Analysis Overview
SHA256
bd2983e3549c1a8a9a065579a17f371c7833ed660575be87ef55a274c2c9f2be
Threat Level: Known bad
The file UnivMenu_1.16.rar was found to be: Known bad.
Malicious Activity Summary
xmrig
Lumma Stealer
XMRig Miner payload
Command and Scripting Interpreter: PowerShell
Stops running service(s)
Creates new service(s)
Loads dropped DLL
Executes dropped EXE
UPX packed file
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Power Settings
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Unsigned PE
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-10 15:35
Signatures
Unsigned PE
1 hit (no indicator, process or target recorded)
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-10 15:34
Reported
2024-07-10 15:37
Platform
win7-20240708-en
Max time kernel
21s
Max time network
22s
Command Line
Signatures
xmrig
XMRig Miner payload
9 hits (no indicator, process or target recorded)
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\ProgramData\WindowsManager\update.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
14 hits (no indicator, process or target recorded)
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\WmiPrvSE.exe\" " | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\WindowsManager\update.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1228 set thread context of 2924 | N/A | C:\ProgramData\WindowsManager\update.exe | C:\Windows\system32\conhost.exe |
| PID 1228 set thread context of 2032 | N/A | C:\ProgramData\WindowsManager\update.exe | C:\Windows\system32\dwm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 3034e80bdfd2da01 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates | C:\Windows\system32\dwm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\3.exe
C:\Users\Admin\AppData\Roaming\3.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 112
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WindowsManager"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WindowsManager" binpath= "C:\ProgramData\WindowsManager\update.exe" start= "auto"
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WindowsManager"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\1.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\ProgramData\WindowsManager\update.exe
C:\ProgramData\WindowsManager\update.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\dwm.exe
dwm.exe
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
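The process list above is the whole installer playbook in one tree: a Defender exclusion for the user profile and ProgramData, removal of the Malicious Software Removal Tool update (KB890830), powercfg calls that keep the host awake so the miner never idles, a service named "WindowsManager" pointing at an executable under ProgramData, the Windows Event Log service stopped, and a timed self-delete of the dropper through choice.exe. The following is an added example, not part of the sandbox report: a small set of detection rules written as Python regexes and run over command lines copied from the Processes section. The rule names, the ATT&CK technique IDs I attach to them, and the threshold of three distinct behaviours for a positive verdict are my own choices, not the report's.

```python
"""Flag coin-miner installer tradecraft in a list of process command lines.

Added example, not part of the sandbox report. The rules encode the behaviours
visible in the report's process tree; technique IDs are my own mapping.
"""
import re

# Command lines constructed from the report's Processes section (behavioral1).
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Loader.exe"',
    r"C:\Users\Admin\AppData\Roaming\1.exe",
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference "
    r"-ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart",
    r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0",
    r"C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0",
    r'C:\Windows\system32\sc.exe delete "WindowsManager"',
    r'C:\Windows\system32\sc.exe create "WindowsManager" binpath= '
    r'"C:\ProgramData\WindowsManager\update.exe" start= "auto"',
    r"C:\Windows\system32\sc.exe stop eventlog",
    r'C:\Windows\system32\sc.exe start "WindowsManager"',
    r'C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del '
    r'"C:\Users\Admin\AppData\Roaming\1.exe"',
    r"C:\Windows\system32\conhost.exe",
]

# (rule name, ATT&CK technique, pattern). All patterns are case-insensitive so
# that "Del" / "del" and "SC" / "sc" are treated alike.
RULES = [
    # Defender exclusion for a whole profile or for every .exe
    ("defender_exclusion", "T1562.001",
     re.compile(r"Add-MpPreference.*-Exclusion(Path|Extension|Process)", re.I)),
    # Uninstalling KB890830 removes the Malicious Software Removal Tool
    ("mrt_removal", "T1562.001",
     re.compile(r"wusa(\.exe)?\s+/uninstall\s+/kb:890830", re.I)),
    # Standby/hibernate timeouts set to 0 keep the miner running unattended
    ("sleep_disabled", "T1653",
     re.compile(r"powercfg(\.exe)?\s+/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0", re.I)),
    # Stopping the Event Log service blinds later forensics
    ("eventlog_stopped", "T1562.002",
     re.compile(r"\bsc(\.exe)?\s+stop\s+eventlog\b", re.I)),
    # A new auto-start service whose binary lives under ProgramData
    ("service_from_programdata", "T1543.003",
     re.compile(r"\bsc(\.exe)?\s+create\s+.*binpath=\s*\"?[A-Z]:\\ProgramData\\", re.I)),
    # choice.exe as a sleep, followed by deleting the dropper
    ("self_delete_via_choice", "T1070.004",
     re.compile(r"choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*del\b", re.I)),
]


def match_rules(cmdline):
    """Return [(rule_name, technique_id), ...] for every rule the line trips."""
    return [(name, tid) for name, tid, rx in RULES if rx.search(cmdline)]


def score_host(cmdlines, threshold=3):
    """Aggregate rule hits over a process tree and return a verdict.

    The threshold is an assumption for this example: three or more distinct
    installer behaviours in one tree is treated as a positive, so a lone
    powercfg call from a laptop power profile script stays inconclusive.
    """
    evidence = {}
    techniques = set()
    for cmd in cmdlines:
        for name, tid in match_rules(cmd):
            evidence.setdefault(name, []).append(cmd)
            techniques.add(tid)
    verdict = "miner-installer" if len(evidence) >= threshold else "inconclusive"
    return {"verdict": verdict, "rules_hit": sorted(evidence),
            "techniques": sorted(techniques), "evidence": evidence}


if __name__ == "__main__":
    result = score_host(SAMPLE_CMDLINES)
    print(result["verdict"], result["rules_hit"])
    for rule, lines in result["evidence"].items():
        for line in lines:
            print(f"  {rule}: {line}")
```

The rules key on arguments rather than on image names because every binary involved (powershell.exe, sc.exe, wusa.exe, powercfg.exe, choice.exe) is a signed Windows component; a process-name allowlist would pass all of them. Feed the same rules the command-line field of Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled to reuse them outside the sandbox.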
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 163.172.154.142:10343 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| DE | 194.87.73.161:80 | 194.87.73.161 | tcp |
Files
\Users\Admin\AppData\Roaming\2.exe
| MD5 | 22b3cd9c18de6057ef9c9882ab18837b |
| SHA1 | e4dffcd1eb7ce1065bbe9e0e8802647f34ac853a |
| SHA256 | e36edb5a7e9cec46757fdf05ea0e69bf1c1f080f27d53c34cae662a1efc8a15f |
| SHA512 | 1013f8a8a16a1c58816f0d004691f781da71365cddb506f9403266d7e2abc4894cd187aecb39fdadcbe0db2ff45fb4c5a189ba7fa512775b946c307504893724 |
memory/2012-40-0x0000000140000000-0x000000014058E000-memory.dmp
memory/2172-39-0x0000000140000000-0x000000014097A000-memory.dmp
memory/2012-35-0x0000000140000000-0x000000014058E000-memory.dmp
memory/2012-34-0x00000000775E0000-0x00000000775E2000-memory.dmp
memory/2172-27-0x0000000140000000-0x000000014097A000-memory.dmp
memory/2172-28-0x000000014028D000-0x0000000140459000-memory.dmp
memory/2172-26-0x00000000775E0000-0x00000000775E2000-memory.dmp
memory/2172-24-0x00000000775E0000-0x00000000775E2000-memory.dmp
memory/2172-22-0x00000000775E0000-0x00000000775E2000-memory.dmp
C:\Users\Admin\AppData\Roaming\3.exe
| MD5 | 7138b23f9c4f249d2f8871076284f025 |
| SHA1 | 1dc590e64c745fe90969a033d3bb84574b45214b |
| SHA256 | 0880b5457c06058bdc6ba4b2541c6b1a41c73773b5043e82718c12646db7e67e |
| SHA512 | 5e416631062aefa5c492f3639c964ef587c61ed03a6d3c10957156aa4503d4ae902893be6148e59462f4e5341cf38c4355984f39dfb795111d6b7f9a67d28737 |
memory/2692-18-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Roaming\1.exe
| MD5 | 6d68e8a60621e3a3c1e1d0812cd82fa4 |
| SHA1 | bea153c573c4cdcbd6cb76f77cb1ca60d2e25b0c |
| SHA256 | 1b4c920a0652196fbb5f67d781c1b914f4fbee08ef1c5e278c4b6935d710f007 |
| SHA512 | a588b2b980581f54a14868c6c5f509618f11f4537168e435b4152c1cbbee5d01cf19e5f2057fbe853e07e0bc957c6e3ed8b720961661336f8e182bd928fe633e |
memory/2640-46-0x000000001B5F0000-0x000000001B8D2000-memory.dmp
memory/2640-47-0x0000000001F80000-0x0000000001F88000-memory.dmp
memory/2172-54-0x000000014028D000-0x0000000140459000-memory.dmp
memory/2172-53-0x0000000140000000-0x000000014097A000-memory.dmp
memory/1228-60-0x0000000140000000-0x000000014097A000-memory.dmp
memory/2892-62-0x0000000019DF0000-0x000000001A0D2000-memory.dmp
memory/2892-63-0x00000000011D0000-0x00000000011D8000-memory.dmp
memory/2924-71-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2924-68-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2924-67-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2924-66-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2924-65-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2032-78-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2032-77-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2924-64-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2032-79-0x00000000001F0000-0x0000000000210000-memory.dmp
memory/2032-76-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2032-75-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2032-74-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2032-73-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2032-72-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2032-84-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2032-83-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2032-82-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2032-81-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2032-80-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2032-85-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2032-86-0x0000000140000000-0x0000000140848000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-10 15:34
Reported
2024-07-10 15:39
Platform
win10v2004-20240709-en
Max time kernel
155s
Max time network
152s
Command Line
Signatures
Lumma Stealer
xmrig
XMRig Miner payload
13 hits (no indicator, process or target recorded)
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsManager\update.exe | N/A |
UPX packed file
18 hits (no indicator, process or target recorded)
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\WmiPrvSE.exe\" " | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\WindowsManager\update.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4920 set thread context of 2584 | N/A | C:\Users\Admin\AppData\Roaming\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1348 set thread context of 3708 | N/A | C:\ProgramData\WindowsManager\update.exe | C:\Windows\system32\conhost.exe |
| PID 1348 set thread context of 1460 | N/A | C:\ProgramData\WindowsManager\update.exe | C:\Windows\system32\dwm.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\3.exe
C:\Users\Admin\AppData\Roaming\3.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WindowsManager"
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WindowsManager" binpath= "C:\ProgramData\WindowsManager\update.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WindowsManager"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\1.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\ProgramData\WindowsManager\update.exe
C:\ProgramData\WindowsManager\update.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\dwm.exe
dwm.exe
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | extorteauhhwigw.shop | udp |
| US | 172.67.189.174:443 | extorteauhhwigw.shop | tcp |
| US | 8.8.8.8:53 | bouncedgowp.shop | udp |
| US | 104.21.93.198:443 | bouncedgowp.shop | tcp |
| US | 8.8.8.8:53 | bannngwko.shop | udp |
| US | 172.67.146.61:443 | bannngwko.shop | tcp |
| US | 8.8.8.8:53 | bargainnykwo.shop | udp |
| US | 172.67.146.97:443 | bargainnykwo.shop | tcp |
| US | 8.8.8.8:53 | affecthorsedpo.shop | udp |
| US | 8.8.8.8:53 | 174.189.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.146.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.93.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.146.67.172.in-addr.arpa | udp |
| US | 104.21.6.254:443 | affecthorsedpo.shop | tcp |
| US | 8.8.8.8:53 | radiationnopp.shop | udp |
| US | 104.21.68.158:443 | radiationnopp.shop | tcp |
| US | 8.8.8.8:53 | answerrsdo.shop | udp |
| US | 172.67.203.63:443 | answerrsdo.shop | tcp |
| US | 8.8.8.8:53 | 254.6.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.68.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | publicitttyps.shop | udp |
| US | 172.67.134.88:443 | publicitttyps.shop | tcp |
| US | 8.8.8.8:53 | benchillppwo.shop | udp |
| US | 8.8.8.8:53 | 63.203.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.134.67.172.in-addr.arpa | udp |
| US | 172.67.160.230:443 | benchillppwo.shop | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | reinforcedirectorywd.shop | udp |
| US | 172.67.214.98:443 | reinforcedirectorywd.shop | tcp |
| US | 8.8.8.8:53 | 230.160.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.214.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 146.59.154.106:10343 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 106.154.59.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| DE | 194.87.73.161:80 | 194.87.73.161 | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.73.87.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| DE | 194.87.73.161:80 | 194.87.73.161 | tcp |
| PL | 54.37.137.114:10343 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 194.87.73.161:80 | 194.87.73.161 | tcp |
Files
C:\Users\Admin\AppData\Roaming\1.exe
| MD5 | 6d68e8a60621e3a3c1e1d0812cd82fa4 |
| SHA1 | bea153c573c4cdcbd6cb76f77cb1ca60d2e25b0c |
| SHA256 | 1b4c920a0652196fbb5f67d781c1b914f4fbee08ef1c5e278c4b6935d710f007 |
| SHA512 | a588b2b980581f54a14868c6c5f509618f11f4537168e435b4152c1cbbee5d01cf19e5f2057fbe853e07e0bc957c6e3ed8b720961661336f8e182bd928fe633e |
C:\Users\Admin\AppData\Roaming\2.exe
| MD5 | 22b3cd9c18de6057ef9c9882ab18837b |
| SHA1 | e4dffcd1eb7ce1065bbe9e0e8802647f34ac853a |
| SHA256 | e36edb5a7e9cec46757fdf05ea0e69bf1c1f080f27d53c34cae662a1efc8a15f |
| SHA512 | 1013f8a8a16a1c58816f0d004691f781da71365cddb506f9403266d7e2abc4894cd187aecb39fdadcbe0db2ff45fb4c5a189ba7fa512775b946c307504893724 |
C:\Users\Admin\AppData\Roaming\3.exe
| MD5 | 7138b23f9c4f249d2f8871076284f025 |
| SHA1 | 1dc590e64c745fe90969a033d3bb84574b45214b |
| SHA256 | 0880b5457c06058bdc6ba4b2541c6b1a41c73773b5043e82718c12646db7e67e |
| SHA512 | 5e416631062aefa5c492f3639c964ef587c61ed03a6d3c10957156aa4503d4ae902893be6148e59462f4e5341cf38c4355984f39dfb795111d6b7f9a67d28737 |
memory/1044-15-0x000000014028D000-0x0000000140459000-memory.dmp
memory/1044-16-0x0000000140000000-0x000000014097A000-memory.dmp
memory/1044-13-0x0000000140000000-0x000000014097A000-memory.dmp
memory/1044-12-0x00007FFBE2C30000-0x00007FFBE2C32000-memory.dmp
memory/1044-22-0x0000000140000000-0x000000014097A000-memory.dmp
memory/2584-23-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2584-25-0x0000000000400000-0x0000000000452000-memory.dmp
memory/3152-18-0x0000000140000000-0x000000014058E000-memory.dmp
memory/3152-17-0x00007FFBE2C30000-0x00007FFBE2C32000-memory.dmp
memory/3152-26-0x0000000140000000-0x000000014058E000-memory.dmp
memory/2584-27-0x0000000000400000-0x0000000000452000-memory.dmp
memory/4876-28-0x00000242C75C0000-0x00000242C75E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vu2wm4ht.twj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1044-41-0x000000014028D000-0x0000000140459000-memory.dmp
memory/1044-42-0x0000000140000000-0x000000014097A000-memory.dmp
memory/1348-46-0x0000000140000000-0x000000014097A000-memory.dmp
memory/1916-66-0x000001795BE60000-0x000001795BE7C000-memory.dmp
memory/1916-67-0x000001795E300000-0x000001795E3B5000-memory.dmp
memory/1916-68-0x000001795E3C0000-0x000001795E3CA000-memory.dmp
memory/1916-69-0x000001795E530000-0x000001795E54C000-memory.dmp
memory/1916-70-0x000001795E510000-0x000001795E51A000-memory.dmp
memory/1916-71-0x000001795E570000-0x000001795E58A000-memory.dmp
memory/1916-72-0x000001795E520000-0x000001795E528000-memory.dmp
memory/1916-73-0x000001795E550000-0x000001795E556000-memory.dmp
memory/1916-74-0x000001795E560000-0x000001795E56A000-memory.dmp
memory/3708-81-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3708-80-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3708-79-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3708-78-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3708-77-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1460-86-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1460-90-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1460-92-0x000002A9E87A0000-0x000002A9E87C0000-memory.dmp
memory/1460-91-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1460-89-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1460-97-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1460-96-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1460-94-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1460-95-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1460-93-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1460-87-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1460-85-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1460-88-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3708-84-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1460-98-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1460-99-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1460-100-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1460-101-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1460-102-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1460-103-0x0000000140000000-0x0000000140848000-memory.dmp