-244-0x00000192C41C3000-0x00000192C41C5000-memory.dmp

Filesize
8KB

Download
memory/1528-666-0x00000192C41C8000-0x00000192C41C9000-memory.dmp

Filesize
4KB

Download
memory/2032-200-0x000001F9EBF30000-0x000001F9EBF32000-memory.dmp

Filesize
8KB

Download
memory/2032-668-0x000001F9EDD48000-0x000001F9EDD49000-memory.dmp

Filesize
4KB

Download
memory/2032-167-0x0000000000000000-mapping.dmp

Download
memory/2032-512-0x000001F9EDD46000-0x000001F9EDD48000-memory.dmp

Filesize
8KB

Download
memory/2032-228-0x000001F9EDD40000-0x000001F9EDD42000-memory.dmp

Filesize
8KB

Download
memory/2032-247-0x000001F9EDD43000-0x000001F9EDD45000-memory.dmp

Filesize
8KB

Download
memory/2752-118-0x000000001B470000-0x000000001B4AC000-memory.dmp

Filesize
240KB

Download
memory/2752-117-0x000000001B460000-0x000000001B462000-memory.dmp

Filesize
8KB

Download
memory/2752-115-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2752-252-0x000000001B464000-0x000000001B465000-memory.dmp

Filesize
4KB

Download
memory/2976-174-0x0000000000000000-mapping.dmp

Download
memory/2976-521-0x000001EC1FE16000-0x000001EC1FE18000-memory.dmp

Filesize
8KB

Download
memory/2976-256-0x000001EC1FE13000-0x000001EC1FE15000-memory.dmp

Filesize
8KB

Download
memory/2976-669-0x000001EC1FE18000-0x000001EC1FE19000-memory.dmp

Filesize
4KB

Download
memory/2976-232-0x000001EC1FE10000-0x000001EC1FE12000-memory.dmp

Filesize
8KB

Download
memory/3132-254-0x000001D631CD3000-0x000001D631CD5000-memory.dmp

Filesize
8KB

Download
memory/3132-516-0x000001D631CD6000-0x000001D631CD8000-memory.dmp

Filesize
8KB

Download
memory/3132-667-0x000001D631CD8000-0x000001D631CD9000-memory.dmp

Filesize
4KB

Download
memory/3132-230-0x000001D631CD0000-0x000001D631CD2000-memory.dmp

Filesize
8KB

Download
memory/3132-172-0x0000000000000000-mapping.dmp

Download
memory/3744-131-0x000001F064B40000-0x000001F064B42000-memory.dmp

Filesize
8KB

Download
memory/3744-127-0x000001F04AAA0000-0x000001F04AAA2000-memory.dmp

Filesize
8KB

Download
memory/3744-119-0x0000000000000000-mapping.dmp

Download
memory/3744-120-0x000001F04AAA0000-0x000001F04AAA2000-memory.dmp

Filesize
8KB

Download
memory/3744-121-0x000001F04AAA0000-0x000001F04AAA2000-memory.dmp

Filesize
8KB

Download
memory/3744-122-0x000001F04AAA0000-0x000001F04AAA2000-memory.dmp

Filesize
8KB

Download
memory/3744-133-0x000001F04AAA0000-0x000001F04AAA2000-memory.dmp

Filesize
8KB

Download
memory/3744-123-0x000001F04AAA0000-0x000001F04AAA2000-memory.dmp

Filesize
8KB

Download
memory/3744-125-0x000001F065530000-0x000001F065531000-memory.dmp

Filesize
4KB

Download
memory/3744-124-0x000001F04AAA0000-0x000001F04AAA2000-memory.dmp

Filesize
8KB

Download
memory/3744-132-0x000001F064B43000-0x000001F064B45000-memory.dmp

Filesize
8KB

Download
memory/3744-154-0x000001F064B46000-0x000001F064B48000-memory.dmp

Filesize
8KB

Download
memory/3744-155-0x000001F04AAA0000-0x000001F04AAA2000-memory.dmp

Filesize
8KB

Download
memory/3744-126-0x000001F04AAA0000-0x000001F04AAA2000-memory.dmp

Filesize
8KB

Download
memory/3744-129-0x000001F04AAA0000-0x000001F04AAA2000-memory.dmp

Filesize
8KB

Download
memory/3744-128-0x000001F065660000-0x000001F065661000-memory.dmp

Filesize
4KB

Download
memory/3744-134-0x000001F04AAA0000-0x000001F04AAA2000-memory.dmp

Filesize
8KB

Download
memory/3772-177-0x0000000000000000-mapping.dmp

Download
memory/4144-597-0x0000000000000000-mapping.dmp

Download
memory/4144-644-0x0000000005113000-0x0000000005115000-memory.dmp

Filesize
8KB

Download
memory/4144-640-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4148-686-0x0000000000000000-mapping.dmp

Download
memory/4272-685-0x0000000000000000-mapping.dmp

Download
memory/4276-429-0x0000000000000000-mapping.dmp

Download
memory/4304-430-0x0000000000000000-mapping.dmp

Download
memory/4344-638-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/4344-598-0x0000000000000000-mapping.dmp

Download
memory/4344-643-0x0000000004E43000-0x0000000004E45000-memory.dmp

Filesize
8KB

Download
memory/4408-445-0x0000000000000000-mapping.dmp

Download
memory/4460-310-0x0000000000000000-mapping.dmp

Download
memory/4492-314-0x0000000000000000-mapping.dmp

Download
memory/4608-670-0x0000000000000000-mapping.dmp

Download
memory/4684-641-0x0000000000000000-mapping.dmp

Download
memory/4692-683-0x0000000000000000-mapping.dmp

Download
memory/4764-684-0x0000000000000000-mapping.dmp

Download
memory/4956-655-0x0000000000000000-mapping.dmp

Download
memory/5040-634-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/5040-599-0x0000000000000000-mapping.dmp

Download
memory/5040-645-0x0000000005513000-0x0000000005515000-memory.dmp

Filesize
8KB

Download