kpot | c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01e

Resubmissions

23-09-2024 08:07

240923-jz9k4szara 10

22-09-2024 14:12

240922-rh8lgstbrf 10

Analysis

max time kernel
139s
max time network
149s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23-09-2024 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe
Size

1.5MB
MD5

e83ae2bb70cc2c59c4829d7f7fa88cb0
SHA1

7c0ee8a76e4f2518fb3c67c4a4df4f8566eb7016
SHA256

c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01e
SHA512

1a143a95ef9d1aeeefa31a851adc65ef1db4ebf2323107eb2f633435fb8358acc70541015caf86c48b44fb8fc95c8669d1585c2935116f173e9d32ce6989051d
SSDEEP

24576:zQ5aILMCfmAUjzX6xQtpj/Yz6XVSvmHaZkI+oq6dTnHv5yIi734DHr0ESjdkMwa7:E5aIwC+Agr6St1lOqq+jCpLWgO

Score

10^/10

kpot trickbot banker discovery evasion execution stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000001ac48-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/5008-15-0x0000000002240000-0x0000000002269000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
4752	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
1428	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2088	powershell.exe
2184	powershell.exe
2896	powershell.exe
4412	powershell.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1572	sc.exe
1548	sc.exe
3864	sc.exe
4396	sc.exe
3256	sc.exe
2432	sc.exe
1708	sc.exe
4044	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
5008	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe
5008	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe
5008	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe
5008	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe
5008	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe
5008	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe
1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
2184	powershell.exe
2088	powershell.exe
2184	powershell.exe
2088	powershell.exe
2088	powershell.exe
2184	powershell.exe
4752	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
4752	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
4752	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
4752	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
4752	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
4752	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
2896	powershell.exe
2896	powershell.exe
2896	powershell.exe
1428	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
1428	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
1428	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
1428	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
1428	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
1428	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
4412	powershell.exe
4412	powershell.exe
4412	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeTcbPrivilege	4752	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeTcbPrivilege	1428	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
Token: SeDebugPrivilege	4412	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5008	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe
1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
4752	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
1428	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 1724	5008	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe	72
PID 5008 wrote to memory of 1724	5008	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe	72
PID 5008 wrote to memory of 1724	5008	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe	72
PID 5008 wrote to memory of 1112	5008	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe	73
PID 5008 wrote to memory of 1112	5008	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe	73
PID 5008 wrote to memory of 1112	5008	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe	73
PID 5008 wrote to memory of 2436	5008	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe	74
PID 5008 wrote to memory of 2436	5008	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe	74
PID 5008 wrote to memory of 2436	5008	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe	74
PID 5008 wrote to memory of 1032	5008	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe	77
PID 5008 wrote to memory of 1032	5008	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe	77
PID 5008 wrote to memory of 1032	5008	c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe	77
PID 1724 wrote to memory of 2432	1724	cmd.exe	79
PID 1724 wrote to memory of 2432	1724	cmd.exe	79
PID 1724 wrote to memory of 2432	1724	cmd.exe	79
PID 1112 wrote to memory of 1708	1112	cmd.exe	80
PID 1112 wrote to memory of 1708	1112	cmd.exe	80
PID 1112 wrote to memory of 1708	1112	cmd.exe	80
PID 2436 wrote to memory of 2088	2436	cmd.exe	81
PID 2436 wrote to memory of 2088	2436	cmd.exe	81
PID 2436 wrote to memory of 2088	2436	cmd.exe	81
PID 1032 wrote to memory of 800	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	82
PID 1032 wrote to memory of 800	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	82
PID 1032 wrote to memory of 800	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	82
PID 1032 wrote to memory of 3488	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	83
PID 1032 wrote to memory of 3488	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	83
PID 1032 wrote to memory of 3488	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	83
PID 1032 wrote to memory of 3456	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	84
PID 1032 wrote to memory of 3456	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	84
PID 1032 wrote to memory of 3456	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	84
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 1032 wrote to memory of 4928	1032	c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe	85
PID 800 wrote to memory of 4044	800	cmd.exe	89
PID 800 wrote to memory of 4044	800	cmd.exe	89
PID 800 wrote to memory of 4044	800	cmd.exe	89
PID 3488 wrote to memory of 1572	3488	cmd.exe	90
PID 3488 wrote to memory of 1572	3488	cmd.exe	90
PID 3488 wrote to memory of 1572	3488	cmd.exe	90
PID 3456 wrote to memory of 2184	3456	cmd.exe	91
PID 3456 wrote to memory of 2184	3456	cmd.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe
"C:\Users\Admin\AppData\Local\Temp\c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01eN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2432
- C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- C:\Users\Admin\AppData\Roaming\WinSocket\c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    /c sc stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    /c sc delete WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Windows\SysWOW64\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3456
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2184
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:4928

C:\Users\Admin\AppData\Roaming\WinSocket\c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
C:\Users\Admin\AppData\Roaming\WinSocket\c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4752
- C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:864
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3864
- C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4744
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - System Location Discovery: System Language Discovery
  PID:216
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:4172

C:\Users\Admin\AppData\Roaming\WinSocket\c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
C:\Users\Admin\AppData\Roaming\WinSocket\c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1428
- C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1772
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3256
- C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:436
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4396
- C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4296
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4412
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b4fa3d94cb639ff65f0b1f19df192795

SHA1
a2cdd5b982560e0d04cf98a2df6059c3989aaba9

SHA256
6a9bf19ae515c17b48c33369e9a53546db0c4bc6af1826f1f1350cc0f19742b3

SHA512
45010eacca96eb89fcdbe9fa4a811d6f664bc01008cd770d826351e6ddf827dad4235729206236506906d7a7c3d6c13cc6f6c0a368f724c0f3e1147c6be2f21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wg5yz0zk.qh4.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\c3ac2cb8607014bb044bd849fb099a97671afe2b8114343643006221a93aa01eN.exe

Filesize
1.5MB

MD5
e83ae2bb70cc2c59c4829d7f7fa88cb0

SHA1
7c0ee8a76e4f2518fb3c67c4a4df4f8566eb7016

SHA256
c3ac2cb7506014bb044bd748fb098a86561afe2b7114343543005221a93aa01e

SHA512
1a143a95ef9d1aeeefa31a851adc65ef1db4ebf2323107eb2f633435fb8358acc70541015caf86c48b44fb8fc95c8669d1585c2935116f173e9d32ce6989051d

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
46KB

MD5
5038f941ba09e9b4ca7a8c025df3f5df

SHA1
9fe0609775b24fe18cf990499b3bbf8737916c66

SHA256
c50feb3025be282e12899f734d0c3ea2c8c5303562e2ca62a0fa73dc4b2f340c

SHA512
dc8453d11850fbe0297ec2f7df29fce029317a2496c23d418abfb6e5dd288fc9ec6ad4a49fdb061283d1aa8aecd11d5139df40df37994653fc32731bb1b22ec1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f6beb47c641f60709db1561c58a15a83

SHA1
b177777e751b070067b4a9f8094c2ea5057c18f5

SHA256
aa918f7b967eea67779f4a42b305fe43ddbeea65ca9ae7a268bee266010c8bc1

SHA512
714c906f6ec480e9a8dde67a7e01ea39491b0f6277989f8bfdac9f247c9fc937693de37fee6d8593fbc9471c3548f9187637c444ecaf40e7b24aefa72253c0ba

Download Submit
memory/1032-26-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1032-31-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1032-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1032-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1032-32-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1032-27-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1032-28-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1032-29-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1032-30-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1032-50-0x00000000030F0000-0x000000000319E000-memory.dmp

Filesize
696KB

Download
memory/1032-51-0x00000000031E0000-0x0000000003429000-memory.dmp

Filesize
2.3MB

Download
memory/1032-37-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1032-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1032-36-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1032-35-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1032-34-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1032-33-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/2088-60-0x0000000008080000-0x00000000080E6000-memory.dmp

Filesize
408KB

Download
memory/2088-109-0x00000000098E0000-0x0000000009985000-memory.dmp

Filesize
660KB

Download
memory/2088-110-0x0000000009CC0000-0x0000000009D54000-memory.dmp

Filesize
592KB

Download
memory/2088-100-0x0000000009790000-0x00000000097AE000-memory.dmp

Filesize
120KB

Download
memory/2088-98-0x00000000740C0000-0x000000007410B000-memory.dmp

Filesize
300KB

Download
memory/2088-97-0x00000000097B0000-0x00000000097E3000-memory.dmp

Filesize
204KB

Download
memory/2088-59-0x0000000008010000-0x0000000008076000-memory.dmp

Filesize
408KB

Download
memory/2088-58-0x0000000007720000-0x0000000007742000-memory.dmp

Filesize
136KB

Download
memory/2088-54-0x0000000007120000-0x0000000007156000-memory.dmp

Filesize
216KB

Download
memory/2184-61-0x0000000007840000-0x0000000007B90000-memory.dmp

Filesize
3.3MB

Download
memory/2184-495-0x00000000092E0000-0x00000000092FA000-memory.dmp

Filesize
104KB

Download
memory/2184-504-0x00000000092D0000-0x00000000092D8000-memory.dmp

Filesize
32KB

Download
memory/2184-64-0x0000000007ED0000-0x0000000007F46000-memory.dmp

Filesize
472KB

Download
memory/2184-63-0x0000000008150000-0x000000000819B000-memory.dmp

Filesize
300KB

Download
memory/2184-57-0x0000000006EF0000-0x0000000007518000-memory.dmp

Filesize
6.2MB

Download
memory/2184-99-0x00000000740C0000-0x000000007410B000-memory.dmp

Filesize
300KB

Download
memory/2184-62-0x00000000077E0000-0x00000000077FC000-memory.dmp

Filesize
112KB

Download
memory/2896-585-0x00000000741B0000-0x00000000741FB000-memory.dmp

Filesize
300KB

Download
memory/2896-567-0x0000000006710000-0x0000000006A60000-memory.dmp

Filesize
3.3MB

Download
memory/2896-568-0x0000000006B50000-0x0000000006B9B000-memory.dmp

Filesize
300KB

Download
memory/2896-590-0x0000000008000000-0x00000000080A5000-memory.dmp

Filesize
660KB

Download
memory/4412-836-0x0000000006E40000-0x0000000007190000-memory.dmp

Filesize
3.3MB

Download
memory/4412-838-0x00000000078C0000-0x000000000790B000-memory.dmp

Filesize
300KB

Download
memory/4412-855-0x00000000707B0000-0x00000000707FB000-memory.dmp

Filesize
300KB

Download
memory/4752-549-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4752-550-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4752-545-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4752-544-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4752-565-0x0000000001D40000-0x0000000001DEE000-memory.dmp

Filesize
696KB

Download
memory/4752-546-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4752-548-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4752-547-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4752-551-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4752-540-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4752-541-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4752-542-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4752-543-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4928-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4928-45-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/5008-13-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/5008-3-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/5008-12-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/5008-4-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/5008-11-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/5008-6-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/5008-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/5008-2-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/5008-7-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/5008-15-0x0000000002240000-0x0000000002269000-memory.dmp

Filesize
164KB

Download
memory/5008-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5008-10-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/5008-14-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/5008-9-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/5008-5-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/5008-8-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download