b1901d597bcd062f8314c9983ebe8d973e923a0970967f845e58f37280857874

Resubmissions

07/08/2024, 22:37

240807-2jy4jsygqg 8

Analysis

max time kernel
141s
max time network
125s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
07/08/2024, 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mercurial-Grabber-installer.exe
Size

6.1MB
MD5

9b17390bdb82604feaadd518f0443481
SHA1

ff4b3f4c183ee785417ab5ae152c4790202561d9
SHA256

c1d39052767f29065a5cccd0b9e30dc3bec392fcb08771433be65da55b365d69
SHA512

7259a51d4dc220074673c451050f59aa2e17df6ea920bf72f840ef046b42fd6c71ce5552598d78c9fd93766ee2528207752677e3acf62b05b5d9730382abaace
SSDEEP

98304:51U0tZ0YSL6M7CEzZ5W3CJ6YWhoq+VUnuuMkHOVgwSt5CJVtSnXmM7gj49B+DoId:vsL6M7rnW3vKqNn1KFSH6knXmBjcZPW

Score

8^/10

agilenet defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1576	powershell.exe
2260	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
4044	Winhlp64.exe
4852	Mercurial.exe
1072	Winhlp64.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe

Obfuscated with Agile.Net obfuscator 11 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/4852-47-0x0000000005DA0000-0x0000000005DBC000-memory.dmp	agile_net
behavioral1/memory/4852-49-0x0000000005EF0000-0x0000000005F10000-memory.dmp	agile_net
behavioral1/memory/4852-52-0x0000000005F40000-0x0000000005FAE000-memory.dmp	agile_net
behavioral1/memory/4852-56-0x0000000006060000-0x000000000606E000-memory.dmp	agile_net
behavioral1/memory/4852-57-0x00000000069D0000-0x0000000006B1A000-memory.dmp	agile_net
behavioral1/memory/4852-55-0x0000000006040000-0x000000000604E000-memory.dmp	agile_net
behavioral1/memory/4852-54-0x0000000006000000-0x0000000006036000-memory.dmp	agile_net
behavioral1/memory/4852-53-0x0000000005FC0000-0x0000000005FDE000-memory.dmp	agile_net
behavioral1/memory/4852-51-0x0000000005F30000-0x0000000005F44000-memory.dmp	agile_net
behavioral1/memory/4852-50-0x0000000005F20000-0x0000000005F30000-memory.dmp	agile_net
behavioral1/memory/4852-48-0x0000000005DC0000-0x0000000005DE0000-memory.dmp	agile_net

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	Winhlp64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\MRT.exe	Winhlp64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4044 set thread context of 3848	4044	Winhlp64.exe	85
PID 1072 set thread context of 1344	1072	Winhlp64.exe	103
PID 1072 set thread context of 3056	1072	Winhlp64.exe	105
PID 1072 set thread context of 5056	1072	Winhlp64.exe	106

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2368	sc.exe
2324	sc.exe
3484	sc.exe
1408	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mercurial.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Modifies data under HKEY_USERS 60 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1723070365"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 07 Aug 2024 22:39:25 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={9547E558-8DED-4933-8519-4EAAF33D0192}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4940	powershell.exe
4940	powershell.exe
4852	Mercurial.exe
4852	Mercurial.exe
4852	Mercurial.exe
4852	Mercurial.exe
4852	Mercurial.exe
4852	Mercurial.exe
4852	Mercurial.exe
4852	Mercurial.exe
4044	Winhlp64.exe
2260	powershell.exe
2260	powershell.exe
4044	Winhlp64.exe
4044	Winhlp64.exe
4044	Winhlp64.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
4044	Winhlp64.exe
4044	Winhlp64.exe
4044	Winhlp64.exe
4044	Winhlp64.exe
1072	Winhlp64.exe
1576	powershell.exe
1576	powershell.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
1576	powershell.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
1576	powershell.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
1576	powershell.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe
3848	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	4852	Mercurial.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	4044	Winhlp64.exe
Token: SeDebugPrivilege	3848	dialer.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1072	Winhlp64.exe
Token: SeDebugPrivilege	1344	dialer.exe
Token: SeLockMemoryPrivilege	5056	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	2708	svchost.exe
Token: SeIncreaseQuotaPrivilege	2708	svchost.exe
Token: SeSecurityPrivilege	2708	svchost.exe
Token: SeTakeOwnershipPrivilege	2708	svchost.exe
Token: SeLoadDriverPrivilege	2708	svchost.exe
Token: SeSystemtimePrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeRestorePrivilege	2708	svchost.exe
Token: SeShutdownPrivilege	2708	svchost.exe
Token: SeSystemEnvironmentPrivilege	2708	svchost.exe
Token: SeUndockPrivilege	2708	svchost.exe
Token: SeManageVolumePrivilege	2708	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2708	svchost.exe
Token: SeIncreaseQuotaPrivilege	2708	svchost.exe
Token: SeSecurityPrivilege	2708	svchost.exe
Token: SeTakeOwnershipPrivilege	2708	svchost.exe
Token: SeLoadDriverPrivilege	2708	svchost.exe
Token: SeSystemtimePrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeRestorePrivilege	2708	svchost.exe
Token: SeShutdownPrivilege	2708	svchost.exe
Token: SeSystemEnvironmentPrivilege	2708	svchost.exe
Token: SeUndockPrivilege	2708	svchost.exe
Token: SeManageVolumePrivilege	2708	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2708	svchost.exe
Token: SeIncreaseQuotaPrivilege	2708	svchost.exe
Token: SeSecurityPrivilege	2708	svchost.exe
Token: SeTakeOwnershipPrivilege	2708	svchost.exe
Token: SeLoadDriverPrivilege	2708	svchost.exe
Token: SeSystemtimePrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeRestorePrivilege	2708	svchost.exe
Token: SeShutdownPrivilege	2708	svchost.exe
Token: SeSystemEnvironmentPrivilege	2708	svchost.exe
Token: SeUndockPrivilege	2708	svchost.exe
Token: SeManageVolumePrivilege	2708	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2708	svchost.exe
Token: SeIncreaseQuotaPrivilege	2708	svchost.exe
Token: SeSecurityPrivilege	2708	svchost.exe
Token: SeTakeOwnershipPrivilege	2708	svchost.exe
Token: SeLoadDriverPrivilege	2708	svchost.exe
Token: SeSystemtimePrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeRestorePrivilege	2708	svchost.exe
Token: SeShutdownPrivilege	2708	svchost.exe
Token: SeSystemEnvironmentPrivilege	2708	svchost.exe
Token: SeUndockPrivilege	2708	svchost.exe
Token: SeManageVolumePrivilege	2708	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2708	svchost.exe
Token: SeIncreaseQuotaPrivilege	2708	svchost.exe
Token: SeSecurityPrivilege	2708	svchost.exe
Token: SeTakeOwnershipPrivilege	2708	svchost.exe
Token: SeLoadDriverPrivilege	2708	svchost.exe
Token: SeSystemtimePrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 4940	2632	Mercurial-Grabber-installer.exe	78
PID 2632 wrote to memory of 4940	2632	Mercurial-Grabber-installer.exe	78
PID 2632 wrote to memory of 4044	2632	Mercurial-Grabber-installer.exe	80
PID 2632 wrote to memory of 4044	2632	Mercurial-Grabber-installer.exe	80
PID 2632 wrote to memory of 4852	2632	Mercurial-Grabber-installer.exe	81
PID 2632 wrote to memory of 4852	2632	Mercurial-Grabber-installer.exe	81
PID 2632 wrote to memory of 4852	2632	Mercurial-Grabber-installer.exe	81
PID 4044 wrote to memory of 3848	4044	Winhlp64.exe	85
PID 4044 wrote to memory of 3848	4044	Winhlp64.exe	85
PID 4044 wrote to memory of 3848	4044	Winhlp64.exe	85
PID 4044 wrote to memory of 3848	4044	Winhlp64.exe	85
PID 4044 wrote to memory of 3848	4044	Winhlp64.exe	85
PID 4044 wrote to memory of 3848	4044	Winhlp64.exe	85
PID 4044 wrote to memory of 3848	4044	Winhlp64.exe	85
PID 3848 wrote to memory of 640	3848	dialer.exe	5
PID 3848 wrote to memory of 696	3848	dialer.exe	7
PID 3848 wrote to memory of 988	3848	dialer.exe	12
PID 3848 wrote to memory of 480	3848	dialer.exe	13
PID 3848 wrote to memory of 424	3848	dialer.exe	14
PID 3848 wrote to memory of 1032	3848	dialer.exe	15
PID 3848 wrote to memory of 1044	3848	dialer.exe	16
PID 3848 wrote to memory of 1052	3848	dialer.exe	17
PID 696 wrote to memory of 2668	696	lsass.exe	45
PID 696 wrote to memory of 2668	696	lsass.exe	45
PID 1316 wrote to memory of 1364	1316	cmd.exe	91
PID 1316 wrote to memory of 1364	1316	cmd.exe	91
PID 696 wrote to memory of 2668	696	lsass.exe	45
PID 3848 wrote to memory of 1176	3848	dialer.exe	19
PID 3848 wrote to memory of 1216	3848	dialer.exe	20
PID 3848 wrote to memory of 1252	3848	dialer.exe	21
PID 3848 wrote to memory of 1328	3848	dialer.exe	22
PID 3848 wrote to memory of 1384	3848	dialer.exe	23
PID 3848 wrote to memory of 1396	3848	dialer.exe	24
PID 696 wrote to memory of 2668	696	lsass.exe	45
PID 696 wrote to memory of 2668	696	lsass.exe	45
PID 696 wrote to memory of 2668	696	lsass.exe	45
PID 696 wrote to memory of 2668	696	lsass.exe	45
PID 696 wrote to memory of 2668	696	lsass.exe	45
PID 696 wrote to memory of 2668	696	lsass.exe	45
PID 3848 wrote to memory of 1444	3848	dialer.exe	25
PID 3848 wrote to memory of 1456	3848	dialer.exe	26
PID 3848 wrote to memory of 1484	3848	dialer.exe	27
PID 3848 wrote to memory of 1688	3848	dialer.exe	28
PID 3848 wrote to memory of 1748	3848	dialer.exe	29
PID 3848 wrote to memory of 1760	3848	dialer.exe	30
PID 3848 wrote to memory of 1836	3848	dialer.exe	31
PID 3848 wrote to memory of 1876	3848	dialer.exe	32
PID 3848 wrote to memory of 1916	3848	dialer.exe	33
PID 3848 wrote to memory of 1924	3848	dialer.exe	34
PID 3848 wrote to memory of 2032	3848	dialer.exe	35
PID 3848 wrote to memory of 1896	3848	dialer.exe	36
PID 3848 wrote to memory of 2120	3848	dialer.exe	37
PID 3848 wrote to memory of 2236	3848	dialer.exe	39
PID 3848 wrote to memory of 2384	3848	dialer.exe	40
PID 3848 wrote to memory of 2532	3848	dialer.exe	41
PID 3848 wrote to memory of 2540	3848	dialer.exe	42
PID 3848 wrote to memory of 2572	3848	dialer.exe	43
PID 3848 wrote to memory of 2656	3848	dialer.exe	44
PID 3848 wrote to memory of 2668	3848	dialer.exe	45
PID 3848 wrote to memory of 2700	3848	dialer.exe	46
PID 3848 wrote to memory of 2708	3848	dialer.exe	47
PID 3848 wrote to memory of 2720	3848	dialer.exe	48
PID 696 wrote to memory of 2668	696	lsass.exe	45
PID 696 wrote to memory of 2668	696	lsass.exe	45

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:640
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:480

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1444
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1896

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2656

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3016

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3116

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3204
- C:\Users\Admin\AppData\Local\Temp\Mercurial-Grabber-installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Mercurial-Grabber-installer.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAcwBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAeABsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAbABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAbABlACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4940
- - C:\Users\Admin\AppData\Local\Temp\Winhlp64.exe
    "C:\Users\Admin\AppData\Local\Temp\Winhlp64.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1316
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1364
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3848
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "Winhlp64"
      4⤵
      Launches sc.exe
      PID:2368
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "Winhlp64" binpath= "C:\ProgramData\WindowsHelp\bin\Winhlp64.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1408
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:3484
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "Winhlp64"
      4⤵
      Launches sc.exe
      PID:2324
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Winhlp64.exe"
      4⤵
      PID:2856
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2176
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3956
- - C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
    "C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3468

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4016

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4036

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4076

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1864

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1280

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1828

C:\ProgramData\WindowsHelp\bin\Winhlp64.exe
C:\ProgramData\WindowsHelp\bin\Winhlp64.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2696
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1152
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2432
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:3056
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5056

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mercurial.exe

Filesize
3.2MB

MD5
a9477b3e21018b96fc5d2264d4016e65

SHA1
493fa8da8bf89ea773aeb282215f78219a5401b7

SHA256
890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645

SHA512
66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Winhlp64.exe

Filesize
2.8MB

MD5
5193cb4946d8a5c0e4bcfa2589d2889f

SHA1
01da27ce3c3aaa705b9e8bc7bf29f4785dbb70a1

SHA256
d3c5034163ab5e7b5e6ff2bdb82a5e8c6f3e9adf0474a4e63311944fe1c53811

SHA512
d352234b6bf35aa942408eeb4e25dd6acf9081fd70b20cc48250dc8fd29e39a8baebc1c1d118e719ef66841e61144497e93b3f438b799e97eda098a7b866abaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hgfagqae.mgf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/424-101-0x00007FF7E6490000-0x00007FF7E64A0000-memory.dmp

Filesize
64KB

Download
memory/424-100-0x0000021379860000-0x000002137988B000-memory.dmp

Filesize
172KB

Download
memory/480-91-0x00007FF7E6490000-0x00007FF7E64A0000-memory.dmp

Filesize
64KB

Download
memory/480-90-0x000001D92ED10000-0x000001D92ED3B000-memory.dmp

Filesize
172KB

Download
memory/640-93-0x0000021289450000-0x000002128947B000-memory.dmp

Filesize
172KB

Download
memory/640-94-0x00007FF7E6490000-0x00007FF7E64A0000-memory.dmp

Filesize
64KB

Download
memory/640-83-0x00000212891D0000-0x00000212891F4000-memory.dmp

Filesize
144KB

Download
memory/696-86-0x00007FF7E6490000-0x00007FF7E64A0000-memory.dmp

Filesize
64KB

Download
memory/696-85-0x00000183645D0000-0x00000183645FB000-memory.dmp

Filesize
172KB

Download
memory/988-97-0x00000215EE740000-0x00000215EE76B000-memory.dmp

Filesize
172KB

Download
memory/988-98-0x00007FF7E6490000-0x00007FF7E64A0000-memory.dmp

Filesize
64KB

Download
memory/1032-105-0x000002ABED780000-0x000002ABED7AB000-memory.dmp

Filesize
172KB

Download
memory/1032-106-0x00007FF7E6490000-0x00007FF7E64A0000-memory.dmp

Filesize
64KB

Download
memory/1044-108-0x00000135AE390000-0x00000135AE3BB000-memory.dmp

Filesize
172KB

Download
memory/1044-109-0x00007FF7E6490000-0x00007FF7E64A0000-memory.dmp

Filesize
64KB

Download
memory/1052-112-0x0000023D18140000-0x0000023D1816B000-memory.dmp

Filesize
172KB

Download
memory/1052-113-0x00007FF7E6490000-0x00007FF7E64A0000-memory.dmp

Filesize
64KB

Download
memory/1176-121-0x00007FF7E6490000-0x00007FF7E64A0000-memory.dmp

Filesize
64KB

Download
memory/1176-120-0x00000209BEF90000-0x00000209BEFBB000-memory.dmp

Filesize
172KB

Download
memory/1216-124-0x00007FF7E6490000-0x00007FF7E64A0000-memory.dmp

Filesize
64KB

Download
memory/1216-123-0x00000221C86A0000-0x00000221C86CB000-memory.dmp

Filesize
172KB

Download
memory/1252-127-0x00007FF7E6490000-0x00007FF7E64A0000-memory.dmp

Filesize
64KB

Download
memory/1252-126-0x000001DAB19A0000-0x000001DAB19CB000-memory.dmp

Filesize
172KB

Download
memory/1328-129-0x0000026598540000-0x000002659856B000-memory.dmp

Filesize
172KB

Download
memory/1328-130-0x00007FF7E6490000-0x00007FF7E64A0000-memory.dmp

Filesize
64KB

Download
memory/1384-132-0x0000015DF8570000-0x0000015DF859B000-memory.dmp

Filesize
172KB

Download
memory/1384-133-0x00007FF7E6490000-0x00007FF7E64A0000-memory.dmp

Filesize
64KB

Download
memory/1576-368-0x0000021C69740000-0x0000021C6974A000-memory.dmp

Filesize
40KB

Download
memory/1576-364-0x0000021C69550000-0x0000021C6956C000-memory.dmp

Filesize
112KB

Download
memory/1576-365-0x0000021C69570000-0x0000021C69623000-memory.dmp

Filesize
716KB

Download
memory/1576-366-0x0000021C69730000-0x0000021C6973A000-memory.dmp

Filesize
40KB

Download
memory/1576-367-0x0000021C69760000-0x0000021C6977C000-memory.dmp

Filesize
112KB

Download
memory/1576-369-0x0000021C697A0000-0x0000021C697BA000-memory.dmp

Filesize
104KB

Download
memory/1576-370-0x0000021C69750000-0x0000021C69758000-memory.dmp

Filesize
32KB

Download
memory/1576-371-0x0000021C69780000-0x0000021C69786000-memory.dmp

Filesize
24KB

Download
memory/1576-372-0x0000021C69790000-0x0000021C6979A000-memory.dmp

Filesize
40KB

Download
memory/2632-39-0x00007FF8055B0000-0x00007FF806072000-memory.dmp

Filesize
10.8MB

Download
memory/2632-1-0x0000000000250000-0x0000000000876000-memory.dmp

Filesize
6.1MB

Download
memory/2632-2-0x00007FF8055B0000-0x00007FF806072000-memory.dmp

Filesize
10.8MB

Download
memory/2632-0-0x00007FF8055B3000-0x00007FF8055B5000-memory.dmp

Filesize
8KB

Download
memory/3848-74-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3848-72-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3848-73-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3848-75-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3848-79-0x00007FF824FE0000-0x00007FF82509D000-memory.dmp

Filesize
756KB

Download
memory/3848-78-0x00007FF826400000-0x00007FF826609000-memory.dmp

Filesize
2.0MB

Download
memory/3848-77-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3848-80-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4852-46-0x0000000005C60000-0x0000000005C6A000-memory.dmp

Filesize
40KB

Download
memory/4852-50-0x0000000005F20000-0x0000000005F30000-memory.dmp

Filesize
64KB

Download
memory/4852-41-0x0000000006240000-0x00000000067E6000-memory.dmp

Filesize
5.6MB

Download
memory/4852-40-0x0000000000FB0000-0x00000000012EA000-memory.dmp

Filesize
3.2MB

Download
memory/4852-52-0x0000000005F40000-0x0000000005FAE000-memory.dmp

Filesize
440KB

Download
memory/4852-57-0x00000000069D0000-0x0000000006B1A000-memory.dmp

Filesize
1.3MB

Download
memory/4852-55-0x0000000006040000-0x000000000604E000-memory.dmp

Filesize
56KB

Download
memory/4852-54-0x0000000006000000-0x0000000006036000-memory.dmp

Filesize
216KB

Download
memory/4852-60-0x00000000095E0000-0x00000000095E8000-memory.dmp

Filesize
32KB

Download
memory/4852-59-0x00000000061E0000-0x0000000006210000-memory.dmp

Filesize
192KB

Download
memory/4852-56-0x0000000006060000-0x000000000606E000-memory.dmp

Filesize
56KB

Download
memory/4852-47-0x0000000005DA0000-0x0000000005DBC000-memory.dmp

Filesize
112KB

Download
memory/4852-53-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

Filesize
120KB

Download
memory/4852-58-0x0000000006B80000-0x0000000006C96000-memory.dmp

Filesize
1.1MB

Download
memory/4852-42-0x0000000005C90000-0x0000000005D22000-memory.dmp

Filesize
584KB

Download
memory/4852-48-0x0000000005DC0000-0x0000000005DE0000-memory.dmp

Filesize
128KB

Download
memory/4852-49-0x0000000005EF0000-0x0000000005F10000-memory.dmp

Filesize
128KB

Download
memory/4852-51-0x0000000005F30000-0x0000000005F44000-memory.dmp

Filesize
80KB

Download
memory/4940-45-0x00007FF8055B0000-0x00007FF806072000-memory.dmp

Filesize
10.8MB

Download
memory/4940-14-0x00007FF8055B0000-0x00007FF806072000-memory.dmp

Filesize
10.8MB

Download
memory/4940-34-0x000002100A300000-0x000002100A322000-memory.dmp

Filesize
136KB

Download
memory/4940-36-0x00007FF8055B0000-0x00007FF806072000-memory.dmp

Filesize
10.8MB

Download