002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe
Size

786KB
MD5

d6ea3809221c8012b485df702a6ce5a7
SHA1

b0aead39e6f72e76d8f3e30861e57c7c020f7c18
SHA256

002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b
SHA512

f35fd7727573d68391cc52c312a406ab5601d1346400bf78ba6f095cbd6d6780afeabcf23a4dbec3d149699794022b1d4a45134bc2afa9b479bd856decd54754
SSDEEP

24576:Wr+1wg/nxG1FaWcajTgAR3qHw4W5MyoFS:Wrg+MGXRaHG5XoFS

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Temp\svchost.exe = "C:\\Windows\\Temp\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\drivergen.exe = "C:\\Users\\Admin\\AppData\\Roaming\\drivergen.exe:*:Enabled:Windows Messanger"	reg.exe

Executes dropped EXE 13 IoCs

Processes:

svchost.exerundll32 .exesvchost.exerundll32 .exesvchost.exerundll32 .exesvchost.exerundll32 .exesvchost.exerundll32 .exesvchost.exerundll32 .exesvchost.exe

pid	process
632	svchost.exe
1072	rundll32 .exe
2172	svchost.exe
4688	rundll32 .exe
3140	svchost.exe
2420	rundll32 .exe
2520	svchost.exe
1376	rundll32 .exe
4292	svchost.exe
3088	rundll32 .exe
4076	svchost.exe
1120	rundll32 .exe
4732	svchost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32 .exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32 .exe	cmd.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32 .exerundll32 .exerundll32 .exerundll32 .exe002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exerundll32 .exerundll32 .exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	rundll32 .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	rundll32 .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	rundll32 .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	rundll32 .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	rundll32 .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	rundll32 .exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exerundll32 .exerundll32 .exerundll32 .exerundll32 .exerundll32 .exerundll32 .exe

description	pid	process	target process
PID 3944 set thread context of 632	3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe	svchost.exe
PID 1072 set thread context of 2172	1072	rundll32 .exe	svchost.exe
PID 4688 set thread context of 3140	4688	rundll32 .exe	svchost.exe
PID 2420 set thread context of 2520	2420	rundll32 .exe	svchost.exe
PID 1376 set thread context of 4292	1376	rundll32 .exe	svchost.exe
PID 3088 set thread context of 4076	3088	rundll32 .exe	svchost.exe
PID 1120 set thread context of 4732	1120	rundll32 .exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

1344 reg.exe
4752 reg.exe
4520 reg.exe
1520 reg.exe
Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

4324 PING.EXE
1500 PING.EXE
2028 PING.EXE
780 PING.EXE
1972 PING.EXE
1040 PING.EXE

pid	process
1344	reg.exe
4752	reg.exe
4520	reg.exe
1520	reg.exe

pid	process
4324	PING.EXE
1500	PING.EXE
2028	PING.EXE
780	PING.EXE
1972	PING.EXE
1040	PING.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exerundll32 .exerundll32 .exerundll32 .exerundll32 .exerundll32 .exerundll32 .exe

pid	process
3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe
3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe
3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe
3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe
3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe
3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe
3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe
3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe
3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe
1072	rundll32 .exe
1072	rundll32 .exe
1072	rundll32 .exe
1072	rundll32 .exe
1072	rundll32 .exe
1072	rundll32 .exe
1072	rundll32 .exe
1072	rundll32 .exe
1072	rundll32 .exe
4688	rundll32 .exe
4688	rundll32 .exe
4688	rundll32 .exe
4688	rundll32 .exe
4688	rundll32 .exe
4688	rundll32 .exe
4688	rundll32 .exe
4688	rundll32 .exe
4688	rundll32 .exe
2420	rundll32 .exe
2420	rundll32 .exe
2420	rundll32 .exe
2420	rundll32 .exe
2420	rundll32 .exe
2420	rundll32 .exe
2420	rundll32 .exe
2420	rundll32 .exe
2420	rundll32 .exe
1376	rundll32 .exe
1376	rundll32 .exe
1376	rundll32 .exe
1376	rundll32 .exe
1376	rundll32 .exe
1376	rundll32 .exe
1376	rundll32 .exe
1376	rundll32 .exe
1376	rundll32 .exe
3088	rundll32 .exe
3088	rundll32 .exe
3088	rundll32 .exe
3088	rundll32 .exe
3088	rundll32 .exe
3088	rundll32 .exe
3088	rundll32 .exe
3088	rundll32 .exe
3088	rundll32 .exe
1120	rundll32 .exe
1120	rundll32 .exe
1120	rundll32 .exe
1120	rundll32 .exe
1120	rundll32 .exe
1120	rundll32 .exe
1120	rundll32 .exe
1120	rundll32 .exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exesvchost.exerundll32 .exerundll32 .exerundll32 .exerundll32 .exerundll32 .exerundll32 .exe

description	pid	process
Token: SeDebugPrivilege	3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe
Token: 1	632	svchost.exe
Token: SeCreateTokenPrivilege	632	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	632	svchost.exe
Token: SeLockMemoryPrivilege	632	svchost.exe
Token: SeIncreaseQuotaPrivilege	632	svchost.exe
Token: SeMachineAccountPrivilege	632	svchost.exe
Token: SeTcbPrivilege	632	svchost.exe
Token: SeSecurityPrivilege	632	svchost.exe
Token: SeTakeOwnershipPrivilege	632	svchost.exe
Token: SeLoadDriverPrivilege	632	svchost.exe
Token: SeSystemProfilePrivilege	632	svchost.exe
Token: SeSystemtimePrivilege	632	svchost.exe
Token: SeProfSingleProcessPrivilege	632	svchost.exe
Token: SeIncBasePriorityPrivilege	632	svchost.exe
Token: SeCreatePagefilePrivilege	632	svchost.exe
Token: SeCreatePermanentPrivilege	632	svchost.exe
Token: SeBackupPrivilege	632	svchost.exe
Token: SeRestorePrivilege	632	svchost.exe
Token: SeShutdownPrivilege	632	svchost.exe
Token: SeDebugPrivilege	632	svchost.exe
Token: SeAuditPrivilege	632	svchost.exe
Token: SeSystemEnvironmentPrivilege	632	svchost.exe
Token: SeChangeNotifyPrivilege	632	svchost.exe
Token: SeRemoteShutdownPrivilege	632	svchost.exe
Token: SeUndockPrivilege	632	svchost.exe
Token: SeSyncAgentPrivilege	632	svchost.exe
Token: SeEnableDelegationPrivilege	632	svchost.exe
Token: SeManageVolumePrivilege	632	svchost.exe
Token: SeImpersonatePrivilege	632	svchost.exe
Token: SeCreateGlobalPrivilege	632	svchost.exe
Token: 31	632	svchost.exe
Token: 32	632	svchost.exe
Token: 33	632	svchost.exe
Token: 34	632	svchost.exe
Token: 35	632	svchost.exe
Token: SeDebugPrivilege	1072	rundll32 .exe
Token: SeDebugPrivilege	4688	rundll32 .exe
Token: SeDebugPrivilege	2420	rundll32 .exe
Token: SeDebugPrivilege	1376	rundll32 .exe
Token: SeDebugPrivilege	3088	rundll32 .exe
Token: SeDebugPrivilege	1120	rundll32 .exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
632	svchost.exe
632	svchost.exe
632	svchost.exe
2172	svchost.exe
2172	svchost.exe
3140	svchost.exe
3140	svchost.exe
2520	svchost.exe
2520	svchost.exe
4292	svchost.exe
4292	svchost.exe
4076	svchost.exe
4076	svchost.exe
4732	svchost.exe
4732	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.execmd.exesvchost.exewscript.execmd.execmd.execmd.execmd.execmd.exerundll32 .exe

description	pid	process	target process
PID 3944 wrote to memory of 424	3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe	cmd.exe
PID 3944 wrote to memory of 424	3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe	cmd.exe
PID 3944 wrote to memory of 424	3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe	cmd.exe
PID 424 wrote to memory of 980	424	cmd.exe	wscript.exe
PID 424 wrote to memory of 980	424	cmd.exe	wscript.exe
PID 424 wrote to memory of 980	424	cmd.exe	wscript.exe
PID 3944 wrote to memory of 632	3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe	svchost.exe
PID 3944 wrote to memory of 632	3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe	svchost.exe
PID 3944 wrote to memory of 632	3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe	svchost.exe
PID 3944 wrote to memory of 632	3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe	svchost.exe
PID 3944 wrote to memory of 632	3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe	svchost.exe
PID 3944 wrote to memory of 632	3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe	svchost.exe
PID 3944 wrote to memory of 632	3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe	svchost.exe
PID 3944 wrote to memory of 632	3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe	svchost.exe
PID 3944 wrote to memory of 2000	3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe	svchost.exe
PID 3944 wrote to memory of 2000	3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe	svchost.exe
PID 3944 wrote to memory of 2000	3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe	svchost.exe
PID 632 wrote to memory of 1924	632	svchost.exe	cmd.exe
PID 632 wrote to memory of 1924	632	svchost.exe	cmd.exe
PID 632 wrote to memory of 1924	632	svchost.exe	cmd.exe
PID 632 wrote to memory of 844	632	svchost.exe	cmd.exe
PID 632 wrote to memory of 844	632	svchost.exe	cmd.exe
PID 632 wrote to memory of 844	632	svchost.exe	cmd.exe
PID 632 wrote to memory of 4904	632	svchost.exe	cmd.exe
PID 632 wrote to memory of 4904	632	svchost.exe	cmd.exe
PID 632 wrote to memory of 4904	632	svchost.exe	cmd.exe
PID 632 wrote to memory of 4848	632	svchost.exe	cmd.exe
PID 632 wrote to memory of 4848	632	svchost.exe	cmd.exe
PID 632 wrote to memory of 4848	632	svchost.exe	cmd.exe
PID 980 wrote to memory of 4800	980	wscript.exe	cmd.exe
PID 980 wrote to memory of 4800	980	wscript.exe	cmd.exe
PID 980 wrote to memory of 4800	980	wscript.exe	cmd.exe
PID 1924 wrote to memory of 1520	1924	cmd.exe	reg.exe
PID 1924 wrote to memory of 1520	1924	cmd.exe	reg.exe
PID 1924 wrote to memory of 1520	1924	cmd.exe	reg.exe
PID 4848 wrote to memory of 1344	4848	cmd.exe	reg.exe
PID 4848 wrote to memory of 1344	4848	cmd.exe	reg.exe
PID 4848 wrote to memory of 1344	4848	cmd.exe	reg.exe
PID 4904 wrote to memory of 4520	4904	cmd.exe	reg.exe
PID 844 wrote to memory of 4752	844	cmd.exe	reg.exe
PID 4904 wrote to memory of 4520	4904	cmd.exe	reg.exe
PID 4904 wrote to memory of 4520	4904	cmd.exe	reg.exe
PID 844 wrote to memory of 4752	844	cmd.exe	reg.exe
PID 844 wrote to memory of 4752	844	cmd.exe	reg.exe
PID 3944 wrote to memory of 212	3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe	cmd.exe
PID 3944 wrote to memory of 212	3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe	cmd.exe
PID 3944 wrote to memory of 212	3944	002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe	cmd.exe
PID 212 wrote to memory of 1972	212	cmd.exe	PING.EXE
PID 212 wrote to memory of 1972	212	cmd.exe	PING.EXE
PID 212 wrote to memory of 1972	212	cmd.exe	PING.EXE
PID 212 wrote to memory of 1072	212	cmd.exe	rundll32 .exe
PID 212 wrote to memory of 1072	212	cmd.exe	rundll32 .exe
PID 212 wrote to memory of 1072	212	cmd.exe	rundll32 .exe
PID 1072 wrote to memory of 2172	1072	rundll32 .exe	svchost.exe
PID 1072 wrote to memory of 2172	1072	rundll32 .exe	svchost.exe
PID 1072 wrote to memory of 2172	1072	rundll32 .exe	svchost.exe
PID 1072 wrote to memory of 2172	1072	rundll32 .exe	svchost.exe
PID 1072 wrote to memory of 2172	1072	rundll32 .exe	svchost.exe
PID 1072 wrote to memory of 2172	1072	rundll32 .exe	svchost.exe
PID 1072 wrote to memory of 2172	1072	rundll32 .exe	svchost.exe
PID 1072 wrote to memory of 2172	1072	rundll32 .exe	svchost.exe
PID 1072 wrote to memory of 4188	1072	rundll32 .exe	svchost.exe
PID 1072 wrote to memory of 4188	1072	rundll32 .exe	svchost.exe
PID 1072 wrote to memory of 4188	1072	rundll32 .exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe
"C:\Users\Admin\AppData\Local\Temp\002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caca.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:424

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\caca2.bat
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caca2.bat" "
4⤵
- Drops startup file
PID:4800

C:\Windows\Temp\svchost.exe
C:\Windows\Temp\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svchost.exe" /t REG_SZ /d "C:\Windows\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svchost.exe" /t REG_SZ /d "C:\Windows\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:4752

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:4520

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\drivergen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\drivergen.exe:*:Enabled:Windows Messanger" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\drivergen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\drivergen.exe:*:Enabled:Windows Messanger" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:1344

C:\Windows\Temp\svchost.exe
C:\Windows\Temp\svchost.exe
2⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\per.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:1972

C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
"C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\Temp\svchost.exe
C:\Windows\Temp\svchost.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2172

C:\Windows\Temp\svchost.exe
C:\Windows\Temp\svchost.exe
4⤵
PID:4188

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:1040

C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
"C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\Temp\svchost.exe
C:\Windows\Temp\svchost.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3140

C:\Windows\Temp\svchost.exe
C:\Windows\Temp\svchost.exe
4⤵
PID:1592

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:4324

C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
"C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\Temp\svchost.exe
C:\Windows\Temp\svchost.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Windows\Temp\svchost.exe
C:\Windows\Temp\svchost.exe
4⤵
PID:1088

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:1500

C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
"C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\Temp\svchost.exe
C:\Windows\Temp\svchost.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4292

C:\Windows\Temp\svchost.exe
C:\Windows\Temp\svchost.exe
4⤵
PID:484

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:2028

C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
"C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\Temp\svchost.exe
C:\Windows\Temp\svchost.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4076

C:\Windows\Temp\svchost.exe
C:\Windows\Temp\svchost.exe
4⤵
PID:4344

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:780

C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
"C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\Temp\svchost.exe
C:\Windows\Temp\svchost.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4732

C:\Windows\Temp\svchost.exe
C:\Windows\Temp\svchost.exe
4⤵
PID:456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\rundll32 .exe.log

Filesize
588B

MD5
bbc3cfe1a58732a0477f72ea3d36c7bf

SHA1
fb801263330aa243f63270138ab467a627dffc2e

SHA256
9269d4383b8effa928b7b4a7b38ffa07587b23851f9430fbfe8e7284f845e722

SHA512
5bfdc6520a7a0884e3ccdf26ab0fe536327c9f3330f7f78bed2ed4c89fc31b04ad0c4b4bd6f8f1bca08ef04e46b833b798726dca7f40ccc27c871847ec041be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\caca.bat

Filesize
47B

MD5
58ccb87aa1da4939df403810f1e68b6b

SHA1
dc8551f41682e5cb1dd25af3f11a789b1d37b295

SHA256
eccc9f27214ff49689c1f597c0d3d3a3e45391064fd0baa9b5e0e03931b7822b

SHA512
17ad698f496a445c5cbd0972df9fe966081a3cbee33fb7d7e003890ae946c65687b85b9b16990a872338d00d798b82dee06e86bd2d38b01ad292048134688fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\caca2.bat

Filesize
151B

MD5
ed28c618f7d8306e3736432b58bb5d27

SHA1
441e6dab70e31d9c599fcd9e2d32009038781b42

SHA256
d9aa03911260779b1f8a9b046a7ecf7aa87b0f13c762491fe8e06c482bac09a3

SHA512
4257d8839e881a9ab6de6230a9df1e81456cb796eb9ee2361789fa5fe4c81b297ed1c472f91d97bb0b2ebdb6acadb924617e6ffd32fc96d8ddcebf8fee4a7880

Download Submit
C:\Users\Admin\AppData\Local\Temp\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\per.bat

Filesize
111B

MD5
851c0e754a2e3663cbfdc09777323516

SHA1
e9f67ac8c5d22c5c47b71d2a51b6aa5076b9287a

SHA256
b97c58636ccaa18444a0e317e5a8b8112147e5c5a53777085f035779648c7eeb

SHA512
2efde32aad3b7278f6ea2bd8a688fe30ce75b2914b59dba87b2999dc199ae4a63c0dc08f476096807e2ecd96d4f860ebf988b420c68536accc038b22a7e738d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32 .exe

Filesize
786KB

MD5
d6ea3809221c8012b485df702a6ce5a7

SHA1
b0aead39e6f72e76d8f3e30861e57c7c020f7c18

SHA256
002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b

SHA512
f35fd7727573d68391cc52c312a406ab5601d1346400bf78ba6f095cbd6d6780afeabcf23a4dbec3d149699794022b1d4a45134bc2afa9b479bd856decd54754

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32 .exe

Filesize
786KB

MD5
d6ea3809221c8012b485df702a6ce5a7

SHA1
b0aead39e6f72e76d8f3e30861e57c7c020f7c18

SHA256
002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b

SHA512
f35fd7727573d68391cc52c312a406ab5601d1346400bf78ba6f095cbd6d6780afeabcf23a4dbec3d149699794022b1d4a45134bc2afa9b479bd856decd54754

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32 .exe

Filesize
786KB

MD5
d6ea3809221c8012b485df702a6ce5a7

SHA1
b0aead39e6f72e76d8f3e30861e57c7c020f7c18

SHA256
002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b

SHA512
f35fd7727573d68391cc52c312a406ab5601d1346400bf78ba6f095cbd6d6780afeabcf23a4dbec3d149699794022b1d4a45134bc2afa9b479bd856decd54754

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32 .exe

Filesize
786KB

MD5
d6ea3809221c8012b485df702a6ce5a7

SHA1
b0aead39e6f72e76d8f3e30861e57c7c020f7c18

SHA256
002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b

SHA512
f35fd7727573d68391cc52c312a406ab5601d1346400bf78ba6f095cbd6d6780afeabcf23a4dbec3d149699794022b1d4a45134bc2afa9b479bd856decd54754

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32 .exe

Filesize
786KB

MD5
d6ea3809221c8012b485df702a6ce5a7

SHA1
b0aead39e6f72e76d8f3e30861e57c7c020f7c18

SHA256
002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b

SHA512
f35fd7727573d68391cc52c312a406ab5601d1346400bf78ba6f095cbd6d6780afeabcf23a4dbec3d149699794022b1d4a45134bc2afa9b479bd856decd54754

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32 .exe

Filesize
786KB

MD5
d6ea3809221c8012b485df702a6ce5a7

SHA1
b0aead39e6f72e76d8f3e30861e57c7c020f7c18

SHA256
002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b

SHA512
f35fd7727573d68391cc52c312a406ab5601d1346400bf78ba6f095cbd6d6780afeabcf23a4dbec3d149699794022b1d4a45134bc2afa9b479bd856decd54754

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32 .exe

Filesize
786KB

MD5
d6ea3809221c8012b485df702a6ce5a7

SHA1
b0aead39e6f72e76d8f3e30861e57c7c020f7c18

SHA256
002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b

SHA512
f35fd7727573d68391cc52c312a406ab5601d1346400bf78ba6f095cbd6d6780afeabcf23a4dbec3d149699794022b1d4a45134bc2afa9b479bd856decd54754

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32-.txt

Filesize
786KB

MD5
d6ea3809221c8012b485df702a6ce5a7

SHA1
b0aead39e6f72e76d8f3e30861e57c7c020f7c18

SHA256
002a6e6b9aa39fed9afd100bc430f1f1eea756cb3eefabcb678e85e31cf58c6b

SHA512
f35fd7727573d68391cc52c312a406ab5601d1346400bf78ba6f095cbd6d6780afeabcf23a4dbec3d149699794022b1d4a45134bc2afa9b479bd856decd54754

Download Submit
C:\Windows\Temp\svchost.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Windows\Temp\svchost.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Windows\Temp\svchost.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Windows\Temp\svchost.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Windows\Temp\svchost.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Windows\Temp\svchost.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Windows\Temp\svchost.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Windows\Temp\svchost.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/212-159-0x0000000000000000-mapping.dmp

Download
memory/424-133-0x0000000000000000-mapping.dmp

Download
memory/456-239-0x0000000000000000-mapping.dmp

Download
memory/484-211-0x0000000000000000-mapping.dmp

Download
memory/632-137-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/632-136-0x0000000000000000-mapping.dmp

Download
memory/780-233-0x0000000000000000-mapping.dmp

Download
memory/844-147-0x0000000000000000-mapping.dmp

Download
memory/980-135-0x0000000000000000-mapping.dmp

Download
memory/1040-176-0x0000000000000000-mapping.dmp

Download
memory/1072-174-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/1072-173-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/1072-175-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/1072-163-0x0000000000000000-mapping.dmp

Download
memory/1088-197-0x0000000000000000-mapping.dmp

Download
memory/1120-234-0x0000000000000000-mapping.dmp

Download
memory/1120-244-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/1120-245-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/1344-153-0x0000000000000000-mapping.dmp

Download
memory/1376-218-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/1376-217-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/1376-206-0x0000000000000000-mapping.dmp

Download
memory/1376-216-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/1500-205-0x0000000000000000-mapping.dmp

Download
memory/1520-152-0x0000000000000000-mapping.dmp

Download
memory/1592-184-0x0000000000000000-mapping.dmp

Download
memory/1924-146-0x0000000000000000-mapping.dmp

Download
memory/1972-162-0x0000000000000000-mapping.dmp

Download
memory/2000-139-0x0000000000000000-mapping.dmp

Download
memory/2028-219-0x0000000000000000-mapping.dmp

Download
memory/2172-165-0x0000000000000000-mapping.dmp

Download
memory/2420-200-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/2420-203-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/2420-204-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/2420-192-0x0000000000000000-mapping.dmp

Download
memory/2520-194-0x0000000000000000-mapping.dmp

Download
memory/3088-231-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/3088-220-0x0000000000000000-mapping.dmp

Download
memory/3088-227-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/3088-232-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/3140-180-0x0000000000000000-mapping.dmp

Download
memory/3944-160-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/3944-157-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/3944-132-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/4076-222-0x0000000000000000-mapping.dmp

Download
memory/4188-168-0x0000000000000000-mapping.dmp

Download
memory/4292-208-0x0000000000000000-mapping.dmp

Download
memory/4324-191-0x0000000000000000-mapping.dmp

Download
memory/4344-225-0x0000000000000000-mapping.dmp

Download
memory/4520-154-0x0000000000000000-mapping.dmp

Download
memory/4688-189-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/4688-186-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/4688-190-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/4688-177-0x0000000000000000-mapping.dmp

Download
memory/4732-236-0x0000000000000000-mapping.dmp

Download
memory/4752-155-0x0000000000000000-mapping.dmp

Download
memory/4800-151-0x0000000000000000-mapping.dmp

Download
memory/4848-149-0x0000000000000000-mapping.dmp

Download
memory/4904-148-0x0000000000000000-mapping.dmp

Download