Analysis
max time kernel: 123s
max time network: 157s
platform: windows10_x64
resource: win10-en-20211104
submitted: 04-11-2021 23:26

Static task: static1
Behavioral task: behavioral1
  Sample: 49c3b146f9734caa1f3ffb3b273238f3.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: 49c3b146f9734caa1f3ffb3b273238f3.exe
  Resource: win10-en-20211104

General
Target: 49c3b146f9734caa1f3ffb3b273238f3.exe
Size: 16KB
MD5: 49c3b146f9734caa1f3ffb3b273238f3
SHA1: c2c3955cd049f3cfcaf1f926e660712850beccc3
SHA256: 9fcd74ab400531e530fc20dd5cb71635dd8f8aac2deea7d749284d976ea0a629
SHA512: bf33e890ba8fe22aa9a1cfa8757867f0d4010522c82dccbb47e16d376ec66566093056757895edf15d98d9f4f9c2a0f1ffcae4eebd9b6bdb8ed5b43eb0ddd001
Malware Config
Extracted
raccoon
a8df9e1d3d24b04502963590a8ed392d88ab1b96
-
url4cnc
http://telegin.top/opticillusionlusy
http://ttmirror.top/opticillusionlusy
http://teletele.top/opticillusionlusy
http://telegalive.top/opticillusionlusy
http://toptelete.top/opticillusionlusy
http://telegraf.top/opticillusionlusy
https://t.me/opticillusionlusy
Signatures
-
BitRAT Payload 4 IoCs
Processes:
resource  yara_rule
behavioral2/memory/368-161-0x0000000000400000-0x00000000007CE000-memory.dmp  family_bitrat
behavioral2/memory/368-162-0x000000000068A488-mapping.dmp  family_bitrat
behavioral2/memory/4372-165-0x00000000010E0000-0x00000000014A5000-memory.dmp  family_bitrat
behavioral2/memory/368-166-0x0000000000400000-0x00000000007CE000-memory.dmp  family_bitrat
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes: WerFault.exe
description  pid  process  target process
PID 4984 created 804  4984  WerFault.exe  fontdrvhost.exe
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes: powershell.exe, powershell.exe
description  pid  process  target process
PID 4360 created 644  4360  powershell.exe  lsass.exe
PID 1692 created 644  1692  powershell.exe  lsass.exe
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Win32\Unknown.dll  acprotect
\Users\Admin\AppData\Local\Win32\Unknown.dll  acprotect
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
Processes: fontdrvhost.exe, RuntimeBroker.exe, RuntimeBroker.exe, WindowsUpdate.exe, WindowsUpdate.exe
pid  process
804  fontdrvhost.exe
4372  RuntimeBroker.exe
368  RuntimeBroker.exe
2588  WindowsUpdate.exe
5020  WindowsUpdate.exe
-
Processes:
resource  yara_rule
behavioral2/memory/2588-558-0x0000000000400000-0x00000000008DC000-memory.dmp  upx
-
Loads dropped DLL 1 IoCs
Processes: WindowsUpdate.exe
pid  process
5020  WindowsUpdate.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes: WindowsUpdate.exe
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  WindowsUpdate.exe
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes: RuntimeBroker.exe
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Win32\\WindowsUpdate.exe褀"  RuntimeBroker.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Win32\\WindowsUpdate.exe\uff00"  RuntimeBroker.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Win32\\WindowsUpdate.exe⠀"  RuntimeBroker.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Win32\\WindowsUpdate.exeက"  RuntimeBroker.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Win32\\WindowsUpdate.exe"  RuntimeBroker.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Win32\\WindowsUpdate.exe촀"  RuntimeBroker.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes: RuntimeBroker.exe
pid  process
368  RuntimeBroker.exe
368  RuntimeBroker.exe
368  RuntimeBroker.exe
368  RuntimeBroker.exe
368  RuntimeBroker.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes: RuntimeBroker.exe, RuntimeBroker.exe, WindowsUpdate.exe
description  pid  process  target process
PID 4372 set thread context of 368  4372  RuntimeBroker.exe  RuntimeBroker.exe
PID 368 set thread context of 2588  368  RuntimeBroker.exe  WindowsUpdate.exe
PID 2588 set thread context of 5020  2588  WindowsUpdate.exe  WindowsUpdate.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
pid  pid_target  process  target process
4984  804  WerFault.exe  fontdrvhost.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes: powershell.exe, powershell.exe
description  ioc  process
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  powershell.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs  powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs  powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs  powershell.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes: powershell.exe, powershell.exe, powershell.exe, powershell.exe, WindowsUpdate.exe, WerFault.exe
pid  process
4360  powershell.exe
1692  powershell.exe
1692  powershell.exe
4360  powershell.exe
4360  powershell.exe
1692  powershell.exe
4360  powershell.exe
4360  powershell.exe
1692  powershell.exe
1692  powershell.exe
4772  powershell.exe
2232  powershell.exe
4772  powershell.exe
2232  powershell.exe
4772  powershell.exe
2232  powershell.exe
4772  powershell.exe
2232  powershell.exe
5020  WindowsUpdate.exe
5020  WindowsUpdate.exe
4984  WerFault.exe
4984  WerFault.exe
4984  WerFault.exe
4984  WerFault.exe
4984  WerFault.exe
4984  WerFault.exe
4984  WerFault.exe
4984  WerFault.exe
4984  WerFault.exe
4984  WerFault.exe
4984  WerFault.exe
4984  WerFault.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 49c3b146f9734caa1f3ffb3b273238f3.exe, powershell.exe, powershell.exe, RuntimeBroker.exe, whoami.exe, whoami.exe, powershell.exe, powershell.exe, whoami.exe
description  pid  process
Token: SeDebugPrivilege  3716  49c3b146f9734caa1f3ffb3b273238f3.exe
Token: SeDebugPrivilege  4360  powershell.exe
Token: SeDebugPrivilege  1692  powershell.exe
Token: SeShutdownPrivilege  368  RuntimeBroker.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4256  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4928  whoami.exe
Token: SeDebugPrivilege  4772  powershell.exe
Token: SeDebugPrivilege  2232  powershell.exe
Token: SeDebugPrivilege  1764  whoami.exe
Token: SeDebugPrivilege  1764  whoami.exe
Token: SeDebugPrivilege  1764  whoami.exe
Token: SeDebugPrivilege  1764  whoami.exe
Token: SeDebugPrivilege  1764  whoami.exe
Token: SeDebugPrivilege  1764  whoami.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: RuntimeBroker.exe
pid  process
368  RuntimeBroker.exe
368  RuntimeBroker.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 49c3b146f9734caa1f3ffb3b273238f3.exe, cmd.exe, cmd.exe, RuntimeBroker.exe, powershell.exe, powershell.exe
description  pid  process  target process
PID 3716 wrote to memory of 4072  3716  49c3b146f9734caa1f3ffb3b273238f3.exe  cmd.exe
PID 3716 wrote to memory of 4072  3716  49c3b146f9734caa1f3ffb3b273238f3.exe  cmd.exe
PID 3716 wrote to memory of 4072  3716  49c3b146f9734caa1f3ffb3b273238f3.exe  cmd.exe
PID 3716 wrote to memory of 1724  3716  49c3b146f9734caa1f3ffb3b273238f3.exe  cmd.exe
PID 3716 wrote to memory of 1724  3716  49c3b146f9734caa1f3ffb3b273238f3.exe  cmd.exe
PID 3716 wrote to memory of 1724  3716  49c3b146f9734caa1f3ffb3b273238f3.exe  cmd.exe
PID 1724 wrote to memory of 1692  1724  cmd.exe  powershell.exe
PID 1724 wrote to memory of 1692  1724  cmd.exe  powershell.exe
PID 1724 wrote to memory of 1692  1724  cmd.exe  powershell.exe
PID 4072 wrote to memory of 4360  4072  cmd.exe  powershell.exe
PID 4072 wrote to memory of 4360  4072  cmd.exe  powershell.exe
PID 4072 wrote to memory of 4360  4072  cmd.exe  powershell.exe
PID 3716 wrote to memory of 804  3716  49c3b146f9734caa1f3ffb3b273238f3.exe  fontdrvhost.exe
PID 3716 wrote to memory of 804  3716  49c3b146f9734caa1f3ffb3b273238f3.exe  fontdrvhost.exe
PID 3716 wrote to memory of 804  3716  49c3b146f9734caa1f3ffb3b273238f3.exe  fontdrvhost.exe
PID 3716 wrote to memory of 4372  3716  49c3b146f9734caa1f3ffb3b273238f3.exe  RuntimeBroker.exe
PID 3716 wrote to memory of 4372  3716  49c3b146f9734caa1f3ffb3b273238f3.exe  RuntimeBroker.exe
PID 3716 wrote to memory of 4372  3716  49c3b146f9734caa1f3ffb3b273238f3.exe  RuntimeBroker.exe
PID 4372 wrote to memory of 368  4372  RuntimeBroker.exe  RuntimeBroker.exe
PID 4372 wrote to memory of 368  4372  RuntimeBroker.exe  RuntimeBroker.exe
PID 4372 wrote to memory of 368  4372  RuntimeBroker.exe  RuntimeBroker.exe
PID 4372 wrote to memory of 368  4372  RuntimeBroker.exe  RuntimeBroker.exe
PID 4372 wrote to memory of 368  4372  RuntimeBroker.exe  RuntimeBroker.exe
PID 4372 wrote to memory of 368  4372  RuntimeBroker.exe  RuntimeBroker.exe
PID 4372 wrote to memory of 368  4372  RuntimeBroker.exe  RuntimeBroker.exe
PID 4372 wrote to memory of 368  4372  RuntimeBroker.exe  RuntimeBroker.exe
PID 4372 wrote to memory of 368  4372  RuntimeBroker.exe  RuntimeBroker.exe
PID 4372 wrote to memory of 368  4372  RuntimeBroker.exe  RuntimeBroker.exe
PID 4372 wrote to memory of 368  4372  RuntimeBroker.exe  RuntimeBroker.exe
PID 4360 wrote to memory of 3432  4360  powershell.exe  sc.exe
PID 4360 wrote to memory of 3432  4360  powershell.exe  sc.exe
PID 4360 wrote to memory of 3432  4360  powershell.exe  sc.exe
PID 1692 wrote to memory of 4812  1692  powershell.exe  sc.exe
PID 1692 wrote to memory of 4812  1692  powershell.exe  sc.exe
PID 1692 wrote to memory of 4812  1692  powershell.exe  sc.exe
PID 4360 wrote to memory of 3420  4360  powershell.exe  cmd.exe
PID 4360 wrote to memory of 3420  4360  powershell.exe  cmd.exe
PID 4360 wrote to memory of 3420  4360  powershell.exe  cmd.exe
PID 1692 wrote to memory of 4888  1692  powershell.exe  cmd.exe
PID 1692 wrote to memory of 4888  1692  powershell.exe  cmd.exe
PID 1692 wrote to memory of 4888  1692  powershell.exe  cmd.exe
PID 4360 wrote to memory of 4256  4360  powershell.exe  whoami.exe
PID 4360 wrote to memory of 4256  4360  powershell.exe  whoami.exe
PID 4360 wrote to memory of 4256  4360  powershell.exe  whoami.exe
PID 1692 wrote to memory of 4928  1692  powershell.exe  whoami.exe
PID 1692 wrote to memory of 4928  1692  powershell.exe  whoami.exe
PID 1692 wrote to memory of 4928  1692  powershell.exe  whoami.exe
PID 4360 wrote to memory of 2848  4360  powershell.exe  net1.exe
PID 4360 wrote to memory of 2848  4360  powershell.exe  net1.exe
PID 4360 wrote to memory of 2848  4360  powershell.exe  net1.exe
PID 1692 wrote to memory of 488  1692  powershell.exe  net1.exe
PID 1692 wrote to memory of 488  1692  powershell.exe  net1.exe
PID 1692 wrote to memory of 488  1692  powershell.exe  net1.exe
PID 4360 wrote to memory of 4984  4360  powershell.exe  net1.exe
PID 4360 wrote to memory of 4984  4360  powershell.exe  net1.exe
PID 4360 wrote to memory of 4984  4360  powershell.exe  net1.exe
PID 4360 wrote to memory of 4772  4360  powershell.exe  powershell.exe
PID 4360 wrote to memory of 4772  4360  powershell.exe  powershell.exe
PID 4360 wrote to memory of 4772  4360  powershell.exe  powershell.exe
PID 1692 wrote to memory of 2208  1692  powershell.exe  net1.exe
PID 1692 wrote to memory of 2208  1692  powershell.exe  net1.exe
PID 1692 wrote to memory of 2208  1692  powershell.exe  net1.exe
PID 1692 wrote to memory of 2232  1692  powershell.exe  powershell.exe
PID 1692 wrote to memory of 2232  1692  powershell.exe  powershell.exe
Processes
-
Level 1: C:\Windows\system32\lsass.exe
  Command line: C:\Windows\system32\lsass.exe
  PID: 644

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4772

    Level 3: C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\system32\sc.exe" qc windefend
      PID: 632

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
      PID: 4012

    Level 3: C:\Windows\SysWOW64\whoami.exe
      Command line: "C:\Windows\system32\whoami.exe" /groups
      PID: 1780

    Level 3: C:\Windows\SysWOW64\net1.exe
      Command line: "C:\Windows\system32\net1.exe" stop windefend
      PID: 4804

    Level 3: C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
      PID: 4884

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2232

    Level 3: C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\system32\sc.exe" qc windefend
      PID: 4024

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
      PID: 4512

    Level 3: C:\Windows\SysWOW64\whoami.exe
      Command line: "C:\Windows\system32\whoami.exe" /groups
      - Suspicious use of AdjustPrivilegeToken
      PID: 1764

    Level 3: C:\Windows\SysWOW64\net1.exe
      Command line: "C:\Windows\system32\net1.exe" stop windefend
      PID: 4844

    Level 3: C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
      PID: 1264

Level 1: C:\Users\Admin\AppData\Local\Temp\49c3b146f9734caa1f3ffb3b273238f3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\49c3b146f9734caa1f3ffb3b273238f3.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3716

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\hosts.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 4072

    Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0))
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4360

      Level 4: C:\Windows\SysWOW64\sc.exe
        Command line: "C:\Windows\system32\sc.exe" qc windefend
        PID: 3432

      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
        PID: 3420

      Level 4: C:\Windows\SysWOW64\whoami.exe
        Command line: "C:\Windows\system32\whoami.exe" /groups
        - Suspicious use of AdjustPrivilegeToken
        PID: 4256

      Level 4: C:\Windows\SysWOW64\net1.exe
        Command line: "C:\Windows\system32\net1.exe" start TrustedInstaller
        PID: 2848

      Level 4: C:\Windows\SysWOW64\net1.exe
        Command line: "C:\Windows\system32\net1.exe" start lsass
        PID: 4984

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\hosts.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 1724

    Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0))
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1692

      Level 4: C:\Windows\SysWOW64\sc.exe
        Command line: "C:\Windows\system32\sc.exe" qc windefend
        PID: 4812

      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
        PID: 4888

      Level 4: C:\Windows\SysWOW64\whoami.exe
        Command line: "C:\Windows\system32\whoami.exe" /groups
        - Suspicious use of AdjustPrivilegeToken
        PID: 4928

      Level 4: C:\Windows\SysWOW64\net1.exe
        Command line: "C:\Windows\system32\net1.exe" start TrustedInstaller
        PID: 488

      Level 4: C:\Windows\SysWOW64\net1.exe
        Command line: "C:\Windows\system32\net1.exe" start lsass
        PID: 2208

  Level 2: C:\Users\Admin\AppData\Roaming\fontdrvhost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\fontdrvhost.exe"
    - Executes dropped EXE
    PID: 804

    Level 3: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 1004
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      PID: 4984

  Level 2: C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
    Command line: "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 4372

    Level 3: C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
      Command line: "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 368

      Level 4: C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe
        Command line: -a "C:\Users\Admin\AppData\Local\a4755c5f\plg\4XmySxXF.json"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        PID: 2588

        Level 5: C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe
          Command line: -a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
          - Executes dropped EXE
          - Loads dropped DLL
          - Accesses Microsoft Outlook accounts
          - Suspicious behavior: EnumeratesProcesses
          PID: 5020
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5: b751492c41c6f3173d3b6f31c1b9b4eb
SHA1: abc53a2c939b1d774940deb0b888b7b1ba5a3c7b
SHA256: ad95fdf313324ed94997cec026239ea3631bf27298500e5def5941db9493b457
SHA512: afa65279455b98353c6fe6869f2b545231231a953afbb1bf2eaed6b11646c4b4c77c5c18102651ae247a2f0fa18c698d908f4d23ca91581cbf28e32e061cb2e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: b3e9950f0f5783ad49eced6c69f99d32
SHA1: 285f3b186567601a0346a080ffc89348654c541b
SHA256: f331eb96ef9923a268cc55e0d8ae13dfd31d58bee3cf35858c82f712dfe4320f
SHA512: fded6e57638f25fa6272d2539c70777024823fba1af5ec75ce8cb20f7ff4f8306de8fe945d01c39e1d42b5ccb8179980145a49b57bfd8430c205efca0cad5756

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: 318fd23eec2d622bedd0a598b5d8235e
SHA1: 7ac404bbf03e16be9ef3c4cf2cf9651fe966e344
SHA256: 0c0663717f80c435a68d2b2aa0b1a1a01221b70cd00490528bc1e843883d7bd8
SHA512: 584829c31a6a292c62e8a5814c2b109201c2cdd42ac933be9323e2b32b2e9fc6baa2819e1d3da2621e6897e114caac8a539a00df0df0bbdc2feb45fba2e45143

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: 775078b1827648f250d4ccce115c7c89
SHA1: 315a054a86450f72c78e36248cd56489dcb39978
SHA256: fb701a9c76e864745bd92abd194fdf3cb2077c0f18a6088dec6ae29f0faf3fdd
SHA512: 4a92fb30d3c4350b75616a2557c18ac1c758f8c15bd7e7e1b06d70e85e5ea3e927b76b59b085bf5171ba6ef86469e5a4c7c1336244cc44a17bc2a7d232d04feb

C:\Users\Admin\AppData\Local\Temp\unk.xml
MD5: 77e6621fd939338d3f19f3dd948ecf43
SHA1: 53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c
SHA256: 9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867
SHA512: 6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f

C:\Users\Admin\AppData\Local\Win32\License.XenArmor
MD5: 4f3bde9212e17ef18226866d6ac739b6
SHA1: 732733bec8314beb81437e60876ffa75e72ae6cd
SHA256: 212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174
SHA512: 10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

C:\Users\Admin\AppData\Local\Win32\License.XenArmor
MD5: bf5da170f7c9a8eae88d1cb1a191ff80
SHA1: dd1b991a1b03587a5d1edc94e919a2070e325610
SHA256: e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd
SHA512: 9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

C:\Users\Admin\AppData\Local\Win32\Unknown.dll
MD5: 86114faba7e1ec4a667d2bcb2e23f024
SHA1: 670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256: 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512: d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe
MD5: 0c547b07b9b62d970cde94b18a34b0f8
SHA1: fcb33a1367e12990028abf542ca57eeb4c4c5fb4
SHA256: bc1162ab3641fde0dd4b2208c2d8470035aa4f742c1b69ea53ea9cd6f5051171
SHA512: b02e6ab09655456c4d298cefd235e5df9ee51b9e72a56d1d5e5c6dffaff1f43810fa4e640e10d0050bc88f0e5738d07659ff4cef74103d0a7b94b367c7c923a1

C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe
MD5: 0c547b07b9b62d970cde94b18a34b0f8
SHA1: fcb33a1367e12990028abf542ca57eeb4c4c5fb4
SHA256: bc1162ab3641fde0dd4b2208c2d8470035aa4f742c1b69ea53ea9cd6f5051171
SHA512: b02e6ab09655456c4d298cefd235e5df9ee51b9e72a56d1d5e5c6dffaff1f43810fa4e640e10d0050bc88f0e5738d07659ff4cef74103d0a7b94b367c7c923a1

C:\Users\Admin\AppData\Local\a4755c5f\plg\4XmySxXF.json
MD5: 77e6621fd939338d3f19f3dd948ecf43
SHA1: 53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c
SHA256: 9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867
SHA512: 6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
MD5: 0c547b07b9b62d970cde94b18a34b0f8
SHA1: fcb33a1367e12990028abf542ca57eeb4c4c5fb4
SHA256: bc1162ab3641fde0dd4b2208c2d8470035aa4f742c1b69ea53ea9cd6f5051171
SHA512: b02e6ab09655456c4d298cefd235e5df9ee51b9e72a56d1d5e5c6dffaff1f43810fa4e640e10d0050bc88f0e5738d07659ff4cef74103d0a7b94b367c7c923a1

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
MD5: 0c547b07b9b62d970cde94b18a34b0f8
SHA1: fcb33a1367e12990028abf542ca57eeb4c4c5fb4
SHA256: bc1162ab3641fde0dd4b2208c2d8470035aa4f742c1b69ea53ea9cd6f5051171
SHA512: b02e6ab09655456c4d298cefd235e5df9ee51b9e72a56d1d5e5c6dffaff1f43810fa4e640e10d0050bc88f0e5738d07659ff4cef74103d0a7b94b367c7c923a1

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
MD5: 0c547b07b9b62d970cde94b18a34b0f8
SHA1: fcb33a1367e12990028abf542ca57eeb4c4c5fb4
SHA256: bc1162ab3641fde0dd4b2208c2d8470035aa4f742c1b69ea53ea9cd6f5051171
SHA512: b02e6ab09655456c4d298cefd235e5df9ee51b9e72a56d1d5e5c6dffaff1f43810fa4e640e10d0050bc88f0e5738d07659ff4cef74103d0a7b94b367c7c923a1

C:\Users\Admin\AppData\Roaming\fontdrvhost.exe
MD5: 4eb5d05f73f6edc4673409b03ee325cf
SHA1: f210931bedf25533129b87eee16573e618887d80
SHA256: 4a0129093fc5f3fb58bfebae5d9ea7fe99e2871ead13f12612606e9e2aed261d
SHA512: c3370f853e23527bd22dae9ce6cf39d023d4a9c9b17b23a5cdb717e085f5c3b7160e0756674bf0519cd6717b81e68911e9896488b0c342007e114047b46fd231

C:\Users\Admin\AppData\Roaming\fontdrvhost.exe
MD5: 4eb5d05f73f6edc4673409b03ee325cf
SHA1: f210931bedf25533129b87eee16573e618887d80
SHA256: 4a0129093fc5f3fb58bfebae5d9ea7fe99e2871ead13f12612606e9e2aed261d
SHA512: c3370f853e23527bd22dae9ce6cf39d023d4a9c9b17b23a5cdb717e085f5c3b7160e0756674bf0519cd6717b81e68911e9896488b0c342007e114047b46fd231

C:\Users\Admin\hosts.bat
MD5: 633dd29d37554e063e8700af0a882724
SHA1: 2994a70ff1769fdea7f06bbfe58d8d665caca6b8
SHA256: dfe6d785e2c1082e1249b081a172c31904d83ea125929e2dca0c41312e9bf2a8
SHA512: b25684dab562afd12015058cafc5549b265a7ad38be8d44f3659690b21f723240a1732895dbcf77856973e6e2153a7c0841693a7991b7938a498c602537aa334

\Users\Admin\AppData\Local\Win32\Unknown.dll
MD5: 86114faba7e1ec4a667d2bcb2e23f024
SHA1: 670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256: 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512: d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f
-
memory/368-162-0x000000000068A488-mapping.dmp
-
memory/368-161-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/368-166-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/488-261-0x0000000000000000-mapping.dmp
-
memory/632-396-0x0000000000000000-mapping.dmp
-
memory/804-156-0x00000000004A0000-0x00000000004EE000-memory.dmpFilesize
312KB
-
memory/804-158-0x0000000000400000-0x0000000000491000-memory.dmpFilesize
580KB
-
memory/804-157-0x0000000000760000-0x00000000007EE000-memory.dmpFilesize
568KB
-
memory/804-138-0x0000000000000000-mapping.dmp
-
memory/1264-482-0x0000000000000000-mapping.dmp
-
memory/1692-136-0x0000000006642000-0x0000000006643000-memory.dmpFilesize
4KB
-
memory/1692-128-0x00000000004E0000-0x00000000004E1000-memory.dmpFilesize
4KB
-
memory/1692-199-0x0000000009C70000-0x0000000009C71000-memory.dmpFilesize
4KB
-
memory/1692-123-0x0000000000000000-mapping.dmp
-
memory/1692-197-0x0000000008930000-0x0000000008931000-memory.dmpFilesize
4KB
-
memory/1692-126-0x00000000004E0000-0x00000000004E1000-memory.dmpFilesize
4KB
-
memory/1692-194-0x00000000089A0000-0x00000000089A1000-memory.dmpFilesize
4KB
-
memory/1692-133-0x0000000006640000-0x0000000006641000-memory.dmpFilesize
4KB
-
memory/1692-177-0x0000000008890000-0x0000000008891000-memory.dmpFilesize
4KB
-
memory/1692-129-0x0000000001040000-0x0000000001041000-memory.dmpFilesize
4KB
-
memory/1692-131-0x0000000006C80000-0x0000000006C81000-memory.dmpFilesize
4KB
-
memory/1692-246-0x0000000006643000-0x0000000006644000-memory.dmpFilesize
4KB
-
memory/1692-169-0x00000000004E0000-0x00000000004E1000-memory.dmpFilesize
4KB
-
memory/1692-175-0x00000000090F0000-0x00000000090F1000-memory.dmpFilesize
4KB
-
memory/1724-121-0x0000000000000000-mapping.dmp
-
memory/1764-426-0x0000000000000000-mapping.dmp
-
memory/1780-427-0x0000000000000000-mapping.dmp
-
memory/2208-275-0x0000000000000000-mapping.dmp
-
memory/2232-425-0x0000000001013000-0x0000000001014000-memory.dmpFilesize
4KB
-
memory/2232-357-0x0000000001012000-0x0000000001013000-memory.dmpFilesize
4KB
-
memory/2232-356-0x0000000001010000-0x0000000001011000-memory.dmpFilesize
4KB
-
memory/2232-291-0x0000000000000000-mapping.dmp
-
memory/2588-558-0x0000000000400000-0x00000000008DC000-memory.dmpFilesize
4.9MB
-
memory/2588-552-0x00000000008D9FE0-mapping.dmp
-
memory/2848-253-0x0000000000000000-mapping.dmp
-
memory/3420-227-0x0000000000000000-mapping.dmp
-
memory/3432-205-0x0000000000000000-mapping.dmp
-
memory/3716-118-0x0000000000560000-0x0000000000561000-memory.dmpFilesize
4KB
-
memory/3716-135-0x0000000004EC0000-0x0000000004EC1000-memory.dmpFilesize
4KB
-
memory/4012-402-0x0000000000000000-mapping.dmp
-
memory/4024-397-0x0000000000000000-mapping.dmp
-
memory/4072-120-0x0000000000000000-mapping.dmp
-
memory/4256-247-0x0000000000000000-mapping.dmp
-
memory/4360-134-0x0000000004E30000-0x0000000004E31000-memory.dmpFilesize
4KB
-
memory/4360-167-0x0000000001050000-0x0000000001051000-memory.dmpFilesize
4KB
-
memory/4360-144-0x0000000007260000-0x0000000007261000-memory.dmpFilesize
4KB
-
memory/4360-146-0x0000000007300000-0x0000000007301000-memory.dmpFilesize
4KB
-
memory/4360-245-0x0000000004E33000-0x0000000004E34000-memory.dmpFilesize
4KB
-
memory/4360-125-0x0000000001050000-0x0000000001051000-memory.dmpFilesize
4KB
-
memory/4360-148-0x0000000007D50000-0x0000000007D51000-memory.dmpFilesize
4KB
-
memory/4360-127-0x0000000001050000-0x0000000001051000-memory.dmpFilesize
4KB
-
memory/4360-150-0x0000000007EA0000-0x0000000007EA1000-memory.dmpFilesize
4KB
-
memory/4360-159-0x0000000008650000-0x0000000008651000-memory.dmpFilesize
4KB
-
memory/4360-124-0x0000000000000000-mapping.dmp
-
memory/4360-137-0x0000000004E32000-0x0000000004E33000-memory.dmpFilesize
4KB
-
memory/4360-152-0x0000000007C20000-0x0000000007C21000-memory.dmpFilesize
4KB
-
memory/4360-154-0x0000000008580000-0x0000000008581000-memory.dmpFilesize
4KB
-
memory/4372-141-0x0000000000000000-mapping.dmp
-
memory/4372-165-0x00000000010E0000-0x00000000014A5000-memory.dmpFilesize
3.8MB
-
memory/4372-164-0x0000000000EF0000-0x00000000010D4000-memory.dmpFilesize
1.9MB
-
memory/4512-412-0x0000000000000000-mapping.dmp
-
memory/4772-311-0x0000000004CF0000-0x0000000004CF1000-memory.dmpFilesize
4KB
-
memory/4772-265-0x0000000000000000-mapping.dmp
-
memory/4772-315-0x0000000004CF2000-0x0000000004CF3000-memory.dmpFilesize
4KB
-
memory/4772-424-0x0000000004CF3000-0x0000000004CF4000-memory.dmpFilesize
4KB
-
memory/4804-480-0x0000000000000000-mapping.dmp
-
memory/4812-207-0x0000000000000000-mapping.dmp
-
memory/4844-481-0x0000000000000000-mapping.dmp
-
memory/4884-483-0x0000000000000000-mapping.dmp
-
memory/4888-236-0x0000000000000000-mapping.dmp
-
memory/4928-252-0x0000000000000000-mapping.dmp
-
memory/4984-263-0x0000000000000000-mapping.dmp
-
memory/5020-556-0x00000000006FC1D0-mapping.dmp
-
memory/5020-563-0x0000000000400000-0x00000000006FE000-memory.dmpFilesize
3.0MB